
Re: [suse-security] SuSE Firewall 2 and PPTP connections
Vieri Di Paola wrote:
Hi,

I'm running SuSE 9.0 with SuSEfirewall2 and poptop.
I'm trying to connect from a Windows PPTP client to
the Linux box. Connection succeeds (CHAP
authentication OK). However, once connected, I can't
PING to any remote host (neither the Linux server nor
the PCs behind it, on the remote LAN).

I noticed that if I bring SuSEfirewall2 down and I
repeat the latter operation, my Windows client can
ping the Linux server just fine, but won't ping the
hosts behind it probably because forwarding is
disabled (? - not really an expert in this).
So I guess my problem is that I missed something in
the SuSEfirewall2 configuration. Here are my settings:
Linux server eth0 has public WAN IP, eth1 has private
IP 192.168.1.92.
Eth1 links to a switch to which the remote LAN's PCs
are connected (all are within the 192.168.1.0 range).
Server-side connectivity is OK (I can ping to LAN PCs
from within 192.168.1.92).

Yast configuration is as follows:
* IP forwarding enabled
* susefirewall2 config file:
FW_QUICKMODE="no"
FW_DEV_EXT="eth0 ppp0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="pptp http https 137"
FW_SERVICES_EXT_UDP="137 500"
FW_SERVICES_EXT_IP="gre icmp 50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="137"
FW_SERVICES_INT_UDP="137"
FW_SERVICES_INT_IP="gre icmp"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"

From the Windows client I can connect and a fixed IP is
assigned: 192.168.1.101.
If I try to ping the remote 192.168.1.92 Linux server
(for example; or any other PC on the remote LAN) and I
check the Linux server's SYSLOG messages, I get:

kernel: SUSE-FW-DROP-ANTI-SPOOF IN=ppp0 OUT=eth1
SRC=192.168.1.101 DST=192.168.1.92 LEN=78 TTL=127
PROTO=UDP SPT=137 DTP=137 LEN=58

So, pinging the Linux server or any host behind it
(192.168.1.xxx) from the Windows client doesn't give
any response.

Forward TCP 1723 and protocol 47.

SuSEfirewall2 rules:
FW_DEV_EXT="eth-id-00:0c:76:44:e0:48 ppp0"
FW_SERVICES_EXT_TCP="pptp"
FW_SERVICES_EXT_IP="gre"


Greetz

Ray
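As an added example (not part of either message above), a small diagnostic that reads the SUSE-FW-DROP-ANTI-SPOOF line Vieri quoted and names the mismatch behind it: the PPTP client's address 192.168.1.101 lies inside the eth1 subnet, yet the packet arrives on ppp0, which his config lists in FW_DEV_EXT. The interface-to-subnet map, the device sets and the log line are constructed from the thread, and the check assumes the anti-spoof rule drops any source address that belongs to a subnet bound to a different interface than the one the packet came in on.

```python
import ipaddress
import re

# Constructed from the thread: eth1 carries the internal LAN 192.168.1.0/24
# (server 192.168.1.92); eth0 and ppp0 are listed in FW_DEV_EXT.
INTERFACE_NETS = {
    "eth1": ipaddress.ip_network("192.168.1.0/24"),
}
FW_DEV_EXT = {"eth0", "ppp0"}
FW_DEV_INT = {"eth1"}

# Constructed sample, modelled on the kernel line quoted in the thread.
LOG_LINE = (
    "kernel: SUSE-FW-DROP-ANTI-SPOOF IN=ppp0 OUT=eth1 "
    "SRC=192.168.1.101 DST=192.168.1.92 LEN=78 TTL=127 "
    "PROTO=UDP SPT=137 DPT=137 LEN=58"
)

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_fw_log(line):
    """Return (log prefix, dict of KEY=value fields) for a SuSE-FW kernel line."""
    m = re.search(r"(S[uU]SE-FW-[A-Z-]+)\s+(.*)", line)
    if not m:
        return None, {}
    prefix, rest = m.groups()
    return prefix, dict(FIELD_RE.findall(rest))


def explain_antispoof(line):
    """For an anti-spoof drop, report which interface's subnet the source
    address belongs to and which zone the ingress device is configured in.
    Assumption: the rule fires when SRC belongs to a subnet bound to an
    interface other than IN. Returns None for any other log line."""
    prefix, f = parse_fw_log(line)
    if prefix != "SUSE-FW-DROP-ANTI-SPOOF" or "SRC" not in f or "IN" not in f:
        return None
    src = ipaddress.ip_address(f["SRC"])
    ingress = f["IN"]
    for dev, net in INTERFACE_NETS.items():
        if src in net and dev != ingress:
            zone = "external" if ingress in FW_DEV_EXT else "internal"
            return {"src": str(src), "in": ingress, "zone": zone,
                    "belongs_to": dev, "net": str(net)}
    return None


if __name__ == "__main__":
    print(explain_antispoof(LOG_LINE))
```

Run against the sample line it reports that 192.168.1.101 belongs to eth1's subnet but entered through ppp0, an external device; that is the mismatch to resolve in the addressing or the device classification before the ping results mean anything.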
