Re: [suse-security] openvpn and SuSEfirewall
* Kaiser, Hans; <r_2@xxxxxx> on 23 Jul, 2004 wrote:
Well it can do the routing if you set the following to yes
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network
# interfaces)
# by default (so without the need to set up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
Hello,
thanks for the answers!
Are there any security concerns with setting FW_ALLOW_CLASS_ROUTING="yes"?
Not that I see (note that this does not mean it does not exist), since it
only allows routing of the packets between the same class, meaning if you
have two devices for FW_DEV_INT then the routing between these two is
allowed. If you look at the script (around line 1595):
test "$FW_ALLOW_CLASS_ROUTING" = yes && {
    for DEV1 in $FW_DEV_INT; do
        for DEV2 in $FW_DEV_INT; do
            # for every pair of different internal devices: log, then accept
            # forwarding in that direction (no port or protocol restriction)
            test "$DEV1" = "$DEV2" || {
                $LAA $IPTABLES -A forward_int -j LOG ${LOG}"-ACCEPT-CLASS " -i $DEV1 -o $DEV2
                $IPTABLES -A forward_int -j "$ACCEPT" -i $DEV1 -o $DEV2
            }
        done
....
It also checks FW_DEV_DMZ and FW_DEV_EXT to see if there is more than one
device.
Your other alternative is to define FW_FORWARD, where you can define
which ports are allowed to be forwarded to the other network.
Hope this helps
--
Togan Muftuoglu |
Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
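As an added example (not from the thread and not SuSEfirewall2's own code): a dry run of the class-routing loop Togan quotes, with $IPTABLES replaced by a function that records each rule instead of installing it, so the effect of FW_ALLOW_CLASS_ROUTING="yes" can be audited offline. The interface names are constructed; tun0 stands for an OpenVPN tunnel that has been placed in the internal class next to eth1.

```shell
#!/bin/sh
# Constructed configuration: two devices in the internal class, one of them
# an OpenVPN tunnel (assumption; any two interface names behave the same).
FW_DEV_INT="eth1 tun0"
FW_ALLOW_CLASS_ROUTING="yes"
ACCEPT="ACCEPT"

RULES=""                      # newline-separated record of emitted rules
iptables_dryrun() {           # stand-in for $IPTABLES: record, don't execute
    RULES="${RULES}iptables $*
"
}

# Mirror of the quoted loop: for every ordered pair of distinct devices in
# the class, accept forwarding regardless of protocol or port. Prints the
# rules that the real script would hand to iptables.
class_routing_rules() {
    RULES=""
    test "$FW_ALLOW_CLASS_ROUTING" = yes && {
        for DEV1 in $FW_DEV_INT; do
            for DEV2 in $FW_DEV_INT; do
                test "$DEV1" = "$DEV2" || \
                    iptables_dryrun -A forward_int -j "$ACCEPT" -i "$DEV1" -o "$DEV2"
            done
        done
    }
    printf '%s' "$RULES"
}

# Number of ACCEPT rules the setting generates: n devices give n*(n-1).
count_class_rules() {
    class_routing_rules | grep -c -- '-j ACCEPT'
}

# Return 0 if a packet entering interface $1 and leaving interface $2 would
# match one of the generated rules, 1 otherwise.
would_forward() {
    class_routing_rules | grep -q -- "-i $1 -o $2\$"
}

class_routing_rules
```

For two internal devices this yields two unconditional ACCEPT rules, one per direction, which is why the setting only makes sense when every device in the class is trusted to the same degree.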