Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] how to enable ipsec over firewall?
  • From: Jochen Staerk <jochen.staerk@xxxxxxxxxxxxx>
  • Date: Tue, 17 Sep 2002 11:49:55 +0200
  • Message-id: <3D86FAC3.5080002@xxxxxxxxxxxxx>
Hi Michael,

In case someone knows about the 8 (2.4 kernel) firewall2 config, please
answer as well; we might be able to update this.

Huh????

Translated: In case you knew how to configure Suse 8, I'll get Suse 8 running on our firewall. ;)

Do I need to apply a kernel patch?


Yep, download as above. The extra rules come here in SuSEfirewall2.

Okay, I used the Suse 8 FreeS/WAN, since it was the version that was also at the site you mentioned, and installed the FreeS/WAN kernel module that Suse provides.

FW_DEV_IPSEC="ipsec0"

Okay, the silly thing is that I don't have such a device in /dev/etc. I should probably check my FreeS/WAN configuration?

http://www.suse.com/~marc/SuSEfirewall2-2.1.tar.gz

I checked that, and it does seem to be the same 2.1 version that comes with Suse 8.

Line 306 of the executable scans for FW_DEV_IPSEC, but expects a "yes" instead of a device?
echo " $FW_DEV_EXT $FW_DEV_DMZ $FW_DEV_INT " | grep -q ipsec && FW_DEV_IPSEC=yes

From line 537 it also tests for FW_DEV_IPSEC:
for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $i/accept_redirects 2> /dev/null
    echo 0 > $i/accept_source_route 2> /dev/null
    test -z "$FW_DEV_IPSEC" && echo 1 > $i/rp_filter 2> /dev/null
    echo 0 > $i/mc_forwarding 2> /dev/null
done


As to your configuration, you write "extra rules", so I understand I should append them. I just wanted to remark that there does not seem to be any kind of default for ipsec - rule 19 is about
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.
and Rule 20 is "Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall."

Take a look at rule 21. Seems to be one answer on your questions!

Actually it does, yes, and thanks.

bye,
Jochen
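Editor's note on the two SuSEfirewall2 fragments quoted in this message: the grep at line 306 turns FW_DEV_IPSEC into a plain "yes" flag whenever an interface containing the string "ipsec" appears in FW_DEV_EXT, FW_DEV_DMZ or FW_DEV_INT, so setting FW_DEV_IPSEC="ipsec0" by hand has no effect of its own; what matters is that the ipsecN device is listed in one of the three zone variables. The loop from line 537 then leaves rp_filter alone whenever that flag is set. The reason is that with FreeS/WAN's KLIPS the decrypted packets surface on ipsecN while the kernel's reverse route for the peer still points at the physical interface, so strict reverse-path filtering would drop them. The following is an added example written for this page, not SuSEfirewall2's own code: it reproduces both checks as functions that take the device lists and a stand-in for /proc/sys/net/ipv4/conf as arguments, so the logic can be exercised offline on a temporary directory. The directory layout and the device names eth0, eth1 and ipsec0 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from SuSEfirewall2 or from the original thread.
# Reproduces the FW_DEV_IPSEC detection (script line 306) and the
# per-interface sysctl loop (from line 537) with the device lists and the
# conf directory passed in, so it runs against a scratch directory.

# detect_ipsec EXT DMZ INT
# Echo "yes" when any of the three zone device lists contains an
# interface whose name includes "ipsec" (ipsec0, ipsec1, ...), exactly
# like the substring grep in SuSEfirewall2 2.1; echo nothing otherwise.
# Note: it is a substring match, so any name containing "ipsec" qualifies.
detect_ipsec() {
    if echo " $1 $2 $3 " | grep -q ipsec; then
        echo yes
    fi
}

# rp_filter_action EXT DMZ INT
# Echo "1" when reverse-path filtering is to be switched on (no ipsec
# device configured) and "keep" when it must be left untouched, because
# packets decapsulated by KLIPS arrive on ipsecN while the reverse route
# points at the physical interface and rp_filter=1 would drop them.
rp_filter_action() {
    if [ -z "$(detect_ipsec "$1" "$2" "$3")" ]; then
        echo 1
    else
        echo keep
    fi
}

# apply_conf BASE EXT DMZ INT
# Same writes as the quoted loop, but under BASE (a directory standing in
# for /proc/sys/net/ipv4/conf, one subdirectory per interface).
apply_conf() {
    base=$1
    action=$(rp_filter_action "$2" "$3" "$4")
    for i in "$base"/*; do
        [ -d "$i" ] || continue
        echo 0 > "$i/accept_redirects"
        echo 0 > "$i/accept_source_route"
        # Only touch rp_filter when no ipsec device is present.
        [ "$action" = 1 ] && echo 1 > "$i/rp_filter"
        echo 0 > "$i/mc_forwarding"
    done
    return 0
}

# read_rp_filter BASE IFACE -> current rp_filter value for IFACE under BASE
read_rp_filter() {
    cat "$1/$2/rp_filter"
}

# Stand-alone demonstration on a scratch tree with assumed interface names.
if [ "${0##*/}" != "sh" ] && [ -z "$NO_DEMO" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/eth0" "$demo/eth1" "$demo/ipsec0"
    for d in eth0 eth1 ipsec0; do echo 0 > "$demo/$d/rp_filter"; done
    apply_conf "$demo" "eth0" "" "eth1 ipsec0"
    echo "with ipsec0 listed, eth0 rp_filter = $(read_rp_filter "$demo" eth0)"
    apply_conf "$demo" "eth0" "" "eth1"
    echo "without ipsec, eth0 rp_filter = $(read_rp_filter "$demo" eth0)"
    rm -rf "$demo"
fi
```

The practical check for the original poster's situation follows directly from the functions: run detect_ipsec with the three zone variables from the SuSEfirewall2 config; if it prints nothing, the ipsecN device was never listed in FW_DEV_EXT/DMZ/INT and rp_filter will be forced on for every interface, which is the first thing to suspect when traffic over the tunnel is silently dropped.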

