Mailinglist Archive: opensuse-security (359 mails)

freeswan, VPN, firewall, roadwarrior setup (was: Re: [suse-security] Wanted: SuSEfirewall2 config)
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Wed, 16 Jul 2003 18:17:01 +0200
  • Message-id: <20030716181701.A2796@xxxxxxxxx>
* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 16:57 +0300:
> 1 Suse 8.0, 2 NIC's, freeswan VPN. All I want is to use the VPN, have access
> from the remote network to the Samba service installed on the same computer,
> and to access ssh from anywhere. Nothing else. Thanx.

I have SuSE 8.2 as roadwarrior with freeswan + SuSEfirewall2.

The SuSEfirewall2 seems to make a lot of assumptions. It seems
you either live with it or don't use it :-) For instance,
FW_SERVICE_AUTODETECT="yes" seems to work only if the services
are running locally (otherwise, I couldn't imagine how it would
work).

Please correct me if I'm wrong and give improved examples!

Setup: ipsec0 with 192.168.1.0/24 <-> 192.168.2.0/24. eth1
internal LAN.

1. If you allow something from ext, you have to allow it for
everyone. Set:
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
to allow everyone (!) to access ISAKMP and ESP/AH.

2. make ipsec0 an internal interface:
FW_DEV_INT="eth1 ipsec0"

3. Try to make it work. I set
FW_PROTECT_FROM_INTERNAL="no"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
(it seems to be assumed that trusted networks are on the
internal interfaces only, because an explicit DROP rule seems to
be created on the external interface)

4. FW_KERNEL_SECURITY="no"
to disable the "rp_filter" feature. It seems to be assumed that
you either want many or none of the kernel security features.

5. Because I just have one external interface and no DMZ, I set:
FW_ALLOW_CLASS_ROUTING="yes"
I didn't find a FW_ALLOW_INTERNAL_ROUTING or
FW_ALLOW_TRUSTED_ROUTING.

Finally, the portscan from external looks good so I can live with
it :-)

oki,

Steffen

--
This letter was produced by machine;
it therefore bears neither signature nor seal.

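As an added example (not part of the post above and not SuSEfirewall2's own code), a small POSIX sh audit that sources a SuSEfirewall2 sysconfig file and checks the settings the five steps walk through: it confirms ipsec0 is classed internal and that ISAKMP/ESP/AH are opened on ext, and flags the two settings the writer had to loosen for review. The sample config files are constructed here, and the external device name eth0 is an assumption.

```shell
#!/bin/sh
# Added example: audit a SuSEfirewall2 sysconfig file for the FreeS/WAN
# roadwarrior settings from the post. Sample configs are constructed.

write_sample() {            # write_sample FILE "INT_DEVS"
    cat > "$1" <<EOF
FW_DEV_EXT="eth0"
FW_DEV_INT="$2"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_PROTECT_FROM_INTERNAL="no"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
FW_KERNEL_SECURITY="no"
FW_ALLOW_CLASS_ROUTING="yes"
EOF
}

has_word() {                # has_word "LIST" WORD: WORD is an item of LIST
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# audit_cfg FILE: print findings; exit status = number of findings (0 = clean).
# The file is sourced in a subshell so its variables do not leak to the caller.
audit_cfg() {
    ( . "$1"; n=0
      # VPN traffic must be classed internal, or trusted nets hit the ext DROP rule
      has_word "$FW_DEV_INT" ipsec0 ||
          { echo "ipsec0 missing from FW_DEV_INT"; n=$((n+1)); }
      # IKE (udp/500) and ESP/AH (IP proto 50/51) must reach the gateway from ext
      has_word "$FW_SERVICES_EXT_UDP" 500 ||
          { echo "udp/500 (ISAKMP) not in FW_SERVICES_EXT_UDP"; n=$((n+1)); }
      for p in 50 51; do
          has_word "$FW_SERVICES_EXT_IP" "$p" ||
              { echo "IP proto $p not in FW_SERVICES_EXT_IP"; n=$((n+1)); }
      done
      # settings the post had to loosen: report them so they get a second look
      [ "$FW_KERNEL_SECURITY" = "no" ] &&
          { echo "review: FW_KERNEL_SECURITY=no disables rp_filter and the other kernel sysctls"; n=$((n+1)); }
      [ "$FW_ALLOW_CLASS_ROUTING" = "yes" ] &&
          { echo "review: FW_ALLOW_CLASS_ROUTING=yes allows routing between all interface classes"; n=$((n+1)); }
      exit $n )
}

cfg=${TMPDIR:-/tmp}/sfw2_audit.$$
write_sample "$cfg" "eth1 ipsec0"   # the post's configuration
audit_cfg "$cfg"; echo "findings: $?"
rm -f "$cfg"
```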