Mailinglist Archive: opensuse-security (20 mails)

< Previous Next >
Re: [opensuse-security] forwarding tun broadcasts with SuSEfirewall2
  • From: "Hans-Peter Jansen" <hpj@xxxxxxxxx>
  • Date: Fri, 26 Feb 2010 00:22:52 +0100
  • Message-id: <201002260022.52239.hpj@xxxxxxxxx>
On Wednesday 24 February 2010, 08:54:22 Ludwig Nussel wrote:
Hans-Peter Jansen wrote:
If I'm not mistaken, it should be possible to forward UDP broadcasts
via tun devices.

Broadcasts are not fowarded in general as broadcasts are meant for
the local subnet. You need to use bridging if you want multiple
networks to appear as one.
Alternatively, for relaying cups broadcasts only, cupsd.conf has a
BrowseRelay parameter according to the manpage. Maybe that's what
you are looking for.

Hey, how could I miss that one. Indeed, that solved this perfectly.

Many thanks, Ludwig.

Another alternative might be to use DNS service discovery instead of
the custom cups broadcasts.

local LAN, although I added tun0 to the internal devices, allowed
broadcasts, cross forwarded the nets to each other, and added the usual
openvpn tun device quirk to scripts/SuSEfirewall2-custom:
[...]
FW_DEV_INT="tun0 eth1"
[...]
scripts/SuSEfirewall2-custom:
fw_custom_after_antispoofing() {
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
}

What do you mean by 'usual quirk'? I've never heard about that.
You've set tun0 as internal so the above custom rules are not
needed.

http://openvpn.net/index.php/open-source/faq.html#firewall

And by mangling the custom script back and forth, I scrambled it.
Here's the correct, but obviously obsolete version:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

Since I use this for more than seven years now, such contructs survive for
no good reason sometimes..

Before you start understanding things, everything is Whoodoo anyway.

Thanks for clarification.

Yours,
Pete
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security+help@xxxxxxxxxxxx

< Previous Next >
List Navigation