Mailinglist Archive: opensuse-security (88 mails)

Re: [suse-security] VPN and SuSEfirewall2
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Thu, 27 Apr 2006 11:41:48 +0200
  • Message-id: <20060427094148.GA20733@xxxxxxx>
Jonathan Baxter wrote:
> On Thursday 27 April 2006 16:42, Ludwig Nussel wrote:
> > Jonathan Baxter wrote:
> > > [...]
> > > But nothing works from left-to-right; neither the SuSE router box
> > > itself, nor
> >
> > The router itself cannot reach the subnet on the other side if you
> > use its external IP as source. You'd need a second tunnel for that.
>
> I think I understand what you're getting at. If the external IP address is the
> source address the packets won't get redirected down the tunnel, because the
> tunnel's source is the internal network.

Exactly.

> [...]
> > > I have explicitly disabled NAT of packets between the two subnets by
> > > adding the following line to the fw_custom_before_port_handling() section
> > > of /etc/sysconfig/scripts/SuSEfirewall2-custom:
> > >
> > > iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \!
> > > 192.168.200.0/24 -j MASQUERADE
> >
>
> But if I do as Ludwig suggests and set FW_MASQ_NETS="0/0,!192.168.200.0/24"
> in /etc/sysconfig/SuSEfirewall2 then the firewall drops the packets from
> 192.168.1.2 altogether - they never make it to the external interface on the
> SuSE router at all. I get the following in /var/log/firewall:
>
> SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=192.168.200.2
>
> So I guess the left->right packets are not making it down the tunnel, but I am
> still confused as to why not...

Me too. I wouldn't be surprised if it is a bug in SuSEfirewall2. You
are probably the first person that actually uses those features in a
real world setup :-) Please send me your
/etc/sysconfig/SuSEfirewall2 and the output of "SuSEfirewall2
status".

cu
Ludwig

--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/
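The thread's diagnosis hinges on one /var/log/firewall line of the SuSEfirewall2 log format (SFW2-<chain>-<action>-<rule> followed by IN/OUT/SRC/DST). As an added example that is not part of the original mail or of SuSEfirewall2, the script below parses such lines and reports forwarded packets between the two VPN subnets that the firewall dropped, i.e. tunnel traffic that never left the router. The log lines are constructed samples; the subnet values are the ones from the thread.

```python
import ipaddress
import re

# Constructed sample /var/log/firewall lines in the SFW2 log format quoted in
# the thread. Only the first two describe dropped tunnel traffic.
SAMPLE_LOG = """\
Apr 27 11:30:01 router kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=192.168.200.2 LEN=84 PROTO=ICMP
Apr 27 11:30:02 router kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=192.168.200.2 LEN=60 PROTO=TCP DPT=22
Apr 27 11:30:05 router kernel: SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth2 SRC=192.168.1.7 DST=10.0.0.5 LEN=60 PROTO=TCP DPT=80
Apr 27 11:30:09 router kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=40 PROTO=TCP DPT=445
"""

# SFW2-<chain>-<action>-<rule> IN=<iface> OUT=<iface or empty> SRC=<ip> DST=<ip>
LOG_RE = re.compile(
    r"SFW2-(?P<chain>\w+)-(?P<action>ACC|DROP|REJECT)-(?P<rule>\w+)"
    r"\s+IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
)


def parse_sfw2(text):
    """Yield one dict per SFW2 log line; lines without the prefix are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def vpn_drops(text, left_net, right_net):
    """Return dropped/rejected forwarded packets between the two VPN subnets.

    A hit is traffic that should have gone down the tunnel but was stopped
    by the FORWARD rules on the router (the symptom reported in the thread).
    """
    left = ipaddress.ip_network(left_net)
    right = ipaddress.ip_network(right_net)
    hits = []
    for rec in parse_sfw2(text):
        # Accepted packets and locally-destined ones (empty OUT=) are not forwarded drops.
        if rec["action"] == "ACC" or not rec["out"]:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if (src in left and dst in right) or (src in right and dst in left):
            hits.append((rec["in"], rec["out"], rec["src"], rec["dst"], rec["rule"]))
    return hits


if __name__ == "__main__":
    for hit in vpn_drops(SAMPLE_LOG, "192.168.1.0/24", "192.168.200.0/24"):
        print("dropped tunnel traffic (IN, OUT, SRC, DST, rule):", hit)
```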
