Re: [suse-security] freeswan, VPN, firewall, roadwarrior setup (was: Re: [suse-security] Wanted: SuSEfirewall2 config)
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Wed, 16 Jul 2003 21:43:08 +0200
  • Message-id: <20030716214307.B2796@xxxxxxxxx>
* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 19:34 +0300:
> Thank you very much.
> You were right. The problem was that the ipsec0 interface was in FW_DEV_EXT,
> not in FW_DEV_INT.

I do not know if this is right for you also. In my case, there is
exactly one trusted VPN peer. I don't want to filter anything
between all the LANs, so for me it is right :-)

> I put it there because the SuSEfirewall2 manual says:
> "Also, you need to add ipsec0 to the FW_DEV_EXT variable".
> Will this be a security issue???????

Well, I must admit that I do not understand SuSEfirewall2. I just
saw some EXT/DMZ/INT structure. I do not know if EXT/EXT/INT/INT
or more complex topologies are supported, well, I doubt that for
a desktop Linux system such things are necessary - a script of your
own would be needed anyway.

Well, for 2.0.x and 2.2.x I had a script of my own. Besides
controlling some general features such as rp_filter and friends,
its configuration file consists of "rules", basically in the form:

input: any:68 any:67 udp ACCEPT -i eth0
#NTP (dont try this @home :-))
input: ntps2-0:123 any:123 udp ACCEPT
input: ntps2-1:123 any:123 udp ACCEPT
input: ntps2-2:123 any:123 udp ACCEPT
#some other LAN
forward: all ACCEPT -b

and so on. I cannot imagine how this can be easily abstracted
except with ACL-style things. Well, and for the guys that have
multiple cascaded firewalls, such as companies, they can buy a
Firewall-on-CD licence for it (I don't know if you need a licence
for every firewall; this can get expensive). I guess it is
supported to configure end-to-end connections, then some tool
calculates which firewalls need which rules, but I don't know. I
never had the time to look at the Firewall on CD and I have not
read much about it here.



This message was generated automatically,
so it carries neither signature nor seal.
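The rule notation Steffen describes, turned into something checkable: an added example, not code from the post or from the script it describes. It assumes the field layout visible in the quoted lines (`chain: src[:port] dst[:port] proto TARGET [extra options]`, with `all` as a match-everything shorthand and `any` meaning `0/0`) and emits the ipchains syntax of the 2.2.x kernels mentioned; malformed lines are refused rather than guessed at, which is the property you want from a firewall rule generator.

```python
"""Added example: translate the rule notation from the post into ipchains commands.
Assumed layout: 'chain: src[:port] dst[:port] proto TARGET [extra]' or 'chain: all TARGET [extra]'."""
CHAINS = {"input", "output", "forward"}   # ipchains built-in chains
TARGETS = {"ACCEPT", "DENY", "REJECT"}    # ipchains targets
def _endpoint(spec):                      # 'host:port' -> (host, port); 'any' -> '0/0'
    host, _, port = spec.partition(":")
    return ("0/0" if host == "any" else host), (port or None)

def rule_to_ipchains(line):
    """One ipchains command (None for blank/comment lines); malformed lines raise ValueError."""
    line = line.split("#", 1)[0].strip()          # '#...' is a comment
    if not line:
        return None
    chain, _, rest = line.partition(":")
    chain, tok = chain.strip(), rest.split()
    if chain not in CHAINS:
        raise ValueError(f"unknown chain {chain!r}")
    if tok and tok[0] == "all":                   # shorthand: match everything
        src = dst = ("0/0", None); proto = None; idx = 1
    elif len(tok) >= 3:
        src, dst, proto, idx = _endpoint(tok[0]), _endpoint(tok[1]), tok[2], 3
    else:
        raise ValueError(f"need src dst proto: {line!r}")
    if idx >= len(tok) or tok[idx] not in TARGETS:
        raise ValueError(f"missing or unknown target: {line!r}")
    if proto not in ("tcp", "udp") and (src[1] or dst[1]):
        raise ValueError(f"ports only make sense with tcp/udp: {line!r}")
    cmd = ["ipchains", "-A", chain] + (["-p", proto] if proto else [])
    cmd += ["-s", src[0]] + ([src[1]] if src[1] else [])
    cmd += ["-d", dst[0]] + ([dst[1]] if dst[1] else [])
    return " ".join(cmd + tok[idx + 1:] + ["-j", tok[idx]])

def compile_rules(text):
    """Translate a whole config: returns (commands, ['lineno: error', ...])."""
    cmds, errs = [], []
    for n, l in enumerate(text.splitlines(), 1):
        try:
            c = rule_to_ipchains(l)
            if c: cmds.append(c)
        except ValueError as e:
            errs.append(f"{n}: {e}")
    return cmds, errs

SAMPLE_CONFIG = """\
input: any:68 any:67 udp ACCEPT -i eth0
#NTP (dont try this @home :-))
input: ntps2-0:123 any:123 udp ACCEPT
forward: all ACCEPT -b
"""   # the rules quoted in the post, used as constructed sample input
```

Feeding the output to a shell only makes sense when `compile_rules` returns an empty error list; a single refused line should stop the whole load, since a half-applied ruleset is worse than the old one.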

