Mailinglist Archive: opensuse-security (20 mails)

[opensuse-security] forwarding tun broadcasts with SuSEfirewall2
  • From: "Hans-Peter Jansen" <hpj@xxxxxxxxx>
  • Date: Tue, 23 Feb 2010 16:58:14 +0100
  • Message-id: <201002231658.16013.hpj@xxxxxxxxx>
Hi,

hopefully I'm allowed to ask about issues concerning tun devices from openvpn
combined with SuSEfirewall2.

I'm trying to connect two cups servers via openvpn. For some reasons (old
firewalls), I want to keep the tun devices rather than adding tap devices,
because of the necessary bridging, for which the infrastructure is missing in
the firewalls.

If I'm not mistaken, it should be possible to forward UDP broadcasts via tun
devices. In fact, I'm able to watch the broadcasts flying by in both
directions if I tcpdump the tun device, but for some reason they're not
appearing on the internal eth port, that is, they are not forwarded into the
local LAN, although I added tun0 to the internal devices, allowed
broadcasts, cross-forwarded the nets to each other, and added the usual
openvpn tun device quirk to scripts/SuSEfirewall2-custom:

FW_DEV_EXT="eth0"
FW_DEV_INT="tun0 eth1"

FW_FORWARD="172.16.23.0/24,172.16.24.0/24 172.16.24.0/24,172.16.23.0/24"

FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="yes"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="yes"

scripts/SuSEfirewall2-custom:
fw_custom_after_antispoofing() {
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
}

Of course, other services do run fine on this vpn including nfs.

What am I missing here?

I experimented with sticking the iptables commands into the other hooks, and
also added these:
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

but obviously my iptables fu is lacking... On google, I couldn't find any
more appealing ideas...

If somebody listening here is able and willing to rescue me from this
silly issue, I would be very grateful.

Thanks,
Pete
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx
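Editor's note on the symptom above, with an added example that is not part of the original post: a datagram whose destination is the broadcast address of a directly connected subnet (here 172.16.24.255) or 255.255.255.255 is treated by the Linux kernel as local delivery. It traverses the INPUT chain and is never routed, so no FORWARD rule, in SuSEfirewall2-custom or anywhere else, will push it out of eth1; that is why it is visible on tun0 with tcpdump but never appears on the LAN side. Over a layer-3 tun link the usual workaround is a small user-space relay that receives the broadcast on one side and re-emits it as a broadcast on the other. The script below does that for 631/udp. Interface names, the two subnets and the addresses given to them are assumptions taken from the configuration quoted in the post; it is Linux-only (SO_BINDTODEVICE), and it only relays datagrams whose source lies in the subnet expected on the receiving interface, so a spoofed or misrouted packet is not amplified onto the other LAN.

```python
#!/usr/bin/env python3
"""Relay UDP broadcasts across a layer-3 tun link (added example, not code
from the original post or from SuSEfirewall2).

Assumed topology, taken from the post's configuration: this host has tun0
towards the VPN (tunnel net 10.8.0.0/24, own address 10.8.0.2), eth1 on
172.16.24.0/24 (own address 172.16.24.1), and the remote LAN is
172.16.23.0/24.  The traffic relayed is CUPS browsing on 631/udp."""
import ipaddress
import select
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PORT = 631  # assumption: CUPS browsing is the broadcast traffic in question


@dataclass(frozen=True)
class Side:
    iface: str                                   # interface this side binds to
    own_ip: str                                  # this host's address on it
    src_nets: Tuple[ipaddress.IPv4Network, ...]  # who may arrive on this side
    to_bcast: str                                # broadcast used when leaving via it


# Assumed addresses; adjust to the real endpoints.
SIDES: Tuple[Side, Side] = (
    Side("tun0", "10.8.0.2",
         (ipaddress.ip_network("172.16.23.0/24"), ipaddress.ip_network("10.8.0.0/24")),
         "172.16.23.255"),
    Side("eth1", "172.16.24.1",
         (ipaddress.ip_network("172.16.24.0/24"),),
         "172.16.24.255"),
)


def plan_relay(in_iface: str, src_ip: str,
               sides: Tuple[Side, Side] = SIDES) -> Optional[Tuple[str, str]]:
    """Decide where a datagram received on in_iface from src_ip is re-sent.

    Returns (out_iface, broadcast_address) or None when the datagram is
    dropped: unknown interface; source is one of our own addresses (the
    kernel loops our own broadcasts back to us, and without this check the
    two sides would ping-pong forever); or source outside the subnet
    expected on that interface (anti-spoofing, so the relay cannot be used
    to amplify arbitrary traffic onto the other LAN)."""
    by_iface = {s.iface: s for s in sides}
    in_side = by_iface.get(in_iface)
    if in_side is None:
        return None
    if any(src_ip == s.own_ip for s in sides):
        return None
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in in_side.src_nets):
        return None
    out_side = next(s for s in sides if s is not in_side)
    return out_side.iface, out_side.to_bcast


def open_sockets(sides: Tuple[Side, Side] = SIDES,
                 port: int = PORT) -> Dict[str, socket.socket]:
    """One UDP socket per side, bound to its interface and to the port."""
    socks: Dict[str, socket.socket] = {}
    for s in sides:
        sk = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        # Share the port with a local cupsd: broadcasts are delivered to
        # every SO_REUSEADDR socket bound to the port (cupsd must set it too).
        sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sk.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        # Only see datagrams that arrived on this interface, send via it.
        sk.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, s.iface.encode())
        sk.bind(("", port))
        socks[s.iface] = sk
    return socks


def serve(sides: Tuple[Side, Side] = SIDES, port: int = PORT) -> None:
    """Relay forever; the re-sent datagram carries this host as source."""
    socks = open_sockets(sides, port)
    iface_of = {sk.fileno(): iface for iface, sk in socks.items()}
    while True:
        ready, _, _ = select.select(list(socks.values()), [], [])
        for sk in ready:
            data, (src_ip, _src_port) = sk.recvfrom(65535)
            plan = plan_relay(iface_of[sk.fileno()], src_ip, sides)
            if plan is None:
                continue
            out_iface, bcast = plan
            socks[out_iface].sendto(data, (bcast, port))


if __name__ == "__main__":
    serve()
```

Run it as root on the VPN endpoint (both endpoints, if printers are to be seen in both directions). Two caveats: the relayed datagram leaves with this host's address as source, which is fine for CUPS because the printer URI travels in the payload, but will confuse any protocol that relies on the IP source; and the SuSEfirewall2 side still has to accept 631/udp on tun0 and eth1 in INPUT, which the posted `fw_custom_after_antispoofing` hook already does for tun+.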
