Mailinglist Archive: opensuse-security (88 mails)

Re: [suse-security] VPN and SuSEfirewall2
  • From: engelbert.gruber@xxxxxxxxx
  • Date: Thu, 27 Apr 2006 14:53:45 +0200 (CEST)
  • Message-id: <Pine.LNX.4.64.0604271440300.6091@xxxxxxxxx>
On Thu, 27 Apr 2006, Ludwig Nussel wrote:

> Jonathan Baxter wrote:
>> On Thursday 27 April 2006 16:42, Ludwig Nussel wrote:
>>> Jonathan Baxter wrote:
>>>> But nothing works from left-to-right; neither the SuSE router box
>>>> itself, nor
>>>
>>> The router itself cannot reach the subnet on the other side if you
>>> use its external IP as source. You'd need a second tunnel for that.
>>
>> I think I understand what you're getting at. If the external IP address is the
>> source address the packets won't get redirected down the tunnel, because the
>> tunnel's source is the internal network.
>>
>> I have explicitly disabled NAT of packets between the two subnets by
>> adding the following line to the fw_custom_before_port_handling() section
>> of /etc/sysconfig/scripts/SuSEfirewall2-custom:
>>
>> iptables -t nat -A POSTROUTING -o eth2 -s -d \! -j MASQUERADE
>>
>> But if I do as Ludwig suggests and set FW_MASQ_NETS="0/0,!"
>> in /etc/sysconfig/SuSEfirewall2 then the firewall drops the packets from altogether;
>> they never make it to the external interface on the SuSE router at all.
>> I get the following in /var/log/firewall:
>>
>>
>> So I guess the left->right packets are not making it down the tunnel, but I am
>> still confused as to why not.....
>
> Me too. I wouldn't be surprised if it is a bug in SuSEfirewall2. You
> are probably the first person that actually uses those features in a
> real world setup :-)

We have firewalls with a Slack-based boot CD and use SFW2 and an IPsec VPN, running for more than a year now ::


No FW_FORWARD_ thing, but simple route entries.

--- Engelbert Gruber -------+
SSG Fintl,Gruber,Lassnig /
A6170 Zirl Innweg 5b /
Tel. ++43-5238-93535 ---+
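An added illustration of the two points argued in the thread, written for this archive page and not code from any of the posters or from SuSEfirewall2: if the nat POSTROUTING chain masquerades traffic that is bound for the remote subnet, the source address is rewritten to the router's external address and no longer matches the IPsec policy selector, so the packet is not tunnelled; and the router's own traffic, which is sourced from the external address, never matches the selector in the first place. The subnets (192.168.1.0/24 on the left, 192.168.2.0/24 on the right), the interface name eth2, the address 203.0.113.10 and the rule ordering are assumed placeholders. The model is deliberately simplified: it applies the NAT rewrite first and then checks the policy selector against the rewritten addresses, which is the decision rule the exclusion rule in the thread relies on, not a reproduction of the kernel's exact netfilter/xfrm hook ordering.

```python
"""Toy model of MASQUERADE versus an IPsec policy selector.

Assumed (hypothetical) addressing, not taken from the thread:
  left LAN   192.168.1.0/24  behind the SuSE router
  right LAN  192.168.2.0/24  behind the remote IPsec peer
  router     external interface eth2, address 203.0.113.10
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LEFT = ip_network("192.168.1.0/24")
RIGHT = ip_network("192.168.2.0/24")
EXT_IF = "eth2"
EXT_IP = ip_address("203.0.113.10")

# Security policy database: traffic from LEFT to RIGHT goes through the tunnel.
# The selector is (source network, destination network).
SPD = [(LEFT, RIGHT)]


@dataclass(frozen=True)
class NatRule:
    """One rule in the nat POSTROUTING chain (subset of iptables matching)."""
    out_iface: str                      # -o
    src: Optional[IPv4Network] = None   # -s
    dst: Optional[IPv4Network] = None   # -d
    dst_negated: bool = False           # ! -d  (match when dst is NOT in the net)
    target: str = "MASQUERADE"

    def matches(self, src, dst, out_iface):
        if out_iface != self.out_iface:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None:
            in_dst = dst in self.dst
            # A plain -d needs in_dst True; a negated ! -d needs in_dst False.
            if in_dst == self.dst_negated:
                return False
        return True


# "Masquerade everything that leaves eth2": the naive default.
NAT_PLAIN = [NatRule(EXT_IF)]

# The thread's custom rule with the assumed subnets filled in:
#   iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
NAT_EXCLUDE_TUNNEL = [NatRule(EXT_IF, src=LEFT, dst=RIGHT, dst_negated=True)]


def nat_postrouting(rules, src, dst, out_iface):
    """Return the source address after the first matching rule, if any."""
    for rule in rules:
        if rule.matches(src, dst, out_iface):
            return EXT_IP if rule.target == "MASQUERADE" else src
    return src


def policy_matches(src, dst):
    """True if some SPD entry's selector covers the (src, dst) pair."""
    return any(src in s and dst in d for s, d in SPD)


def egress(rules, src, dst, out_iface=EXT_IF):
    """Classify how a packet leaves the router under the given nat chain.

    Returns "ipsec"      : source still matches the selector, packet is tunnelled
            "clear-masq" : source was rewritten by MASQUERADE, sent in the clear
            "clear"      : untouched source that matches no policy, sent in the clear
    """
    src, dst = ip_address(src), ip_address(dst)
    nat_src = nat_postrouting(rules, src, dst, out_iface)
    if policy_matches(nat_src, dst):
        return "ipsec"
    return "clear-masq" if nat_src != src else "clear"


if __name__ == "__main__":
    cases = [
        ("plain masq,  LAN host -> right LAN", NAT_PLAIN, "192.168.1.5", "192.168.2.7"),
        ("excl. rule,  LAN host -> right LAN", NAT_EXCLUDE_TUNNEL, "192.168.1.5", "192.168.2.7"),
        ("excl. rule,  LAN host -> Internet", NAT_EXCLUDE_TUNNEL, "192.168.1.5", "198.51.100.9"),
        ("excl. rule,  router (ext IP) -> right LAN", NAT_EXCLUDE_TUNNEL, str(EXT_IP), "192.168.2.7"),
    ]
    for label, rules, s, d in cases:
        print(f"{label:45s} {s:>14s} -> {d:<14s} {egress(rules, s, d)}")
```

The last case is Ludwig's point: nothing in the nat chain touches the router's own packet, but its source is the external address, so the LEFT-to-RIGHT selector does not cover it and it leaves untunnelled; a second policy (or a source address inside LEFT) would be needed for the router itself to reach the far subnet.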
