Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Fri, 18 Jan 2002 09:33:08 -0600
  • Message-id: <5.1.0.14.2.20020118093305.03657980@xxxxxxxxxxxxxxxxxxxx>
Kai writes:

> what about the kernel parameter rp_filter?! There is a dir for each network
> device in /proc/sys/net/ipv4/conf/ !

Yes, I see those settings there...

> And for IPSec it must be set to "0" (the default value, I think)!!

Yes, before the SuSEfirewall2 script runs, these are 0.

> The /sbin/SuSEfirewall2 script looks at start time for ipsec devices (in v2.0 ->
> less +522 /sbin/SuSEfirewall2), but if there is no IPSec device present, the
> rp_filter parameter is set to "1"!
> Maybe you want to set them all to "0":
> for i in /proc/sys/net/ipv4/conf/* ; do echo "0" > "$i/rp_filter" ; done

Okay, but: When?

> If that doesn't help you can switch off the kernel security at #17 in
> /etc/rc.config.d/firewall2.rc.config.

I checked, it's already off. I left it off until I got a working config,
which I don't appear to have yet. I'm trying to give myself the best
chance for success. :-)

> A little bug in the /sbin/SuSEfirewall2 script is that the changes to the
> kernel parameters are a one-way ticket! Once set, the script doesn't roll them
> back to the original values if you stop/refresh/reload the firewall, so the
> only way I see is to reboot the machine (or roll back the values by hand ;-)

Thank you, I didn't know that!

> btw. does IPSec work correctly if you don't start the firewall?!

On one end, I'm already behind a CISCO PIX firewall, so I have the luxury
of not running the firewall. On the other end, I'm wide open to the world,
and I'm not willing to shut the firewall down. That strikes me as
downright dangerous.

> PS remember: you CAN'T ping from one IPSec router to the other!!! You must
> use IPs other than the router IPs as source / target IPs for ping tests:
> http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#cantping

A good reminder, thank you.

> PSS Very important (the real trick):
> http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#masq.faq

Thanks... though with SuSEfirewall2 in play, I'm not sure how to issue
manual commands with IPTables and not screw up what SuSEfirewall2 has
done for me.

The prospect of manually creating firewall scripts is not a pretty one.
I have a bunch of port forwarding going on. :-(

> Have a nice day....

I'll try, thanks.
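An added example, not part of the original thread, for the "roll back the values by hand" step discussed above: a small POSIX sh helper that snapshots every interface's rp_filter before SuSEfirewall2 runs, reports the interfaces where it is no longer 0 (FreeS/WAN needs 0), and restores the snapshot when the firewall is stopped. The CONF_ROOT override and the default snapshot path are assumptions made for this example.

```shell
#!/bin/sh
# Added helper (not from the thread): snapshot each interface's rp_filter
# before SuSEfirewall2 runs, check that it is still 0 afterwards, and roll
# the values back when the firewall is stopped.
# CONF_ROOT is an assumed override so the functions can be exercised on a
# scratch directory instead of the live /proc tree.
CONF_ROOT=${CONF_ROOT:-/proc/sys/net/ipv4/conf}

# Record "<interface> <value>" for every interface into snapshot file $1.
save_rp_filter() {
    : > "$1"
    for d in "$CONF_ROOT"/*; do
        [ -f "$d/rp_filter" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(cat "$d/rp_filter")" >> "$1"
    done
}

# Write the recorded values from snapshot file $1 back; interfaces that
# have disappeared since the snapshot was taken are skipped.
restore_rp_filter() {
    while read -r iface val; do
        [ -f "$CONF_ROOT/$iface/rp_filter" ] || continue
        echo "$val" > "$CONF_ROOT/$iface/rp_filter"
    done < "$1"
}

# Print every interface whose rp_filter is not 0 (FreeS/WAN wants 0 on the
# interfaces that carry IPSec traffic); return 0 if none, 1 otherwise.
rp_filter_enabled_on() {
    rc=0
    for d in "$CONF_ROOT"/*; do
        [ -f "$d/rp_filter" ] || continue
        if [ "$(cat "$d/rp_filter")" != "0" ]; then
            basename "$d"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: rp_filter_guard.sh save|check|restore [snapshot-file]
# (the default snapshot path is an assumption; pick one that suits you)
SNAP=${2:-/var/run/rp_filter.snapshot}
case "${1:-}" in
    save)    save_rp_filter "$SNAP" ;;
    check)   rp_filter_enabled_on ;;
    restore) restore_rp_filter "$SNAP" ;;
esac
```

Run `save` before starting SuSEfirewall2, `check` afterwards to see which interfaces it flipped, and `restore` after stopping it instead of rebooting.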
