
Re: [suse-security] SuSEfirewall2 & MS/VPN



Hi,

Edit what package? The Microsoft Windows 2000 server is already running 
pptp/vpn and working fine. All I'm trying to establish is whether it is 
possible to place it behind the firewall and forward the VPN connection to it 
so that the rest of the available ports/connections on the MS Windows 2000 
server machine aren't visible, (i.e. vulnerable), to attack.

If, as has been stated, the forward rule simply does NAT on that particular 
port, 1723, for that particular protocol, TCP, that's all I need, isn't it?

To be clear - I am talking about connections to a permanently connected setup 
from outside - i.e. road warriors.

TIA
Andy


On Friday 25 July 2003 18:14, Sven 'Darkman' Michels wrote:
> Andy Bennett wrote:
> > Hi,
> >
> > No. Briefly, I have come into the middle of a situation where someone
> > else has set up a system for a friend of mine in such a way that his MS
> > VPN box is directly connected to the internet alongside his SuSEfirewall2
> > like this
> >
> >               Internet
> >
> >         Exterior router
> >
> > SuSEfirewall     MS/VPN
> >
> > My first thought was that the guy had gone mad but then it occurred to me
> > that maybe he knows something I don't. In any event I thought I'd ask
> > here first.
> >
> > I thought it should be possible to simply put something like
> >
> > FW_FORWARD="0/0,192.168.1.2,tcp,1723"
> >
> > as Jorn Ott suggested to forward connections directly to the MS VPN
> > machine and let it handle everything but, like I said, am I missing
> > something?
>
> As with ipsec etc. you cannot simply edit the packages (like NAT will
> do). So you cannot forward the connection I would guess. For your setup
> you will need to put the win machine in front of the firewall or setup
> the firewall itself as a PPTP Server (or if you need, as client). For
> PPTP from inside -> outside some masq modules exist (at least for Kernel
> 2.2.x, dunno if it's ported to 2.4 right now). Maybe such a masq module
> would help for your forwarding problem, but I don't think so ;)
>
> HTH,
> Sven


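The forward entry discussed in this thread, checked for what it actually opens toward the VPN host (an added example, not code from the thread or from SuSEfirewall2): PPTP uses the TCP 1723 control channel plus a GRE tunnel (IP protocol 47), so a single tcp/1723 entry covers only the first half, and the checker also lists any other ports the same list exposes on that host. The `src,dst,proto[,port]` field layout is taken from the quoted entry; accepting `gre` or `47` in the protocol field is an assumption.

```python
"""Check a SuSEfirewall2-style forward list for PPTP completeness."""

PPTP_CONTROL = ("tcp", "1723")   # PPTP control channel, the port in the thread
GRE_NAMES = {"gre", "47"}        # PPTP tunnel traffic is GRE (IP protocol 47); assumed spellings


def parse_forward(value):
    """Split space-separated 'src,dst,proto[,port]' entries into dicts.

    The field layout is assumed from the entry quoted in the thread.
    """
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) < 3:
            raise ValueError("malformed forward entry: %r" % entry)
        rules.append({
            "src": fields[0],
            "dst": fields[1],
            "proto": fields[2].lower(),
            "port": fields[3] if len(fields) > 3 else None,
        })
    return rules


def check_pptp(value, vpn_host):
    """Report whether the list forwards both PPTP halves to vpn_host.

    Returns a dict: 'control' (tcp/1723 present), 'gre' (GRE present) and
    'extra' (anything else the list exposes on that host, which the poster
    wanted to keep hidden).
    """
    rules = [r for r in parse_forward(value) if r["dst"] == vpn_host]
    control = any((r["proto"], r["port"]) == PPTP_CONTROL for r in rules)
    gre = any(r["proto"] in GRE_NAMES for r in rules)
    extra = sorted(
        r["proto"] if r["port"] is None else "%s/%s" % (r["proto"], r["port"])
        for r in rules
        if (r["proto"], r["port"]) != PPTP_CONTROL and r["proto"] not in GRE_NAMES
    )
    return {"control": control, "gre": gre, "extra": extra}


if __name__ == "__main__":
    # The entry from the thread: control channel forwarded, GRE not.
    print(check_pptp("0/0,192.168.1.2,tcp,1723", "192.168.1.2"))
    # Constructed completed list: both halves, nothing else exposed.
    print(check_pptp("0/0,192.168.1.2,tcp,1723 0/0,192.168.1.2,gre", "192.168.1.2"))
```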