
Re: [suse-security] openvpn and SuSEfirewall



Hello Hans,

I don't know openvpn, but with FreeS/WAN I had the same troubles.

To get a working tunnel I have modified SuSEfirewall-custom:
iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
iptables -A OUTPUT -j ACCEPT -d 192.168.2.0/24

and the SuSEfirewall:

FW_FORWARD="192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24 
a.a.a.a/32,192.168.1.0/24 a.a.a.a/32,b.b.b.b/32 192.168.1.0/24,a.a.a.a/32"

(a.a.a.a = Gateway1, b.b.b.b = Gateway2).

Try it.

Best regards.

On Thursday, 22 July 2004 22:40, Kaiser, Hans wrote:
> Hello list,
>
> I'm using openvpn and SuSEfirewall. Openvpn is running fine, but my routing
> won't work.
> My local network (eth0) is 192.168.1.0/24
> My tunnel net    (tun1) is 192.168.2.0/24
>
> So I'm trying to route both nets, but I get for every protocol from the
> SuSEfirewall:
> SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250
> LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365
> SEQ=3
>
> Any ideas what is wrong?
>
> My SuSEfirewall config:
>
> My SuSEfirewall:
> FW_QUICKMODE="no"
> FW_DEV_EXT="ppp0"
> FW_DEV_INT="eth0 tun1"
> FW_DEV_DMZ=""
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="8890:8893 http https ssh"
> FW_SERVICES_EXT_UDP="isakmp"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_EXT_RPC=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_DMZ_RPC=""
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
> FW_SERVICES_INT_IP="esp"
> FW_SERVICES_INT_RPC=""
> FW_SERVICES_QUICK_TCP=""
> FW_SERVICES_QUICK_UDP=""
> FW_SERVICES_QUICK_IP=""
> FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="yes"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="yes"
> FW_FORWARD=""
> FW_FORWARD_MASQ=""
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_KERNEL_SECURITY="yes"
> FW_ANTISPOOF="no"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="no"
> FW_ALLOW_FW_TRACEROUTE="yes"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="int"
> FW_IGNORE_FW_BROADCAST="no"
> FW_ALLOW_CLASS_ROUTING="no"
> FW_CUSTOMRULES=""
> FW_REJECT="no"
> FW_HTB_TUNE_DEV="ppp0,125"
> FW_IPv6=""
> FW_IPv6_REJECT_OUTGOING="yes"
> FW_IPSEC_TRUST="int"
> FW_IPSEC_MARK=""
> FW_LOG=""
>
> My SuSEfirewall-custom:
> fw_custom_before_masq() {
>     iptables -A INPUT -i tun+ -j ACCEPT
>     iptables -A FORWARD -i tun+ -j ACCEPT
>     iptables -A INPUT -i tap+ -j ACCEPT
>     iptables -A FORWARD -i tap+ -j ACCEPT
>
>     true
> }
>
> Best regards,
> Hans

-- 
With kind regards
        Andreas
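As an added example (not code from either poster), the following Python checker parses the SFW2-FWDint-DROP log line quoted above and tests whether a given FW_FORWARD value would cover the dropped src/dst pair, and whether the reverse direction is listed too, which is the point of the paired entries in the reply. The FW_FORWARD entry syntax src,dst[,proto[,port]] is assumed from the SuSEfirewall2 configuration format; the sample log line and the two FW_FORWARD values are taken from the thread and embedded as constructed input.

```python
import ipaddress

# The SFW2 drop line quoted in the original post, embedded here as sample input.
SAMPLE_DROP = (
    "SFW2-FWDint-DROP-DEFLT IN=tun1 OUT=eth0 SRC=192.168.2.1 DST=192.168.1.250 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2365 SEQ=3"
)

# Constructed FW_FORWARD values: the empty one from the question and the
# two-net pair from the reply (gateway entries left out for a runnable sample).
FW_FORWARD_ORIGINAL = ""
FW_FORWARD_FIXED = "192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24"


def parse_sfw2_line(line):
    """Split an SFW2 log line into its rule prefix and a dict of KEY=VALUE fields.

    Bare tokens without '=' (such as DF) are collected in the 'flags' list.
    ID appears twice (IP header and ICMP); the first occurrence is kept.
    """
    tokens = line.split()
    if not tokens or not tokens[0].startswith("SFW2-"):
        return None
    fields = {"prefix": tokens[0], "flags": []}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields.setdefault(key, value)
        else:
            fields["flags"].append(tok)
    return fields


def parse_fw_forward(value):
    """Parse space-separated FW_FORWARD entries of the form src,dst[,proto[,port]].

    The optional proto and port fields are assumed from the SuSEfirewall2 syntax;
    only proto is used for matching here.
    """
    entries = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) < 2:
            raise ValueError("FW_FORWARD entry needs at least src,dst: %r" % item)
        entries.append({
            "src": ipaddress.ip_network(parts[0], strict=False),
            "dst": ipaddress.ip_network(parts[1], strict=False),
            "proto": parts[2].lower() if len(parts) > 2 and parts[2] else None,
            "port": parts[3] if len(parts) > 3 else None,
        })
    return entries


def entries_matching(entries, src, dst, proto=None):
    """Return the FW_FORWARD entries that would allow src -> dst for proto."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    proto = proto.lower() if proto else None
    return [e for e in entries
            if src_ip in e["src"] and dst_ip in e["dst"]
            and (e["proto"] is None or proto is None or e["proto"] == proto)]


def explain_forward_drop(line, fw_forward):
    """For a FWDint/FWDext drop line, report whether FW_FORWARD covers the pair.

    'covered' is the logged direction; 'reverse_covered' tells whether traffic
    initiated from the other side (dst -> src) is listed as well.
    """
    fields = parse_sfw2_line(line)
    if fields is None or "FWD" not in fields["prefix"]:
        return None
    entries = parse_fw_forward(fw_forward)
    src, dst, proto = fields["SRC"], fields["DST"], fields.get("PROTO")
    return {
        "in": fields.get("IN"), "out": fields.get("OUT"),
        "src": src, "dst": dst, "proto": proto,
        "covered": bool(entries_matching(entries, src, dst, proto)),
        "reverse_covered": bool(entries_matching(entries, dst, src, proto)),
    }


def one_way_entries(entries):
    """Return entries whose exact reverse pair is missing from FW_FORWARD."""
    pairs = {(str(e["src"]), str(e["dst"])) for e in entries}
    return [e for e in entries if (str(e["dst"]), str(e["src"])) not in pairs]


if __name__ == "__main__":
    for name, value in (("original", FW_FORWARD_ORIGINAL), ("fixed", FW_FORWARD_FIXED)):
        print(name, explain_forward_drop(SAMPLE_DROP, value))
    print("one-way:", one_way_entries(parse_fw_forward("192.168.2.0/24,192.168.1.0/24")))
```

Run against the quoted log line, the empty FW_FORWARD from the question reports the tun1 -> eth0 pair as not covered, while the paired value from the reply covers both directions; a FW_FORWARD with only one of the two pairs is flagged by one_way_entries so the missing direction can be added before the next drop shows up in the log.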

