
Re: [suse-security] SuSEfirewall2 & MS/VPN



Hello,

When you say:-

> 'You can put the M$ box behind
> a suse firewall if you have an official IP for the box, too. Then just
> close all except the PPTP Port and the machine is as safe as in your
> current setup it would be (if it would work ;)'

Do you mean fixed IP address for the SuSEfirewall2 box or the MS VPN box? In 
fact, I have fixed IP addresses for both and they are both publicly 
available. So, if my fixed IP address for my MS VPN machine is 123.456.78.9 
then I should be able to forward packets like so,

FW_FORWARD="0/0,123.456.78.9,tcp,1723"

What I'm trying to achieve is this

      Internet
           |
  Exterior router
           |
SuSEfirewall2 PC  ---- MS VPN box
           |
Internal network

as opposed to

              Internet
                  |
          Exterior router
        |                      |
SuSEfirewall <--> MS/VPN
        |
Internal network

At the moment the MS/VPN machine can be got to directly from the internet...

Rgds
Andy

On Saturday 26 July 2003 02:50, Sven 'Darkman' Michels wrote:
> Andy Bennett wrote:
> > Hi,
> >
> > Edit what package?
>
> TCP Datapacket, not a package like a rpm or so ;)
>
> > The Microsoft Windows 2000 server is already running
> > pptp/vpn and working fine. All I'm trying to establish is whether it is
> > possible to place it behind the firewall and forward the VPN connection
> > to it so that the rest of the available ports/connections on the MS
> > Windows 2000 server machine aren't visible, (i.e. vulnerable), to attack.
>
> I know what you're trying but AFAIK your setup isn't possible. Try to
> establish a PPTP connection from a client BEHIND a gateway to some
> VPN Server, without special modules it *WILL NOT* work. PPTP packets
> must be passed through, not handled like normal, masqueraded, packets.
> If you reverse the setup, you'll see that DNAT is like masquerading
> and so PPTP won't work in your setup. You can put the M$ box behind
> a suse firewall if you have an official IP for the box, too. Then just
> close all except the PPTP Port and the machine is as safe as in your
> current setup it would be (if it would work ;)
>
> > If, as has been stated, the forward rule simply does NAT on that
> > particular port, 1723, for that particular protocol, TCP,  that's all I
> > need isn't it?
>
> it isn't. As I said, afaik you cannot simply NAT PPTP Packets.
>
> > To be clear - I am talking about connections to a permanently connected
> > setup from outside - i.e. road warriors.
>
> I know ;)
>
> so, HTH and good night (sorry for typos.. it's nearly 4 am and I'm
> just back from a party %-)
>
> Sven
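The reason a single port-forward line is not enough, as an added illustration (this is not code from the thread, from Andy or Sven, nor SuSEfirewall2's own rule generator): PPTP consists of a control channel on TCP port 1723 and a data tunnel carried in GRE (IP protocol 47), which has no port numbers at all, so a rule keyed on "tcp,1723" forwards the handshake and then drops every tunnel packet. The script below prints the raw iptables rules for the port-only case next to the complete one, which adds a GRE rule plus the kernel helpers that let connection tracking and NAT follow the GRE call IDs negotiated on 1723. The module names `nf_conntrack_pptp` and `nf_nat_pptp` are those of current kernels; on the 2.4/early-2.6 kernels of 2003 the equivalents were the `ip_conntrack_pptp`/`ip_nat_pptp` add-ons, which is the "special modules" Sven refers to. The external interface `eth0` and the internal VPN host `192.0.2.10` are constructed placeholders; the script only prints the commands, it does not apply them.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2: iptables rules for
# forwarding PPTP to one internal host, shown incomplete and complete.
# Constructed placeholders: external interface eth0, VPN host 192.0.2.10.
VPN_HOST="${VPN_HOST:-192.0.2.10}"
EXT_IF="${EXT_IF:-eth0}"

# Port-only forward: matches the TCP 1723 control channel and nothing else.
# GRE carries no ports, so the tunnel payload never matches these rules.
pptp_rules_port_only() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1723 -j DNAT --to-destination $VPN_HOST
iptables -A FORWARD -i $EXT_IF -d $VPN_HOST -p tcp --dport 1723 -j ACCEPT
EOF
}

# Complete forward: control channel, the GRE tunnel, and the conntrack/NAT
# helpers that tie GRE call IDs to the TCP 1723 session they belong to.
pptp_rules_full() {
    pptp_rules_port_only
    cat <<EOF
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
iptables -t nat -A PREROUTING -i $EXT_IF -p gre -j DNAT --to-destination $VPN_HOST
iptables -A FORWARD -i $EXT_IF -d $VPN_HOST -p gre -j ACCEPT
iptables -A FORWARD -d $VPN_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Audit check: does a rule set forward GRE at all?  Returns 0 when it does.
covers_gre() {
    printf '%s\n' "$1" | grep -q -- '-p gre'
}

# Audit check: does a rule set load the PPTP helper modules?  Returns 0 when it does.
loads_pptp_helper() {
    printf '%s\n' "$1" | grep -q 'nf_nat_pptp'
}

main() {
    echo "# port-only forward (control channel only, tunnel is dropped):"
    pptp_rules_port_only
    echo
    echo "# complete PPTP forward:"
    pptp_rules_full
}

main
```

Read the two rule sets against Sven's point: the first is exactly what a port-based forward gives you, and the second is only possible because the helper modules exist to do the GRE bookkeeping.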

