
Re: [suse-security] SuSE Firewall 2 and PPTP connections



Quoting Vieri Di Paola <vieridipaola@xxxxxxxxx>:

> Hi,
> 
> I'm running SuSE 9.0 with SuSEfirewall2 and poptop.
> I'm trying to connect from a Windows PPTP client to
> the Linux box. Connection succeeds (chap
> authentication ok). However, once connected, I can't
> PING to any remote host (neither the Linux server nor
> the PCs behind it, on the remote LAN).
> 
> I noticed that if I bring SuSEfirewall2 down and I
> repeat the latter operation, my Windows client can
> ping the Linux server just fine, but won't ping the
> hosts behind it probably because forwarding is
> disabled (? - not really an expert in this). 
> 
> So I guess my problem is that I missed something in
> the SuSEfirewall2 configuration. Here are my settings:
> Linux server eth0 has public WAN IP, eth1 has private
> IP 192.168.1.92.
> Eth1 links to a switch to which the remote LAN's PCs
> are connected (all are within the 192.168.1.0 range).
> Server-side connectivity is OK (I can ping to LAN PCs
> from within 192.168.1.92).
> 
> Yast configuration is as follows:
> * IP forwarding enabled
> * susefirewall2 config file:
> FW_QUICKMODE="no"
> FW_DEV_EXT="eth0 ppp0"
> FW_DEV_INT="eth1"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="no"
> FW_SERVICES_EXT_TCP="pptp http https 137"
> FW_SERVICES_EXT_UDP="137 500"
> FW_SERVICES_EXT_IP="gre icmp 50 51"
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="137"
> FW_SERVICES_INT_UDP="137"
> FW_SERVICES_INT_IP="gre icmp"
> FW_SERVICES_QUICK_TCP=""
> FW_SERVICES_QUICK_UDP=""
> FW_SERVICES_QUICK_IP=""
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD=""
> FW_FORWARD_MASQ=""
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG="--log-level warning --log-tcp-options
> --log-ip-option --log-prefix SuSE-FW"
> FW_KERNEL_SECURITY="no"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="yes"
> FW_ALLOW_PING_EXT="yes"
> 
> From Window client I can connect and a fixed IP is
> assigned: 192.168.1.101.

Assign both ends of the ppp link IP addresses in another subnet (192.168.2.0/24).
This makes the routing easier.
You also need to add rules in FW_FORWARD for the traffic you want between LAN
and VPN.
I think you don't need to NAT on ppp0?

> If I try to ping the remote 192.168.1.92 Linux server
> (for example; or any other PC on the remote LAN) and I
> check the Linux server's SYSLOG messages, I get:
> 
> kernel: SUSE-FW-DROP-ANTI-SPOOF IN=ppp0 OUT=eth1
> SRC=192.168.1.101 DST=192.168.1.92 LEN=78 TTL=127
> PROTO=UDP SPT=137 DTP=137 LEN=58
> 
> So, pinging the Linux server or any host behind it
> (192.168.1.xxx) from the Windows client doesn't give
> any response.
> 
> Any suggestions?
> 
> Regards,
> 
> Vieri
> 






-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
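One way to apply the two suggestions in the reply (a separate subnet for the ppp link, plus explicit FW_FORWARD rules, and no masquerading on ppp0), written up as an added example rather than anything posted in the thread. The 192.168.2.0/24 pool, the pptpd.conf path and the assumption that the LAN PCs use 192.168.1.92 as their default gateway are mine; everything else is taken from the configuration quoted above.

```shell
# /etc/sysconfig/SuSEfirewall2 -- only the settings that change relative to
# the configuration quoted in the thread (values are assumptions for illustration)
FW_DEV_EXT="eth0 ppp0"      # ppp0 stays in the external zone, as in the original
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0"          # NAT only on the WAN interface, not on the PPTP link
FW_MASQ_NETS="192.168.1.0/24 192.168.2.0/24"   # LAN and VPN clients going out via eth0

# Forward between the VPN address pool and the LAN in both directions.
# Syntax: source_net,dest_net[,protocol[,port]], space separated.
FW_FORWARD="192.168.2.0/24,192.168.1.0/24 192.168.1.0/24,192.168.2.0/24"

# Services the firewall host itself offers in the external zone (unchanged)
FW_SERVICES_EXT_TCP="pptp http https 137"
FW_SERVICES_EXT_UDP="137 500"
FW_SERVICES_EXT_IP="gre icmp 50 51"

# /etc/pptpd.conf (assumed path) -- give the ppp link addresses outside the LAN:
#   localip  192.168.2.1
#   remoteip 192.168.2.100-110
```

With the pool outside 192.168.1.0/24 a packet arriving on ppp0 from 192.168.2.101 no longer carries an internal-network source address on an external interface, which is what the SUSE-FW-DROP-ANTI-SPOOF entry in the syslog excerpt was reporting. The LAN PCs must have a route back to 192.168.2.0/24 via 192.168.1.92; if 192.168.1.92 is already their default gateway nothing further is needed, otherwise add that route on each PC or on the LAN's gateway. After changing the file, run `rcSuSEfirewall2 restart` and check the syslog again for drops with IN=ppp0 before testing from the Windows client.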