
Re: [suse-security] openvpn and SuSEfirewall



* Kaiser, Hans; <r_2@xxxxxx> on 23 Jul, 2004 wrote:
> Well it can do the routing if you set the following to yes
> # Do you want to allow routing between interfaces of the same class
> # (e.g. between all internet interfaces, or all internal network
> # interfaces)
> # by default (so without the need setting up FW_FORWARD definitions)?
> #
> # Choice: "yes" or "no", defaults to "no"
> #
> FW_ALLOW_CLASS_ROUTING="no"
>
> Hello,
>
> thanks for the answers!
> Are there any security concerns if setting FW_ALLOW_CLASS_ROUTING="yes" ?

Not that I see (note that this does not mean it does not exist), since it
only allows routing of the packets between the same class, meaning if you
have two devices for FW_DEV_INT then the routing between these two is
allowed, as you can see if you look at the script (around line 1595):

test "$FW_ALLOW_CLASS_ROUTING" = yes && {
    # every ordered pair of distinct internal devices gets a LOG rule
    # (if $LAA enables logging) followed by an ACCEPT rule in forward_int
    for DEV1 in $FW_DEV_INT; do
        for DEV2 in $FW_DEV_INT; do
            test "$DEV1" = "$DEV2" || {
                $LAA $IPTABLES -A forward_int -j LOG ${LOG}"-ACCEPT-CLASS " -i $DEV1 -o $DEV2
                $IPTABLES -A forward_int -j "$ACCEPT" -i $DEV1 -o $DEV2
            }
        done
    done

....

It checks FW_DEV_DMZ and FW_DEV_EXT as well, to see if there is more
than one device in those classes.
Your other alternative is to define FW_FORWARD, where you can define
which ports are allowed to be forwarded to the other network.

Hope this helps
--
Togan Muftuoglu                      |
Unofficial SuSE FAQ Maintainer       |  Please reply to the list;
http://susefaq.sf.net                |  Please don't put me in TO/CC.

		Nisi defectum, haud refiecendum
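Added example, not code from the thread or from SuSEfirewall2 itself: a dry-run shell script that prints (never executes) the iptables commands each of the two options discussed above would generate, so the difference between FW_ALLOW_CLASS_ROUTING="yes" and a port-specific FW_FORWARD list is visible before touching a firewall. Interface names (eth1, tun0), the networks, and the assumption that FW_FORWARD entries take the form source_net,dest_net,protocol,port are constructed for the example; the LOG rule from the real script is left out.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2's own code: a dry-run generator that
# prints (never executes) the iptables commands each option would produce,
# so the width of FW_ALLOW_CLASS_ROUTING="yes" can be compared with FW_FORWARD.

# Constructed sample configuration; interface names and networks are hypothetical.
FW_DEV_INT="eth1 tun0"                 # LAN interface plus the OpenVPN tunnel, both "internal"
FW_ALLOW_CLASS_ROUTING="yes"
# FW_FORWARD entries, assumed here to be in the form source_net,dest_net,protocol,port
FW_FORWARD="10.8.0.0/24,192.168.1.10/32,tcp,22 10.8.0.0/24,192.168.1.10/32,tcp,443"
IPTABLES="iptables"                    # only echoed below, never run

# class_routing_rules: one ACCEPT rule per ordered pair of distinct devices in
# FW_DEV_INT, mirroring the loop quoted from the script. Every protocol and
# port is accepted; the only condition is the input/output device pair.
class_routing_rules() {
    test "$FW_ALLOW_CLASS_ROUTING" = yes || return 0
    for DEV1 in $FW_DEV_INT; do
        for DEV2 in $FW_DEV_INT; do
            test "$DEV1" = "$DEV2" ||
                echo "$IPTABLES -A forward_int -j ACCEPT -i $DEV1 -o $DEV2"
        done
    done
}

# forward_rules: one ACCEPT rule per FW_FORWARD entry, limited to the listed
# source, destination, protocol and port. A malformed entry is reported and
# aborts the run instead of silently producing a wider rule.
forward_rules() {
    for entry in $FW_FORWARD; do
        IFS=, read -r src dst proto port <<EOF
$entry
EOF
        if [ -z "$src" ] || [ -z "$dst" ] || [ -z "$proto" ] || [ -z "$port" ]; then
            echo "malformed FW_FORWARD entry: $entry" >&2
            return 1
        fi
        echo "$IPTABLES -A forward_int -j ACCEPT -s $src -d $dst -p $proto --dport $port"
    done
}

# count_rules: number of rules a generator prints, for a quick comparison
count_rules() {
    "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show both rule sets side by side.
echo "# FW_ALLOW_CLASS_ROUTING=yes gives $(count_rules class_routing_rules) rule(s):"
class_routing_rules
echo "# FW_FORWARD gives $(count_rules forward_rules) rule(s):"
forward_rules
```

With tun0 listed in FW_DEV_INT, the class-routing output is a pair of rules that accept any protocol and any port between the VPN tunnel and the LAN in both directions; the FW_FORWARD output accepts only the two listed ports towards one host. That is the practical difference behind the "any security concerns?" question: class routing makes the firewall a plain router between the two interfaces, while FW_FORWARD keeps the forwarding decision per port.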

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here