Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [suse-security] VPN and SuSEfirewall2
From: Ludwig Nussel (ludwig.nusselsuse.de)
Date: Thu Apr 27 2006 - 04:41:48 CDT
Jonathan Baxter wrote:
> On Thursday 27 April 2006 16:42, Ludwig Nussel wrote:
> > Jonathan Baxter wrote:
> > > [...]
> > > But nothing works from left-to right; neither the SuSE router box
> > > itself, nor
> > The router itself cannot reach the subnet on the other side if you
> > use it's external IP as source. You'd need a second tunnel for that.
> I think I understand what you're getting at. If the external IP address is the
> source address the packets won't get redirected down the tunnel, because the
> tunnel's source is the internal network.
> > > I have explicitly disabled NAT of packets between the two subnets by
> > > adding the following line to the fw_custom_before_port_handling() section
> > > of /etc/sysconfig/scripts/SuSEfirewall2-custom:
> > >
> > > iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \!
> > > 192.168.200.0/24 -j MASQUERADE
> But if I do as Ludwig suggests and set FW_MASQ_NETS="0/0,!192.168.200.0/24"
> in /etc/sysconfig/SuSEfirewall2 then the firewall drops the packets from
> 192.168.1.2 altogether - they never make it to the external interface on the
> SuSE router at all. I get the following in /var/log/firewall:
> SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=192.168.200.2
> So I guess the left->right packets are not making it down the tunnel, but I am
> still confused as to why not.....
Me too. I wouldn't be surprised if it is a bug in SuSEfirewall2. You
are probably the first person that actually uses those features in a
real world setup :-) Please send me your
/etc/sysconfig/SuSEfirewall2 and the output of "SuSEfirewall2
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here