Mailinglist Archive: opensuse-security (394 mails)

RE: [suse-security] Hints for Frees/WAN on SuSEFirewall2-protected systems?
  • From: Administrator <admin@xxxxxxxxxxxxxx>
  • Date: Wed, 10 Dec 2003 15:39:09 -0800
  • Message-id: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAACwMjaagd1hG6pwAGW0qIxsKAAAAQAAAAtq5Bb88I1k6eg+Nfel3bQwEAAAAA@xxxxxxxxxxxxxx>


Ok I snipped the following lines from my firewall script. Note that
$INGLEWOOD is the address of the remote server.


## the lines below allow incoming traffic from trusted sources. (ie
## $INGLEWOOD, or 10.0.0.0/24 which is the remote subnet)
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -s $INGLEWOOD -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -s 10.0.0.0/24 -j ACCEPT

## this basically allows outgoing traffic to the trusted remote. I always
## log outgoing traffic that has not been explicitly allowed; this way I can
## catch services or apps trying to connect to somewhere they shouldn't be
$IPTABLES -A OUTPUT -d $INGLEWOOD -j ACCEPT
$IPTABLES -A OUTPUT -d 10.0.0.0/24 -j ACCEPT

## this part is very important. If your firewall is masquerading traffic
## you have to tell it not to masquerade traffic outgoing to your VPN
$IPTABLES -t nat -A POSTROUTING -o $EXTIF ! -d 10.0.0.0/24 -j SNAT --to $EXTIP

If I'm not mistaken SuSEFirewall initializes in three parts, the second
portion having the actual script. You can add these lines directly or
define them by variables that can be changed elsewhere. Personally, I
always advocate creating your own firewall script; this way you can
control and understand exactly what it does. Hope this helped.

> -----Original Message-----
> From: Mathias Homann [mailto:admin@xxxxxxxxxx]
> Sent: Wednesday, December 10, 2003 3:12 PM
> To: Administrator
> Subject: Re: [suse-security] Hints for Frees/WAN on SuSEFirewall2-
> protected systems?
>
> On Wednesday, 10 December 2003 23:59, you wrote:
> > Hoping I can help; I only saw this thread just now. I have two SuSE 8.0
> > systems running both FreeSwan and a firewall. I don't use the
> > SuSEFirewall; however, they are all based on IPTables. If you don't mind
> > re-posting your initial question I can try my best to help.
>
>
> Hi,
>
>
> I got two SuSE 8.0 systems. Frees/WAN up and running, as far as I can say.
> In /var/log/messages I see something that looks like a successful handshake,
> and after that the systems have the proper routing tables.
> Now, how do I tweak SuSEfirewall2 to make the tunnel actually work?
>
> Subnet behind box1: 192.168.238.0/24
> Subnet behind box2: 192.168.237.0/24
> Connectivity in both cases: eth0 points to internal net, ipsec0 (via ppp0,
> which is DSL over eth1) is the tunnel.
> What do i put where in /etc/sysconfig/SuSEfirewall to make the tunnel
> work?
>
> bye,
>         MH
>
> --
> Unsolicited sending of advertising e-mail to private individuals violates
> §1 UWG and §823 I BGB (ruling of the Landgericht Berlin of 2 August 1998,
> file no. 16 O 201/98). Any commercial use of the transmitted personal data,
> and any disclosure of it to third parties, is expressly prohibited!
>
> gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C

