Mailinglist Archive: opensuse-security (409 mails)

Help with SuSE firewall2 and VPN (long)
  • From: David Abraham <abraham@xxxxxxxxx>
  • Date: Fri, 16 Aug 2002 11:59:23 -0400 (EDT)
  • Message-id: <Pine.LNX.4.44.0208161113160.30230-100000@xxxxxxxxxxxxxxxxxxx>
I am having problems getting my VPN software to work correctly on a client
machine behind my SuSE 8.0 firewall box and was hoping for some help. The
client uses the Check Point SecuRemote client to connect to a remote
network. I found a FAQ page on changes to firewall rules to make this
work, but the instructions are a little unclear to me and I am not sure
how to integrate them with SuSEfirewall2. I have pasted part of the FAQ
and my current Firewall variables below. Suggestions would be very
welcome.

Thanks! David




The FAQ ( http://www.phoneboy.com/faq/0372.html ) suggests adding rules
like this:
fw1-ip is the external IP of your firewall
client-ip is your SecuRemote Client
linux-ip is the IP of your Linux host
ext_if refers to external interface

# iptables chain names are case-sensitive and upper-case (INPUT, FORWARD)
/usr/sbin/iptables -A INPUT -s linux-ip -d fw1-ip -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT -s linux-ip -d fw1-ip -p 50 -j ACCEPT
/usr/sbin/iptables -A INPUT -s fw1-ip -d linux-ip -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT -s fw1-ip -d linux-ip -p udp --dport 2746 -j ACCEPT
/usr/sbin/iptables -A INPUT -s fw1-ip -d linux-ip -p 50 -j ACCEPT
/usr/sbin/iptables -A FORWARD -s linux-ip -d fw1-ip -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o ext_if -j MASQUERADE



How should I do this with SuSEfirewall2?


Variables in /etc/sysconfig/SuSEfirewall2
-----------------------------------------
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="113 ssh"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="domain"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP="domain"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
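An added example, not part of David's post or of the phoneboy FAQ: the FAQ's rules expressed in netfilter (iptables) terms for a gateway laid out like the one above, with the SecuRemote client on the internal interface (eth1) and masquerading on the external one (eth0). The client and FireWall-1 addresses are placeholders. Two things the FAQ text leaves unsaid: iptables chain names are upper-case and, unlike the ipchains input chain, netfilter's INPUT chain only sees packets addressed to the gateway itself, so rules for the client's traffic belong in FORWARD (with the masquerade in nat/POSTROUTING); and ESP (IP protocol 50) carries no port numbers, so a masquerading gateway cannot tell two raw-ESP clients apart, which is what Check Point's UDP encapsulation on port 2746 is for.

```shell
#!/bin/sh
# Added example (not from the original post or the phoneboy FAQ): the FAQ's
# SecuRemote-through-masquerade rules in netfilter (iptables) terms, for a
# gateway laid out like the one in the post: the SecuRemote client sits behind
# the gateway on the internal interface (FW_DEV_INT) and the gateway
# masquerades to the Internet on the external interface (FW_DEV_EXT).
# Addresses are assumed placeholders.
#
# Dry run by default: the iptables commands are printed, not executed.
# To apply them, run as root with IPTABLES=/usr/sbin/iptables in the
# environment.
IPTABLES=${IPTABLES:-"echo /usr/sbin/iptables"}

EXT_IF=${EXT_IF:-eth0}                 # FW_DEV_EXT in the post
INT_IF=${INT_IF:-eth1}                 # FW_DEV_INT in the post
CLIENT_IP=${CLIENT_IP:-192.168.1.10}   # assumed: the SecuRemote client behind the gateway
FW1_IP=${FW1_IP:-203.0.113.5}          # assumed: the remote FireWall-1's external address

# What a SecuRemote client needs to get through a masquerading gateway:
#   UDP 500         IKE (key exchange)
#   UDP 2746        Check Point's UDP encapsulation of ESP, the NAT-friendly mode
#   IP protocol 50  raw ESP; it carries no port numbers, so masquerading can
#                   only ever serve one raw-ESP client at a time
securemote_masq_rules() {
    # Client -> FireWall-1: routed from the internal to the external interface.
    # These go in FORWARD: in netfilter, INPUT only sees packets addressed to
    # the gateway itself, never packets it routes for someone else.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$CLIENT_IP" -d "$FW1_IP" \
        -p udp --dport 500 -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$CLIENT_IP" -d "$FW1_IP" \
        -p udp --dport 2746 -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$CLIENT_IP" -d "$FW1_IP" \
        -p 50 -j ACCEPT

    # FireWall-1 -> client: only replies to the connections above. Connection
    # tracking (ip_conntrack) is loaded anyway, because MASQUERADE needs it.
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$FW1_IP" -d "$CLIENT_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the client's source address to the gateway's external address
    # on the way out (the FAQ's last rule, restricted to this one client).
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$CLIENT_IP" -j MASQUERADE
}

securemote_masq_rules
```

With no IPTABLES in the environment the script only prints the five commands, which is a cheap way to look at a rule set before loading it. SuSEfirewall2 builds its own netfilter rules from the variables listed above, so comparing its loaded rules (iptables -L -n -v and iptables -t nat -L -n) against this list shows which of the FAQ's rules the existing configuration already covers.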



