Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] SuSEfirewall2 & MS/VPN
  • From: Andy Bennett <andy@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 25 Jul 2003 20:35:07 +0100
  • Message-id: <200307252035.07340.andy@xxxxxxxxxxxxxxxxxxxxx>

Edit what package? The Microsoft Windows 2000 server is already running
pptp/vpn and working fine. All I'm trying to establish is whether it is
possible to place it behind the firewall and forward the VPN connection to it
so that the rest of the available ports/connections on the MS Windows 2000
server machine aren't visible, (i.e. vulnerable), to attack.

If, as has been stated, the forward rule simply does NAT on that particular
port, 1723, for that particular protocol, TCP, that's all I need isn't it?

To be clear - I am talking about connections to a permanently connected setup
from outside - i.e. road warriors.


On Friday 25 July 2003 18:14, Sven 'Darkman' Michels wrote:
> Andy Bennett wrote:
> > Hi,
> >
> > No. Briefly, I have come into the middle of a situation where a someone
> > else has set up a system for a friend of mine in such a way that his MS
> > VPN box is directly connected to the internet alongside his SuSEfirewall2
> > like this
> >
> > Internet
> >
> > Exterior router
> >
> > SuSEfirewall MS/VPN
> >
> > My first thought was that the guy had gone mad but then it occurred to me
> > that maybe he knows something I don't. In any event I thought I'd ask
> > here first.
> >
> > I thought it should be possible to simply put something like
> >
> > FW_FORWARD="0/0,,tcp,1723"
> >
> > as Jorn Ott suggested to forward connections directly to the MS VPN
> > machine and let it handle everything but, like I said, am I missing
> > something?
> As with ipsec etc. you cannot simply edit the packages (like NAT will
> do). So you cannot forward the connection I would guess. For your setup
> you will need to put the win machine in front of the firewall or setup
> the firewall itself as a PPTP Server (or if you need, as client). For
> PPTP from inside -> outside some masq modules exist (at least for Kernel
> 2.2.x, dunno if it's ported to 2.4 right now). Maybe such a masq module
> would help for your forwarding problem, but I don't think so ;)
> HTH,
> Sven
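An added check for the kind of FW_FORWARD entry discussed in this thread (example code written for this archive page, not from SuSEfirewall2 or either poster). It assumes the four-field source,destination,protocol,port layout that the quoted entry suggests, that GRE may be written as "gre" or "47", and uses the constructed address 192.0.2.10:

```python
"""Lint SuSEfirewall2-style FW_FORWARD entries before applying them.

Added example, not code from the thread or from SuSEfirewall2 itself.
Assumed entry format: "source,destination,protocol[,port]", space-separated,
as the thread's FW_FORWARD="0/0,,tcp,1723" suggests.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the entry quoted in the thread (empty destination)
# plus a complete one pointing at an assumed internal host.
SAMPLE_FW_FORWARD = '0/0,,tcp,1723 0/0,192.0.2.10,tcp,1723'


@dataclass
class ForwardRule:
    source: str
    destination: str
    protocol: str
    port: Optional[str]


def parse_fw_forward(value: str) -> List[ForwardRule]:
    """Split a FW_FORWARD string into rules; raise on entries too short to use."""
    rules = []
    for entry in value.split():
        fields = entry.split(',')
        if len(fields) < 3:
            raise ValueError(f'too few fields in {entry!r}')
        src, dst, proto = fields[:3]
        port = fields[3] if len(fields) > 3 else None
        rules.append(ForwardRule(src, dst, proto.lower(), port))
    return rules


def lint_rules(rules: List[ForwardRule]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    protos = {r.protocol for r in rules}
    for r in rules:
        if not r.destination:
            findings.append(f'no destination host for {r.protocol}/{r.port}: '
                            'nothing to forward to')
    # PPTP uses TCP 1723 only for control; the tunnel itself is GRE (IP proto 47),
    # so forwarding 1723 alone leaves the VPN unusable behind the firewall.
    if any(r.protocol == 'tcp' and r.port == '1723' for r in rules) \
            and not protos & {'gre', '47'}:
        findings.append('tcp/1723 (PPTP control) forwarded without GRE (IP proto 47)')
    return findings
```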
