Mailinglist Archive: opensuse-security (220 mails)

RE: Re: [suse-security] Firewall script
Axel Sintermann <Axel.Sintermann@xxxxxxxxxx> wrote on Nov 27, 2003 3:45 PM:
> Would you mind mentioning what kind of instance this was?
>
Sure.
I needed to terminate Microsoft PPTP VPN on an internal machine running the MS PPTP VPN Server.
The SuSEfirewall2 script allows you to terminate these sessions on the firewall directly with no problem.

My problem was that I needed the MS authentication to occur and, being a firewall, I did not want to run SMB or allow the FW to query the auth to the NT system.

I set up an allow rule for the IP addresses of the various users (simple, because they all had fixed IPs).
Then I installed a little script (pptpproxy) from freshmeat.
(I had a look at this dude's code and it is very neat and clean - ok, so I am no programmer, but it looks pretty good.)

To run the pptpproxy, I configured in /etc/sysconfig/SuSEfirewall2:
[snip]
# Common: ssh smtp domain
FW_SERVICES_EXT_TCP="1721"

## Type: string
# Common: domain syslog
FW_SERVICES_EXT_UDP=""

# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP="gre"
[/snip]

and did the same for FW_SERVICES_DMZ_IP.

This did allow me to run a very neat little app that proxied the connection between interfaces.
(You could use this for any number of protocols; gre = 47.)

> I still don't know how to use the
> iptables -I OUTPUT --match owner --uid-owner foobar [...]
> feature _within_ SuSEfirewall2 (SuSE 8.1).
>
> (No problem to do this separately from SuSEfirewall2; the solution
> is right there above.)

Yup, the real problem was that SuSEfirewall2 did not allow that to be configured. I didn't want (eventually) to use the direct iptables commands, because if I am not available and somebody else has to admin the box, that type of stuff gets forgotten.
Keep it simple and it is supportable by a number of people.

> Hints, anybody?

No more from me, sorry. Anyone else?
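As an added example (not part of the post above, and not SuSEfirewall2's own code), the following script renders the iptables ACCEPT rules that a FW_SERVICES_<ZONE>_{TCP,UDP,IP} setting like the one in the post implies, without applying anything to the kernel. The sysconfig fragment is a constructed copy of the post's settings (plus the FW_SERVICES_DMZ_IP line the post mentions but does not show), embedded inline because the sysconfig file is plain shell syntax and can simply be sourced. The interface-to-zone mapping (eth0/eth1/eth2) and the helper names are assumptions. Note that the PPTP control channel itself is TCP 1723 (RFC 2637); the post opens 1721, presumably for the proxy's listener, and GRE (protocol 47) carries the tunnelled data and has no port at all, which is why it has to go in the _IP variable rather than _TCP.

```shell
#!/bin/sh
# Added example: translate SuSEfirewall2-style service variables into the
# iptables rules they imply. Nothing here touches the running firewall.

# Constructed copy of the sysconfig fragment from the post. The real file
# (/etc/sysconfig/SuSEfirewall2) is shell syntax, so SuSEfirewall2 sources it;
# here the assignments are inlined instead.
FW_SERVICES_EXT_TCP="1721"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP="gre"
FW_SERVICES_DMZ_IP="gre"

# Interface per zone. Assumption for the example; SuSEfirewall2 takes these
# from FW_DEV_EXT / FW_DEV_DMZ / FW_DEV_INT.
zone_iface() {
    case "$1" in
        EXT) echo eth0 ;;
        DMZ) echo eth1 ;;
        INT) echo eth2 ;;
        *)   echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Map the protocol names used in FW_SERVICES_*_IP to the numbers iptables -p
# accepts. GRE is 47, the PPTP data channel; it has no port to filter on.
proto_number() {
    case "$1" in
        gre) echo 47 ;;
        esp) echo 50 ;;
        ah)  echo 51 ;;
        *)   echo "$1" ;;   # already numeric
    esac
}

# Print one ACCEPT rule per line for a zone, read from the
# FW_SERVICES_<ZONE>_TCP / _UDP / _IP variables (unset ones render nothing).
render_zone_rules() {
    zone=$1
    dev=$(zone_iface "$zone") || return 1
    eval tcp=\"\$FW_SERVICES_${zone}_TCP\"
    eval udp=\"\$FW_SERVICES_${zone}_UDP\"
    eval ip=\"\$FW_SERVICES_${zone}_IP\"
    for p in $tcp; do
        echo "iptables -A INPUT -i $dev -p tcp --dport $p -j ACCEPT"
    done
    for p in $udp; do
        echo "iptables -A INPUT -i $dev -p udp --dport $p -j ACCEPT"
    done
    for proto in $ip; do
        echo "iptables -A INPUT -i $dev -p $(proto_number "$proto") -j ACCEPT"
    done
}

# Return 0 if the rendered rules for a zone accept the given traffic:
#   zone_accepts EXT tcp 1721   (TCP/UDP with a port)
#   zone_accepts DMZ gre        (bare IP protocol, name or number)
zone_accepts() {
    zone=$1; proto=$2; port=${3:-}
    if [ -n "$port" ]; then
        render_zone_rules "$zone" | grep -q -- "-p $proto --dport $port "
    else
        render_zone_rules "$zone" | grep -q -- "-p $(proto_number "$proto") -j"
    fi
}

# Show what the post's settings amount to when run directly.
for z in EXT DMZ; do
    printf '# zone %s\n' "$z"
    render_zone_rules "$z"
done
```

Rendering the rules from the sysconfig variables keeps the intent where the next admin will look for it, which is the poster's point about hand-typed iptables commands being forgotten. For rules that have no sysconfig variable at all, such as the owner-match OUTPUT rule asked about above, later SuSEfirewall2 releases provide a custom-rules hook script (/etc/sysconfig/scripts/SuSEfirewall2-custom, enabled through FW_CUSTOMRULES) so that such rules still live inside the firewall configuration rather than in someone's shell history.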

