[suse-security] freeswan, VPN, firewall, roadwarrior setup (was: Re: [suse-security] Wanted: SuSEfirewall2 config)
* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 16:57 +0300:
> 1 Suse 8.0, 2 NICs, freeswan VPN. All I want is to use the VPN, have access
> from the remote network to the Samba service installed on the same computer,
> and to access ssh from anywhere. Nothing else. Thanx.
I have SuSE 8.2 as roadwarrior with freeswan + SuSEfirewall2.
The SuSEfirewall2 seems to make a lot of assumptions. It seems
you either live with it, or don't use it :-) For instance,
FW_SERVICE_AUTODETECT="yes" seems to work only if the services
are running locally (otherwise, I couldn't imagine how it should
work).
Please correct me if I'm wrong and give improved examples!
Setup: ipsec0 with 192.168.1.0/24 <-> 192.168.2.0/24. eth1
internal LAN.
1. If you allow something from ext, you have to allow it for
everyone. Set:
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
to allow everyone (!) to access ISAKMP and ESP/AH.
2. Make ipsec0 an internal interface:
FW_DEV_INT="eth1 ipsec0"
3. Try to make it work. I set
FW_PROTECT_FROM_INTERNAL="no"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
(it seems to be assumed that trusted networks are on the
internal interfaces only, because it seems an explicit DROP
rule is created on the external interface)
4. FW_KERNEL_SECURITY="no"
to disable "rp_filter" feature. It seems to be assumed that
you either want many or none of the kernel security features.
5. Because I just have one external interface and no DMZ, I set:
FW_ALLOW_CLASS_ROUTING="yes"
I didn't find a FW_ALLOW_INTERNAL_ROUTING or
FW_ALLOW_TRUSTED_ROUTING.
Finally, the portscan from external looks good so I can live with
it :-)
oki,
Steffen
--
This message was generated by machine,
so it bears neither signature nor seal.
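An added example, not from Steffen's post or from SuSEfirewall2 itself: a small audit script that reads a sysconfig-style SuSEfirewall2 file and reports the settings steps 1-5 above trade security for (ISAKMP and ESP/AH open to any external host, ipsec0 treated as internal, rp_filter and class routing checks disabled). The sample config it writes is constructed from the values in the post; the function names and the temp file path are assumptions.

```shell
#!/bin/sh
# Added example: audit a SuSEfirewall2-style config for the trade-offs
# discussed in the post. Assumes KEY="value" sysconfig syntax.
# Print the (unquoted) value of variable $2 from sysconfig-style file $1;
# the last assignment wins, commented-out lines are ignored.
fw_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Write a constructed sample config (the settings from the post) to path $1.
write_sample_config() {
    cat > "$1" <<'EOF'
## constructed sample: roadwarrior with freeswan, eth1 LAN, ipsec0 tunnel
FW_DEV_INT="eth1 ipsec0"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_PROTECT_FROM_INTERNAL="no"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
FW_KERNEL_SECURITY="no"
FW_ALLOW_CLASS_ROUTING="yes"
EOF
}

# Print one finding per line for the settings that widen exposure.
audit_susefw2() {
    f="$1"
    ext_ip=$(fw_get "$f" FW_SERVICES_EXT_IP)
    ext_udp=$(fw_get "$f" FW_SERVICES_EXT_UDP)
    dev_int=$(fw_get "$f" FW_DEV_INT)
    ksec=$(fw_get "$f" FW_KERNEL_SECURITY)
    routing=$(fw_get "$f" FW_ALLOW_CLASS_ROUTING)
    trusted=$(fw_get "$f" FW_TRUSTED_NETS)
    case " $ext_ip " in *" 50 "*|*" 51 "*)
        echo "INFO: ESP/AH (IP proto 50/51) accepted from any external host" ;;
    esac
    case " $ext_udp " in *" 500 "*)
        echo "INFO: ISAKMP (UDP 500) accepted from any external host" ;;
    esac
    case " $dev_int " in *" ipsec0 "*)
        echo "NOTE: ipsec0 is an internal interface: tunnel peers get LAN-level trust" ;;
    esac
    [ "$ksec" = "no" ] && echo "WARN: FW_KERNEL_SECURITY=no turns off rp_filter and the other kernel checks"
    [ "$routing" = "yes" ] && echo "WARN: FW_ALLOW_CLASS_ROUTING=yes allows forwarding between interface classes"
    [ -z "$trusted" ] && echo "WARN: FW_TRUSTED_NETS is empty"
    return 0
}

# Stand-alone run against the constructed sample (temp path is an assumption).
cfg=$(mktemp) && write_sample_config "$cfg" && audit_susefw2 "$cfg"
```

Point it at a real /etc/sysconfig/SuSEfirewall2 with `audit_susefw2 /etc/sysconfig/SuSEfirewall2` to see which of the post's relaxations are in effect on a host.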