-----Original Message----- From: Mathias Homann [mailto:admin@eregion.de] Sent: Wednesday, December 10, 2003 3:12 PM To: Administrator Subject: Re: [suse-security] Hints for Frees/WAN on SuSEFirewall2- protected systems?
Am Mittwoch, 10. Dezember 2003 23:59 schrieben Sie:
Hoping I can help I only saw this thread just now. I have two SuSE 8.0 systems running both FreeSwan and a firewall. I dont use the SuSEFirewall however they are all based on IPTables. If you dont mind re-posing your initial question I can try my best to help.
Hi,
i got two suse 8.0 systems. Frees/WAN up and running, as far as i can say. in /var/log/messages i see something that looks like a sucessful handshake, and after that the systems have the proper routing tables. Now, how do i tweak SuSEfirewall2 to make the tunnel actually work?
Subnet behind box1: 192.168.238.0/24 Subnet behind box2: 192.168.237.0/24 Connectivity in both cases: eth0 points to internal net, ipsec0 (via
Ok I snipped the following lines from my firewall script. Note that $INGLEWOOD is the address of the remote server. ## the lines below allow incoming traffic from trusted sources. (ie ## $INGLEWOOD, or 10.0.0.0/24 which is the remote subnet) $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -s $INGLEWOOD -j ACCEPT IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -s 10.0.0.0/24 -j ACCEPT ## this basically allows outgoing traffic to the trusted remote. I always ## log outgoing traffic that has not been explicitly allowed this way I can ## catch services or apps trying to connect to somewhere they shouldn't be $IPTABLES -A OUTPUT -d $INGLEWOOD -j ACCEPT $IPTABLES -A OUTPUT -d 10.0.0.0/24 -j ACCEPT ## this part is very important. If your firewall is masquerading traffic you ## have to tell it not to masquerade traffic outgoing to yrou VPN $IPTABLES -t nat -A POSTROUTING -o $EXTIF ! -d 10.0.0.0/24 -j SNAT --to $EXTIP If I'm not mistaken SuSEFirewall initializes in three parts the second portian having the actual script. You can add these lines directly or define them by variables that can be changed elsewhere. Me personally I always advocate creating yrou own firewall script this way you can control and understand exactly what it does. Hope this helped pppß
which is DSL over eth1) is the tunnel. What do i put where in /etc/sysconfig/SuSEfirewall to make the tunnel work?
bye, MH
-- Die unaufgeforderte Zusendung einer Werbemail an Privatleute verstößt gegen §1 UWG und 823 I BGB (Beschluß des LG Berlin vom 2.8.1998 Az: 16 O 201/98). Jede kommerzielle Nutzung der übermittelten persönlichen Daten sowie deren Weitergabe an Dritte ist ausdrücklich untersagt!
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C