
[suse-security] freeswan, VPN, firewall, roadwarrior setup (was: Re: [suse-security] Wanted: SuSEfirewall2 config)



* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 16:57 +0300:
> 1 Suse 8.0, 2 NICs, freeswan VPN. All I want is to use the VPN, have access
> from the remote network to the Samba service installed on the same computer,
> and to access ssh from anywhere. Nothing else. Thanx.

I have SuSE 8.2 as roadwarrior with freeswan + SuSEfirewall2.

The SuSEfirewall2 seems to make a lot of assumptions. It seems
you either live with it, or don't use it :-) For instance,
FW_SERVICE_AUTODETECT="yes" seems to work only if the services
are running locally (otherwise, I couldn't imagine how it should
work).

Please correct me if I'm wrong and give improved examples!

Setup: ipsec0 with 192.168.1.0/24 <-> 192.168.2.0/24. eth1
internal LAN.

1. If you allow something from ext, you have to allow it for
   everyone. Set:
   FW_SERVICES_EXT_UDP="500"
   FW_SERVICES_EXT_IP="50 51"
   to allow everyone (!) to access ISAKMP and ESP/AH.

2. make ipsec0 an internal interface:
   FW_DEV_INT="eth1 ipsec0"

3. Try to make it work. I set
   FW_PROTECT_FROM_INTERNAL="no"
   FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
   (it seems to be assumed that trusted networks are on the
   internal interfaces only, because it seems an explicit DROP
   rule is created on the external interface)

4. FW_KERNEL_SECURITY="no"
   to disable "rp_filter" feature. It seems to be assumed that
   you either want many or none of the kernel security features.

5. Because I just have one external interface and no DMZ, I set:
   FW_ALLOW_CLASS_ROUTING="yes"
   I didn't find a FW_ALLOW_INTERNAL_ROUTING or
   FW_ALLOW_TRUSTED_ROUTING.

Finally, the portscan from external looks good so I can live with
it :-)

oki,

Steffen

-- 
This message was generated by machine;
it therefore bears neither signature nor seal.
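An audit helper, added here as an example (it is not from the mail above and not part of SuSEfirewall2): it reads a SuSEfirewall2 config and prints one line for each of the settings in Steffen's list that widens exposure, so the trade-off each one makes is visible before the box goes live. The sample config it writes is constructed to mirror the values quoted in the mail; the function names (sample_cfg_file, cfg_get, has_word, audit_cfg, audit_count) are chosen for this example.

```shell
#!/bin/sh
# Constructed sample config with the settings from the mail; written to a
# temp file so the same functions work on a real /etc/sysconfig/SuSEfirewall2.
sample_cfg_file() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 ipsec0"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_PROTECT_FROM_INTERNAL="no"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
FW_KERNEL_SECURITY="no"
FW_ALLOW_CLASS_ROUTING="yes"
EOF
    echo "$f"
}

# cfg_get FILE KEY: value of the last KEY="..." (or KEY=...) line, quotes stripped
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"*\([^\"]*\)\"*[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# has_word LIST WORD: true if WORD is one entry of the space-separated LIST
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# audit_cfg FILE: one finding per line; prints nothing if none of the
# exposure-widening settings from the mail is present
audit_cfg() {
    c=$1
    int=$(cfg_get "$c" FW_DEV_INT)
    if has_word "$(cfg_get "$c" FW_SERVICES_EXT_UDP)" 500 || \
       has_word "$(cfg_get "$c" FW_SERVICES_EXT_IP)" 50; then
        echo "ext: ISAKMP/ESP/AH accepted from any source on FW_DEV_EXT (no per-peer limit)"
    fi
    if has_word "$int" ipsec0 && [ "$(cfg_get "$c" FW_PROTECT_FROM_INTERNAL)" = no ]; then
        echo "int: FW_PROTECT_FROM_INTERNAL=no lets every VPN peer on ipsec0 reach all local services"
    fi
    if [ "$(cfg_get "$c" FW_KERNEL_SECURITY)" = no ]; then
        echo "kernel: FW_KERNEL_SECURITY=no switches off all kernel hardening, not only rp_filter"
    fi
    if [ "$(cfg_get "$c" FW_ALLOW_CLASS_ROUTING)" = yes ]; then
        echo "fwd: FW_ALLOW_CLASS_ROUTING=yes forwards between all internal devices ($int)"
    fi
}

# audit_count FILE: number of findings, handy for a pre-start check
audit_count() { audit_cfg "$1" | grep -c . || : ; }
```

Run `audit_cfg /etc/sysconfig/SuSEfirewall2` on the real file; the sample above yields four findings, a config with FW_PROTECT_FROM_INTERNAL="yes" and FW_KERNEL_SECURITY="yes" and no class routing yields none.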
