Hello Harald and Steffen, some days ago I asked about IPsec and SuSEfirewall2. Do I understand you correctly that all I should do is to MASQ the internal interface and then FORWARD_MASQ from outside to internal, like in
FW_FORWARD_MASQ=${FW_FORWARD_MASQ}" 0/0,192.168.xxx.yyy,50"
after modifying the firewall scripts according to Harald's post? Did you do something different on your production system, Steffen? TIA, Philipp Rusch
Harald Wallus wrote:
On Tuesday, 12 November 2002 12:21, Steffen Dettmer wrote:
* Hannu Hirvonen wrote on Tue, Nov 12, 2002 at 12:20 +0200:
On Tuesday 12 November 2002 12:12, you wrote:
What does that mean? I think it should be no problem to open protocol 47 with iptables.
That is protocol 47, not port 47. You know, protocol 1 is ICMP, protocol 6 is TCP, protocol 17 is UDP etc.; 47 is GRE (General Routing Encapsulation).
Yes, I know that we don't talk about TCP or UDP ports but about IP protocols. My man iptables reads as follows:
-p, --protocol [!] protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value,
So I would expect "--protocol 47" to match any IP protocol 47, (of course without any content inspection). With ipchains, I'm sure that this works for protocol 50 (IPSec ESP) as I use it in production :)
Steffen is right. I do it like this with SuSEFirewall:
FW_FORWARD_MASQ=${FW_FORWARD_MASQ}" 0/0,192.168.xxx.yyy,47 "
192.168.xxx.yyy is my MS VPN server. But I have patched the SuSEfirewall2 script: I use the version from SuSE 8.0, and this is at about line 1320:
test "$PROTO" = tcp -o "$PROTO" = udp -o "$PROTO" = 47 || {
    echo "Error: The protocol with FW_MASQ_NETS must be tcp or udp or 47 -> $NETS"
    NET2=""
}
test ! "$PROTO" = 47 -a -z "$PORT1" && {
    echo "Error: Port missing in FW_MASQ_NETS -> $NETS"
    NET2=""
}
You see, I have just allowed 47 for PROTO and say it is no error if $PROTO=47 has no port. (Be careful with the line breaks, I use KMail!)
Greetings Harald
-- Dr. Harald Wallus netlike-gmbh Am Listholze 78, D-30177 Hannover Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 1-90 Email: wallus@netlike-gmbh.de Internet: http://netlike-gmbh.de
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
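As an added example (not code from the thread and not SuSEfirewall2's own script), the following POSIX sh script shows the validation logic Harald patched, generalized to both port-less IP protocols mentioned in the thread: 47 (GRE, the MS VPN case) and 50 (IPsec ESP, Steffen's and Philipp's case). It parses entries in the same "source,target,proto[,port]" form as FW_FORWARD_MASQ, rejects tcp/udp entries that lack a port, accepts 47 and 50 without one, and prints (without executing) the iptables DNAT and FORWARD rules such an entry would need, so that "-p 47" and "-p 50" are visible as plain IP-protocol matches. The function names, the eth0 interface and the 192.168.1.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: validate FW_FORWARD_MASQ-style entries and render iptables
# rules for them. Not part of SuSEfirewall2; names and addresses are constructed.

# Returns 0 when the protocol is one that carries no port (47 = GRE, 50 = ESP).
is_portless_proto() {
    case "$1" in
        47|50) return 0 ;;
        *)     return 1 ;;
    esac
}

# validate_masq_entry "src,dst,proto[,port]"
# Prints "ok" and returns 0 for an acceptable entry; otherwise prints an error
# in the style of the script's own messages and returns 1.
validate_masq_entry() {
    entry="$1"
    proto=$(echo "$entry" | cut -d, -f3)
    port=$(echo "$entry" | cut -d, -f4)

    # Same shape as the patched check: only tcp, udp or a port-less protocol.
    if [ "$proto" != tcp ] && [ "$proto" != udp ] && ! is_portless_proto "$proto"; then
        echo "Error: The protocol with FW_FORWARD_MASQ must be tcp, udp, 47 or 50 -> $entry"
        return 1
    fi
    # A port is mandatory only for tcp/udp; 47 and 50 have none.
    if ! is_portless_proto "$proto" && [ -z "$port" ]; then
        echo "Error: Port missing in FW_FORWARD_MASQ -> $entry"
        return 1
    fi
    echo ok
    return 0
}

# render_masq_rules "src,dst,proto[,port]" EXTIF
# Prints the iptables commands for one entry: a DNAT on the external interface
# and the matching FORWARD accept. For 47/50 no --dport is emitted.
render_masq_rules() {
    entry="$1"; ext="$2"
    validate_masq_entry "$entry" >/dev/null || return 1
    src=$(echo "$entry" | cut -d, -f1)
    dst=$(echo "$entry" | cut -d, -f2)
    proto=$(echo "$entry" | cut -d, -f3)
    port=$(echo "$entry" | cut -d, -f4)
    if is_portless_proto "$proto"; then
        echo "iptables -t nat -A PREROUTING -i $ext -s $src -p $proto -j DNAT --to-destination $dst"
        echo "iptables -A FORWARD -i $ext -s $src -d $dst -p $proto -j ACCEPT"
    else
        echo "iptables -t nat -A PREROUTING -i $ext -s $src -p $proto --dport $port -j DNAT --to-destination $dst:$port"
        echo "iptables -A FORWARD -i $ext -s $src -d $dst -p $proto --dport $port -j ACCEPT"
    fi
}

# Constructed sample entries in the format used in the thread.
SAMPLE_GRE="0/0,192.168.1.10,47"
SAMPLE_ESP="0/0,192.168.1.10,50"
SAMPLE_TCP="0/0,192.168.1.20,tcp,443"
SAMPLE_BAD="0/0,192.168.1.20,tcp"

for e in "$SAMPLE_GRE" "$SAMPLE_ESP" "$SAMPLE_TCP" "$SAMPLE_BAD"; do
    echo "# $e"
    render_masq_rules "$e" eth0 || validate_masq_entry "$e"
done
```

Running it prints two rules each for the GRE, ESP and tcp/443 entries and the "Port missing" error for the tcp entry without a port. Note that a FORWARD accept for "-p 47" or "-p 50" matches every packet of that IP protocol to the target host, so the entry should name the narrowest source that the remote peers actually use rather than 0/0 where that is possible.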