Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] SuSEfirewall2 & MS/VPN
  • From: Sven 'Darkman' Michels <sven@xxxxxxxxxx>
  • Date: Sat, 26 Jul 2003 03:50:25 +0200
  • Message-id: <3F21DE61.5070503@xxxxxxxxxx>
Andy Bennett wrote:
> Hi,
>
> Edit what package?

TCP data packet, not a package like an rpm or so ;)


> The Microsoft Windows 2000 server is already running pptp/vpn and working fine. All I'm trying to establish is whether it is possible to place it behind the firewall and forward the VPN connection to it so that the rest of the available ports/connections on the MS Windows 2000 server machine aren't visible (i.e. vulnerable) to attack.

I know what you're trying, but AFAIK your setup isn't possible. Try to
establish a PPTP connection from a client BEHIND a gateway to some
VPN server: without special modules it *WILL NOT* work. PPTP packets
must be passed through, not handled like normal, masqueraded packets.
If you reverse the setup, you'll see that DNAT is like masquerading
and so PPTP won't work in your setup. You can put the M$ box behind
a SuSE firewall if you have an official IP for the box, too. Then just
close all except the PPTP port and the machine is as safe as it would
be in your current setup (if it would work ;)


> If, as has been stated, the forward rule simply does NAT on that particular port, 1723, for that particular protocol, TCP, that's all I need, isn't it?

It isn't. As I said, AFAIK you cannot simply NAT PPTP packets.


> To be clear - I am talking about connections to a permanently connected setup from outside - i.e. road warriors.

I know ;)

So, HTH and good night (sorry for typos.. it's nearly 4 am and I'm
just back from a party %-)

Sven
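Sven's point is that a port-only NAT rule forwards the PPTP control channel (TCP/1723) but not the tunnel itself, which is GRE and has no ports. The script below is an added example, not from the thread and not SuSEfirewall2's own syntax: it generates the netfilter rules a PPTP pass-through needs, including the helper modules. The server address, WAN interface and module names are assumptions.

```shell
#!/bin/sh
# Added example: emit the netfilter rules for passing PPTP through to an
# internal server. A DNAT on TCP/1723 alone covers only the control channel;
# the tunnel is GRE (IP protocol 47), and its call IDs must be rewritten by
# the PPTP helper modules. Address, interface and module names are assumed.
#
# Usage: pptp_dnat_rules <internal_vpn_ip> <wan_interface> | sh
pptp_dnat_rules() {
    vpn_ip="$1"
    wan_if="${2:-eth0}"

    # Helper modules: ip_conntrack_pptp/ip_nat_pptp on 2.4-era kernels,
    # nf_conntrack_pptp/nf_nat_pptp on current ones. Without them the GRE
    # call IDs are not tracked and the tunnel never comes up behind NAT.
    echo "modprobe nf_conntrack_pptp"
    echo "modprobe nf_nat_pptp"

    # Newer kernels no longer attach helpers automatically; bind the PPTP
    # helper to the control connection explicitly.
    echo "iptables -t raw -A PREROUTING -i $wan_if -p tcp --dport 1723 -j CT --helper pptp"

    # Control channel: TCP/1723 to the internal server.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $vpn_ip"
    # Data channel: GRE, forwarded whole since it carries no port numbers.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p gre -j DNAT --to-destination $vpn_ip"

    # Allow only these two flows through the FORWARD chain; every other
    # port on the Windows box stays unreachable from outside.
    echo "iptables -A FORWARD -i $wan_if -p tcp -d $vpn_ip --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -p gre -d $vpn_ip -j ACCEPT"
    echo "iptables -A FORWARD -o $wan_if -s $vpn_ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
```

The same helper modules are what a client behind a masquerading gateway needs in the reverse direction the thread mentions.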

