[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [suse-security] freeswan, VPN, firewall, roadwarrior setup (was: Re: [suse-security] Wanted: SuSEfirewall2 config)
* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 19:34 +0300:
> Thank you very much.
> You were right. The problem was that the ipsec0 interface was in FW_DEV_EXT,
> not in FW_DEV_INT.
I do not know if this is right for you also. In my case, there is
exactly one trusted VPN peer. I don't want to filter anything
between all the LANs, so for me it is right :-)
> I put it there because the SuSEfirewall2 manual says:
> "Also, you need to add ipsec0 to the FW_DEV_EXT variable".
> Will this be a security issue???????
Well, I must admit that I do not understand SuSEfirewall2. I just
saw some EXT/DMZ/INT structure. I do not know if EXT/EXT/INT/INT
or more complex topologies are supported, well, I doubt that for
a desktop linux system such things are neccesary - a own script
should be needed anyway.
Well, for 2.0.x and 2.2.x I had an own script. Beside controlling
of some general features such as rp_filter and friends, it's
configuration file consists of "rules", basically in the form:
input: any:68 any:67 udp ACCEPT -i eth0
#NTP (dont try this @home :-))
input: ntps2-0:123 any:123 udp ACCEPT
input: ntps2-1:123 any:123 udp ACCEPT
input: ntps2-2:123 any:123 udp ACCEPT
#some other LAN
forward: 192.168.9.0/24 192.168.101.0/24 all ACCEPT -b
and so on. I cannot imagine how this can be easily abstracted
except with ACL-style things. Well, and for the guys that have
multiple cascaded firewalls, as companies, they can buy a
Firewall-on-cd licence for it (don't know, if you need a licence
for every firewall, this can get expensive). I guess it is
supported to configure end-to-end connections, the some tool
calculates which firewalls need which rules, but I don't know. I
had never the time to look at the firewall on cd and I read not
so many things about that here.
Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here