[opensuse] SuSEfirewall2 & PPTP SERVER SFW2-FWDint-DROP-DEFLT IN=ppp0
10.2 and 10.3 are wonderful! What an improvement over the old 8.2!

Are there any docs on how to set up SuSE 10.2 (or equiv) PPTP SERVER with SuSEfirewall2? I have looked all over and found VPN client configs but no server configs that are current, and not much on the firewall with VPNs. All thoughts and comments are very welcome. Happy New Year!

Why? I had done it on SuSE 8.2 so I took a stab at it on 10.2. I am able to connect and validate passwords etc. I can ping the server host IP (192.168.1.1). I can ping my ppp0 (192.168.225.1) IP address on the firewall. I can even VNC into 192.168.1.1 (the firewall IP)! I cannot get on to the rest of the INTernal network (192.168.1.25)?

ERROR:
Jan 3 22:23:20 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2316 PROTO=ICMP TYPE=8 CODE=0 ID=39955 SEQ=1280

I am one of those that have had good success with SuSEfirewall2 in the past but I am confused this time.

ETH2 = 192.168.1.1 # internal network
PPP0 = 192.168.224.1
I want to get to 192.168.1.25

Sysconfig->SuSEfirewall2: (I grep'd off comments & null parameters "" for space)

FW_DEV_EXT="eth-id-00:15:e9:80:db:e9"
FW_DEV_INT="eth-id-00:0e:0c:d7:f9:f9 eth-id-00:0f:1f:f8:26:c5 ppp0 ppp1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="https imaps pop3s pptp smtp 1723"
FW_SERVICES_EXT_IP="47"
FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP="ntp icmp"
FW_SERVICES_INT_IP="47"
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="ntp"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_REJECT_INT="yes"
FW_IPSEC_TRUST="no"

All other params are "" defaulted.

Any help is greatly appreciated. Many thanks! We have about 40 SuSE Linux systems and a mess of Windoze systems!

Tim Ertl

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Friday, 4 January 2008 05:03:55, Tim Ertl wrote:
> 10.2 and 10.3 are wonderful! What an improvement over the old 8.2!
> Are there any docs on how to set up SuSE 10.2 (or equiv) PPTP SERVER with SuSEfirewall2? I have looked all over and found VPN client configs but no server configs that are current, and not much on the firewall with VPNs. [...]

PPTP is another beast... Look below.

> ERROR: Jan 3 22:23:20 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2316 PROTO=ICMP TYPE=8 CODE=0 ID=39955 SEQ=1280
> [...]
> Sysconfig->SuSEfirewall2: (I grep'd off comments & null parameters "" for space)
> [...]
> FW_SERVICES_EXT_TCP="https imaps pop3s pptp smtp 1723"
> FW_SERVICES_EXT_IP="47"
> [...]
> All other params are "" defaulted.

Looks like you need

FW_LOAD_MODULES="ip_conntrack_pptp"

If you plan to use pptp in the other direction, from your masqueraded LAN to the outside, you must add ip_nat_pptp, too.

> Any help is greatly appreciated. Many thanks! We have about 40 SuSE Linux systems and a mess of Windoze systems!

Herbert
Herbert,

Many thanks for your reply. I had not seen that problem. My first attempt to load SuSEfirewall2 failed but I googled around and saw that I did not modprobe it (should have been obvious). The fix you gave me seemed to have helped others but did not help me. The system log did not report any errors except of course the:

Jan 4 10:08:26 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN= 40 TOS=0x00 PREC=0x00 TTL=30 ID=1 PROTO=TCP SPT=1090 DPT=5900 WINDOW=0 RES=0x00 ACK RST URGP=0

I also did the ip_nat_pptp just in case and that did not help either. I am looking at some googled ideas like adding some custom iptables stuff. Unfortunately I am not very up on them. I guess it's time for me to learn.

Thanks again!

Tim Ertl

-----Original Message-----
From: Herbert Graeber [mailto:lists@graeber-clan.de]
Sent: Friday, January 04, 2008 5:25 AM
To: opensuse@opensuse.org
Subject: Re: [opensuse] SuSEfirewall2 & PPTP SERVER SFW2-FWDint-DROP-DEFLT IN=ppp0

[...]
FIXED!

I am not sure this is too wide open but everything works now. I made a couple of simplistic tests without defining any source or dest ports and got things to work. I added the following 4 lines to the /etc/sysconfig/scripts/SuSEfirewall-custom script. This didn't work at first. When I looked at the SuSEfirewall2 start script, I saw that the /etc/sysconfig/SuSEfirewall2 config file had a FW_CUSTOMRULES= that was commented out. NOW I AM Working. If this was a dangerous fix I would appreciate comments...

# Accept forwarding in both directions between the LAN (eth2) and each PPTP ppp interface
for PA in ppp0 ppp1 ppp2 ppp3 ppp4 ppp5 ppp6 ppp7 ppp8 ppp9 ppp10; do
    iptables -A forward_int -o "$PA" -i eth2 -j ACCEPT
    iptables -A forward_int -i "$PA" -o eth2 -j ACCEPT
done

Thanks for your help!

Tim Ertl

-----Original Message-----
From: Tim Ertl [mailto:tim@lmrgroup.com]
Sent: Friday, January 04, 2008 11:19 AM
To: 'Herbert Graeber'; opensuse@opensuse.org
Subject: RE: [opensuse] SuSEfirewall2 & PPTP SERVER SFW2-FWDint-DROP-DEFLT IN=ppp0

[...]
On Friday, 4 January 2008 19:30:05, Tim Ertl wrote:
> FIXED!
> [...]
> NOW I AM Working. If this was a dangerous fix I would appreciate comments...
>
> for PA in ppp0 ppp1 ppp2 ppp3 ppp4 ppp5 ppp6 ppp7 ppp8 ppp9 ppp10; do
>     iptables -A forward_int -o $PA -i eth2 -j ACCEPT
>     iptables -A forward_int -i $PA -o eth2 -j ACCEPT
> done

Looks safe because it forwards between internal interfaces only.

I have overlooked another problem in your SuSEfirewall configuration. You must activate class routing. This means that packets between interfaces belonging to the same class (e.g. external, internal, ...) will be routed to each other. Add

FW_ALLOW_CLASS_ROUTING="yes"

to your configuration. Instead of yes you can also use the zone name (int). This works more or less like your fix.

Cheers
Herbert
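An added example to go with Herbert's class-routing explanation and Tim's custom forward_int rules (editor-supplied code, not from either poster and not part of SuSEfirewall2): a small POSIX sh script that pulls the IN and OUT interfaces out of SFW2-FWDint-DROP-DEFLT log lines and checks whether both belong to the internal zone, i.e. whether the drop is exactly the intra-zone forwarding that FW_ALLOW_CLASS_ROUTING="yes" (or Tim's per-interface ACCEPT rules) would allow. The zone list is Tim's FW_DEV_INT, with the assumption that the two eth-id-* entries correspond to eth1 and eth2. The first two sample lines are the ones quoted in the thread (with the stray space in "LEN= 40" removed); the other two are constructed. Note that FW_DEV_INT names only ppp0 and ppp1 while the custom loop covers ppp0 through ppp10, so a client that lands on ppp3 is not in the internal class as far as the zone configuration is concerned; the script flags that case as cross-zone.

```shell
#!/bin/sh
# Editor-added example, not from the thread or from SuSEfirewall2.
# Classify SFW2 forward-drop log lines by zone membership of the IN/OUT interfaces.

# Internal-zone device list as in Tim's FW_DEV_INT; the two eth-id-* entries are
# ASSUMED to correspond to eth1 and eth2 (the log shows OUT=eth2 on the LAN side).
FW_DEV_INT="eth1 eth2 ppp0 ppp1"

# sfw2_field LINE KEY: print the value of the first KEY=value token in LINE.
# (ICMP lines carry two ID= tokens; the IP-header one comes first.)
sfw2_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# in_zone IFACE "dev1 dev2 ...": succeed if IFACE is one of the listed devices.
in_zone() {
    for dev in $2; do
        [ "$dev" = "$1" ] && return 0
    done
    return 1
}

# classify LINE: prints
#   intra-int   both interfaces are in FW_DEV_INT (class routing would allow it)
#   cross-zone  at least one interface is outside FW_DEV_INT
#   not-fwd     not an SFW2 forward-drop line at all
classify() {
    case "$1" in
        *SFW2-FWD*) ;;
        *) echo not-fwd; return 0 ;;
    esac
    in_if=$(sfw2_field "$1" IN)
    out_if=$(sfw2_field "$1" OUT)
    if in_zone "$in_if" "$FW_DEV_INT" && in_zone "$out_if" "$FW_DEV_INT"; then
        echo intra-int
    else
        echo cross-zone
    fi
}

# Constructed sample log: the two drops quoted in the thread (space in LEN removed),
# a made-up drop arriving on an unlisted ppp3, and an unrelated pppd message.
sfw2_samples() {
    cat <<'EOF'
Jan 3 22:23:20 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2316 PROTO=ICMP TYPE=8 CODE=0 ID=39955 SEQ=1280
Jan 4 10:08:26 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=1 PROTO=TCP SPT=1090 DPT=5900 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 4 10:09:00 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp3 OUT=eth2 SRC=192.168.224.4 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 4 10:09:05 gate pppd[1234]: local  IP address 192.168.224.1
EOF
}

# count_intra_int: number of sample lines that are intra-internal forward drops.
count_intra_int() {
    sfw2_samples | while IFS= read -r line; do classify "$line"; done | grep -c '^intra-int$'
}

# Stand-alone run: one verdict per sample line.
sfw2_samples | while IFS= read -r line; do
    printf '%-10s IN=%s OUT=%s PROTO=%s\n' "$(classify "$line")" \
        "$(sfw2_field "$line" IN)" "$(sfw2_field "$line" OUT)" "$(sfw2_field "$line" PROTO)"
done
```

Run it against a real /var/log/messages by replacing sfw2_samples with a grep for SFW2-FWDint on that file; every line it reports as intra-int is one that class routing (or Tim's custom rules) would have accepted, while cross-zone lines point at an interface that is simply missing from FW_DEV_INT.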
Herbert,

Thank you for your help! I guess not too many people use these VPNs since there isn't even a how-to on it.

Thanks again!

Tim Ertl

-----Original Message-----
From: Herbert Graeber [mailto:lists@graeber-clan.de]
Sent: Friday, January 04, 2008 2:04 PM
To: opensuse@opensuse.org
Subject: Re: [opensuse] SuSEfirewall2 & PPTP SERVER SFW2-FWDint-DROP-DEFLT IN=ppp0

[...]
participants (2)
- Herbert Graeber
- Tim Ertl