[suse-security] openvpn and SuSEfirewall
Hello list,
I'm using OpenVPN and SuSEfirewall. OpenVPN is running fine, but my routing
won't work.
My local network (eth0) is 192.168.1.0/24
My tunnel net (tun1) is 192.168.2.0/24
So I'm trying to route between both nets, but for every protocol I get this from the
SuSEfirewall:
SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3
Any ideas what is wrong?
My SuSEfirewall config:
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 tun1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="8890:8893 http https ssh"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="esp"
FW_SERVICES_INT_RPC=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV="ppp0,125"
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="int"
FW_IPSEC_MARK=""
FW_LOG=""
My SuSEfirewall-custom:
fw_custom_before_masq() {
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    true
}
Best regards,
Hans
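As an added example (not part of Hans's post and not SuSEfirewall code), here is a small Python parser for the SFW2 log line format quoted above, together with a check that lists FORWARD-chain drops where both devices are in FW_DEV_INT and both addresses lie in FW_TRUSTED_NETS, which is exactly the kind of entry reported here. The first sample line is the one from the post, the second is constructed for contrast, and the config values are copied from the post.

```python
import ipaddress
import re

# Constructed sample log: line 1 is the entry from the post, line 2 a contrast case
# (an INPUT-chain drop on the external device) that the check must not report.
SAMPLE_LOG = """\
SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3
SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Values taken from the SuSEfirewall config in the post
FW_DEV_INT = "eth0 tun1"
FW_TRUSTED_NETS = "192.168.1.0/24 192.168.2.0/24"

# Prefix layout as seen in the post: SFW2-<chain tag>-<verdict>-<reason>
PREFIX_RE = re.compile(r"^SFW2-(?P<chain>[A-Za-z]+)-(?P<verdict>[A-Z]+)-(?P<reason>\S+)")


def parse_sfw2_line(line):
    """Parse one SFW2 log line into a dict; return None if the prefix does not match.
    Fields are read in order. The IP header ID and the ICMP echo ID both appear as ID=,
    so the first stays 'ID' and repeats become 'ID2', 'ID3', ...; bare flags such as
    DF or SYN are stored with the value True."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            base, n = key, 2
            while key in rec:          # repeated key (e.g. the second ID=)
                key, n = f"{base}{n}", n + 1
            rec[key] = val
        else:
            rec[tok] = True
    return rec


def internal_forward_drops(log_text, fw_dev_int=FW_DEV_INT, fw_trusted_nets=FW_TRUSTED_NETS):
    """Return parsed DROP records from a FWD* chain whose IN and OUT devices are both
    in FW_DEV_INT and whose SRC and DST both fall inside FW_TRUSTED_NETS, i.e. traffic
    the config apparently intends to allow between the LAN and the tunnel."""
    devs = set(fw_dev_int.split())
    nets = [ipaddress.ip_network(n) for n in fw_trusted_nets.split()]
    hits = []
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if not rec or rec["verdict"] != "DROP" or not rec["chain"].startswith("FWD"):
            continue
        if rec.get("IN") in devs and rec.get("OUT") in devs:
            src, dst = ipaddress.ip_address(rec["SRC"]), ipaddress.ip_address(rec["DST"])
            if any(src in n for n in nets) and any(dst in n for n in nets):
                hits.append(rec)
    return hits
```

Running `internal_forward_drops(SAMPLE_LOG)` on the sample reports only the tun1 to eth0 ICMP drop; feeding it /var/log/messages (or wherever SuSEfirewall logs) shows whether the drops are limited to that device pair.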