From: Jochen Staerk (jochen.staerk_at_empression.de)
Date: Tue Sep 17 2002 - 04:49:55 CDT

    Hi Michael,

    >>In case someone knows about the Suse 8 / 2.4-kernel firewall2 config, please
    >>answer as well; we might be able to update this.
    >>
    >>
    >Huh????
    >
    Translated: In case you know how to configure Suse 8, I'll get Suse 8
    running on our firewall. ;)

    >>Do I need to apply a kernel patch?
    >>
    >>
    >
    >Yep, download as above. The extra rules come here in SuSEfirewall 2
    >
    Okay, I used the Suse 8 free s/wan since it was in a version that also was
    at the site you mentioned, and installed the free s/wan kernel module
    that Suse provides.

    >FW_DEV_IPSEC="ipsec0"
    >
    >
    Okay, the silly thing is that I don't have such a device in /dev/etc. I
    should probably check my free s/wan configuration?

    >http://www.suse.com/~marc/SuSEfirewall2-2.1.tar.gz
    >
    I checked that and it does seem to be the same 2.1 version that comes
    with Suse 8.

    Line 306 of the executable scans for FW_DEV_IPSEC, but expects a
    "yes" instead of a device?
    echo " $FW_DEV_EXT $FW_DEV_DMZ $FW_DEV_INT " | grep -q ipsec &&
    FW_DEV_IPSEC=yes

    From line 537 it also tests for FW_DEV_IPSEC:
     for i in /proc/sys/net/ipv4/conf/*; do
         echo 0 > $i/accept_redirects 2> /dev/null
         echo 0 > $i/accept_source_route 2> /dev/null
         test -z "$FW_DEV_IPSEC" && echo 1 > $i/rp_filter 2> /dev/null
         echo 0 > $i/mc_forwarding 2> /dev/null
     done

    As to your configuration, you write "extra rules", so I understand that I
    should append them. I just wanted to remark that there do not seem to be
    any defaults for ipsec: rule 19 is about
    # 19.)
    # Allow (or don't) ICMP echo pings on either the firewall or the dmz from
    # the internet? The internet option is for allowing the DMZ and the internal
    # network to ping the internet.
    and Rule 20 is "Allow (or don't) ICMP time-to-live-exceeded to be sent
    from your firewall."

    >Take a look at rule 21. Seems to be one answer on your questions!
    >
    >
    Actually it does, yes, and thanks.

    bye,
     Jochen

    -- 
    Check the headers for your unsubscription address
    For additional commands, e-mail: suse-security-help@suse.com
    Security-related bug reports go to security@suse.de, not here
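The two SuSEfirewall2 2.1 snippets Jochen quotes (the line-306 detection and the line-537 sysctl loop) have a consequence worth seeing end to end: the loop only turns rp_filter on while FW_DEV_IPSEC is empty, so any non-empty value, whether the derived "yes" or a hand-set "ipsec0", leaves reverse-path filtering at the kernel default on every interface, external one included, and nothing checks that the named device exists. The following is an added example, not code from the SuSEfirewall2 script or from the mail; it re-implements the two quoted checks verbatim but points the loop at a scratch directory instead of /proc/sys/net/ipv4/conf, with constructed interface names, so the effect can be observed on any box without touching live sysctls.

```shell
# Added example (not the SuSEfirewall2 script, not code from the original mail).
# Re-implements the two checks quoted from SuSEfirewall2 2.1 against a scratch
# directory standing in for /proc/sys/net/ipv4/conf. Interface names are
# constructed for the demo; variable names match the quoted script.

# Mirror of the line-306 detection: any token containing "ipsec" in the
# external/DMZ/internal device lists forces FW_DEV_IPSEC=yes. Prints the
# resulting FW_DEV_IPSEC value (empty if nothing matched and nothing was preset).
detect_ipsec() {
    FW_DEV_EXT="$1"; FW_DEV_DMZ="$2"; FW_DEV_INT="$3"; FW_DEV_IPSEC="$4"
    echo " $FW_DEV_EXT $FW_DEV_DMZ $FW_DEV_INT " | grep -q ipsec && FW_DEV_IPSEC=yes
    printf '%s\n' "$FW_DEV_IPSEC"
}

# Build a scratch stand-in for /proc/sys/net/ipv4/conf: one subdirectory per
# interface with the kernel-style files, all starting at 0 (constructed data).
make_confdir() {
    d=$(mktemp -d)
    for iface in all default eth0 eth1 ipsec0; do
        mkdir -p "$d/$iface"
        for f in accept_redirects accept_source_route rp_filter mc_forwarding; do
            echo 0 > "$d/$iface/$f"
        done
    done
    printf '%s\n' "$d"
}

# Mirror of the line-537 loop. rp_filter is set to 1 only while FW_DEV_IPSEC is
# empty; "yes" and "ipsec0" are both non-empty and so both skip that line.
# $1 = FW_DEV_IPSEC value, $2 = scratch conf directory.
# Prints "<iface> <rp_filter>" for each interface afterwards.
apply_conf() {
    FW_DEV_IPSEC="$1"; confdir="$2"
    for i in "$confdir"/*; do
        echo 0 > "$i/accept_redirects" 2> /dev/null
        echo 0 > "$i/accept_source_route" 2> /dev/null
        test -z "$FW_DEV_IPSEC" && echo 1 > "$i/rp_filter" 2> /dev/null
        echo 0 > "$i/mc_forwarding" 2> /dev/null
    done
    for i in "$confdir"/*; do
        printf '%s %s\n' "$(basename "$i")" "$(cat "$i/rp_filter")"
    done
}

# Count the interfaces in a scratch conf directory that ended up with rp_filter=1.
count_rp_filter_on() {
    n=0
    for i in "$1"/*; do
        [ "$(cat "$i/rp_filter")" = 1 ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Demo: listing ipsec0 among the external devices makes the script derive
# FW_DEV_IPSEC=yes by itself, and the loop then leaves rp_filter off everywhere.
d=$(make_confdir)
ipsec=$(detect_ipsec "eth0 ipsec0" "" "eth1" "")
echo "FW_DEV_IPSEC derived as: $ipsec"
apply_conf "$ipsec" "$d"
echo "interfaces with rp_filter=1: $(count_rp_filter_on "$d")"
rm -rf "$d"
```

Run it with plain sh. Swapping the first detect_ipsec argument for "eth0" (no ipsec device listed) yields an empty FW_DEV_IPSEC and rp_filter=1 on all five scratch interfaces; presetting the fourth argument to "ipsec0", as suggested in the quoted reply, is indistinguishable from "yes" as far as the rp_filter line is concerned, which answers the "yes versus device" question in the mail: the script only ever tests emptiness.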