
Re: [suse-security] freeswan, VPN, firewall, roadwarrior setup (was: Re: [suse-security] Wanted: SuSEfirewall2 config)



* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 19:34 +0300:
> Thank you very much.
> You were right. The problem was that the ipsec0 interface was in FW_DEV_EXT,
> not in FW_DEV_INT.

I do not know if this is right for you also. In my case, there is
exactly one trusted VPN peer. I don't want to filter anything
between all the LANs, so for me it is right :-)

> I put it there because the SuSEfirewall2 manual says:
> "Also, you need to add ipsec0 to the FW_DEV_EXT variable".
> Will this be a security issue???????

Well, I must admit that I do not understand SuSEfirewall2. I just
saw some EXT/DMZ/INT structure. I do not know if EXT/EXT/INT/INT
or more complex topologies are supported; well, I doubt that for
a desktop Linux system such things are necessary - a script of
its own should be needed anyway.

Well, for 2.0.x and 2.2.x I had my own script. Besides controlling
some general features such as rp_filter and friends, its
configuration file consists of "rules", basically in the form:

#DHCP
input:     any:68          any:67               udp   ACCEPT -i eth0
#NTP (dont try this @home :-))
input:     ntps2-0:123     any:123              udp   ACCEPT
input:     ntps2-1:123     any:123              udp   ACCEPT
input:     ntps2-2:123     any:123              udp   ACCEPT
#some other LAN
forward: 192.168.9.0/24    192.168.101.0/24     all   ACCEPT -b

and so on. I cannot imagine how this can be easily abstracted
except with ACL-style things. Well, and for the guys that have
multiple cascaded firewalls, such as companies, they can buy a
Firewall-on-CD licence for it (I don't know if you need a licence
for every firewall; this can get expensive). I guess it is
supported to configure end-to-end connections, then some tool
calculates which firewalls need which rules, but I don't know. I
never had the time to look at the Firewall on CD and I have not
read so many things about that here.

oki,

Steffen

-- 
This letter was produced by machine,
so it bears neither signature nor seal.
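An added example, not Steffen's script and not part of SuSEfirewall2: it turns rule lines in the format quoted in the message above into iptables commands so their effect can be read off and checked. The column meanings (chain, src:port, dst:port, proto, target, extra flags) and the reading of "-b" as "also add the mirrored rule" are assumptions inferred from the quoted lines.

```python
"""Translate rule lines in the quoted "input: src:port dst:port proto
TARGET [flags]" format into iptables commands (added example; the column
meanings are inferred from the quoted rules, and "-b" is assumed to mean
"emit the mirrored rule as well", as ipchains' bidirectional flag did)."""
import shlex

CHAINS = {"input": "INPUT", "forward": "FORWARD", "output": "OUTPUT"}

# Rule lines constructed after the ones quoted in the message.
RULES = """\
#DHCP
input:     any:68          any:67               udp   ACCEPT -i eth0
#NTP
input:     ntps2-0:123     any:123              udp   ACCEPT
#some other LAN
forward: 192.168.9.0/24    192.168.101.0/24     all   ACCEPT -b
"""

def _endpoint(spec, side):
    """Turn 'host[:port]' into iptables arguments; 'any' means no filter."""
    host, _, port = spec.partition(":")
    args = []
    if host != "any":
        args += ["-s" if side == "src" else "-d", host]
    if port and port != "any":
        args += ["--sport" if side == "src" else "--dport", port]
    return args

def translate_rule(line):
    """Return one or two iptables commands for a single rule line."""
    fields = shlex.split(line)
    chain, src, dst, proto, target = fields[:5]
    extra = fields[5:]
    bidir = "-b" in extra
    extra = [f for f in extra if f != "-b"]
    base = ["iptables", "-A", CHAINS[chain.rstrip(":")]]
    if proto != "all":
        base += ["-p", proto]
    fwd = _endpoint(src, "src") + _endpoint(dst, "dst")
    rev = _endpoint(dst, "src") + _endpoint(src, "dst")
    # Port matches need a protocol; iptables would reject them otherwise.
    if proto == "all" and any(a.startswith("--") for a in fwd):
        raise ValueError("port given with proto 'all': " + line)
    cmds = [" ".join(base + fwd + extra + ["-j", target])]
    if bidir:
        cmds.append(" ".join(base + rev + extra + ["-j", target]))
    return cmds

def translate(text):
    """Translate a whole rule file, skipping blank and '#' comment lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.extend(translate_rule(line))
    return out
```

Running translate(RULES) yields four commands: the two INPUT accepts, and the FORWARD accept in both directions because of "-b".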
