Hi,

Edit what package? The Microsoft Windows 2000 server is already running pptp/vpn and working fine. All I'm trying to establish is whether it is possible to place it behind the firewall and forward the VPN connection to it so that the rest of the available ports/connections on the MS Windows 2000 server machine aren't visible, (i.e. vulnerable), to attack. If, as has been stated, the forward rule simply does NAT on that particular port, 1723, for that particular protocol, TCP, that's all I need isn't it? To be clear - I am talking about connections to a permanently connected setup from outside - i.e. road warriors.

TIA
Andy

On Friday 25 July 2003 18:14, Sven 'Darkman' Michels wrote:
Andy Bennett wrote:
Hi,
No. Briefly, I have come into the middle of a situation where someone else has set up a system for a friend of mine in such a way that his MS VPN box is directly connected to the internet alongside his SuSEfirewall2 like this
Internet --- Exterior router
                 |        |
           SuSEfirewall  MS/VPN
My first thought was that the guy had gone mad but then it occurred to me that maybe he knows something I don't. In any event I thought I'd ask here first.
I thought it should be possible to simply put something like
FW_FORWARD="0/0,192.168.1.2,tcp,1723"
as Jorn Ott suggested to forward connections directly to the MS VPN machine and let it handle everything but, like I said, am I missing something?
As with ipsec etc. you cannot simply edit the packages (like NAT will do). So you cannot forward the connection I would guess. For your setup you will need to put the win machine in front of the firewall or set up the firewall itself as a PPTP Server (or if you need, as client). For PPTP from inside -> outside some masq modules exist (at least for Kernel 2.2.x, dunno if it's ported to 2.4 right now). Maybe such a masq module would help for your forwarding problem, but I don't think so ;)
HTH, Sven
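The sticking point in this exchange is that PPTP is not a single TCP port: the TCP/1723 connection only negotiates the tunnel, and the tunnelled traffic itself is GRE (IP protocol 47), which has no port to forward. Forwarding 1723 alone lets clients connect and then hang. As an added illustration (not from the thread, and not SuSEfirewall2's own syntax), the plain iptables rules a Linux firewall would need to pass both channels to the internal VPN host, plus a check that a ruleset covers both; the interface name eth0 is an assumption, 192.168.1.2 is the host from the thread:

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a Linux firewall with
# iptables, external interface eth0 (assumed name) and the internal PPTP server
# at 192.168.1.2. Emits the rules; pass "apply" as the first argument to run them.

pptp_forward_rules() {
    vpn_host="$1"
    wan_if="${2:-eth0}"
    # Control channel: DNAT TCP/1723 to the VPN host and let it through FORWARD.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 1723 -j DNAT --to-destination $vpn_host"
    echo "iptables -A FORWARD -i $wan_if -p tcp -d $vpn_host --dport 1723 -j ACCEPT"
    # Data channel: GRE (protocol 47) carries the PPP frames and has no ports,
    # so the whole protocol is sent to the VPN host. This suits exactly one
    # internal PPTP server; several would need the kernel's PPTP NAT helper.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p 47 -j DNAT --to-destination $vpn_host"
    echo "iptables -A FORWARD -i $wan_if -p 47 -d $vpn_host -j ACCEPT"
}

# Check a ruleset (e.g. the output of iptables-save) for both halves of the
# pass-through. Returns 0 only when TCP/1723 DNAT and GRE DNAT are both there.
pptp_rules_complete() {
    rules="$1"
    echo "$rules" | grep -q -- '-p tcp .*--dport 1723 .*-j DNAT' || return 1
    echo "$rules" | grep -Eq -- '-p (47|gre) .*-j DNAT' || return 1
    return 0
}

rules=$(pptp_forward_rules 192.168.1.2 eth0)
echo "$rules"
if [ "$1" = "apply" ]; then
    echo "$rules" | sh
fi
```

Only the 1723 DNAT is what the FW_FORWARD line in the thread expresses; the GRE half is what makes the tunnel actually carry traffic.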