Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] SuSEfirewall config with pptpd help
  • From: Daniel Nilsson <dnilsson@xxxxxxxxxx>
  • Date: Mon, 30 Jul 2001 18:53:13 -0400
  • Message-id: <3B65E559.4080100@xxxxxxxxxx>
Hi Ian,

I have been able to get the VPN server running. I'm concerned though that I had to open up
too much in my firewall config to make this possible. I don't have access to the firewall config
file right now but what I did is that I added all the possible ppp adapters to FW_DEV_INT
and then I added a forwarding rule for all ports with source and destination of 192.168.1.0/24
like this:

FW_FORWARD_TCP="192.168.1.0/24,192.168.1.0/24,1:65535" # Beware to use this!
FW_FORWARD_UDP="192.168.1.0/24,192.168.1.0/24,1:65535" # Beware to use this!
FW_FORWARD_IP="192.168.1.0/24,192.168.1.0/24,1" # Beware to use this!

What I don't understand though is how to limit the destination of these packages to be
one of the ppp adapters and not my FW_DEV_WORLD adapter. Maybe packages
from 192.168.1.0/24 will be denied from FW_DEV_WORLD, but I have no way of testing
that. I'm also not sure if the FORWARD rule overrides the INPUT rule or not, that is, if
packets entered FW_DEV_WORLD from a source of 192.168.1.0/24 will they be forwarded
to the internal network even though they are not open in:

FW_SERVICES_EXTERNAL_TCP="" # Common: smtp domain
FW_SERVICES_EXTERNAL_UDP="" # Common: domain

I clearly need to spend some more time understanding these rules. If anyone on the list has some
information on how to properly set up incoming VPN connections to a pptpd running on the firewall that
would be very helpful...

Thanks
Daniel Nilsson

Ian F. Silver wrote:

Dear Daniel,

I saw your post to the SuSE-Security mailing list where you were asking
about setting up a VPN/PPTP connection from the outside world to your
192.168.1.0/24 masqueraded address machines on the internal side of
the SuSEfirewall you've set up.

I've got an almost _identical_ setup to yours, and am exploring the exact
same options as you, though I don't think I'm quite as far along as you
are (I haven't set up PPTPD yet, I'm still in the exploration/information
seeking phase).

I was seriously thinking of switching firewall packages over to Astaro's
offering due to all the features it has, but since I've been happy with
the SuSEfirewall package to date, I'd like to stick with it if possible.

Have you had any luck so far with your configuration of a VPN with
SuSEfirewall? If so, would you be willing to share your configs (minus
any sensitive info/passwords of course!) to give me a leg up in getting
farther along this path? If I can come up with any insights, of course
I'll be willing to share them in return. :-)

Sincerely,
Ian F. Silver




