From: naji@home.com_stop_spam.com
Date: Thu Apr 13 2000 - 02:18:23 PDT
Here is where I am thus far:
I am running Mandrake 6.2.13. Mandrake is a variant of RedHat.
I have looked at http://www.freshmeat.net for VPN and have found the
following link:
ftp://kanon.net/pub/jhardin/masquerade/ip_masq_vpn.html#HOWTO
In this link, John Hardin states that we need to patch RedHat with two
different patches in order for the kernel to be able to do VPN Masquerade.
I have downloaded the patches but, given that I have never patched a system
before, I have not been able to apply the patches...
Also, at http://www.ox.compsoc.org.uk/~steve/portforwarding.html, there is a
discussion about port forwarding. In it, the author states that in order to
do port forwarding on a kernel 2.0.*, there is no need for patches. I take it
that these two authors are talking about radically different things...
Needless to say, I find this confusing and difficult but I trust that it
will be rewarding in the end.
Here are the questions that I have as I am trying to piece together a
general strategy to get what I want:
1. Do I need to patch the kernel with Hardin's patches?
1.b If so, what is the proper syntax for the patch command?
2. Do I need to use ipmasqadm to administer port forwarding?
2.b If so, do I have to issue a series of command line ipmasqadm portfw
commands to get the system to forward ports?
2.c Do I have to place those commands in a startup file similar to what we
do with pmfirewall?
3. Once (and if) these changes are made, do I then have to enable the ports
as Mark wrote below?
VPN_SERVER=[VPN Server IP address]
$IPCHAINS -A input -p tcp -s $VPN_SERVER -d $REMOTENET 50 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 50 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p tcp -s $VPN_SERVER -d $REMOTENET 51 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 51 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 500 -i $OUTERIF -j ACCEPT
Any help is once more appreciated.
-----Original Message-----
From: Mark Dalton [mailto:mwd@sgi.com]
Sent: Wednesday, April 12, 2000 2:44 PM
To: pmfirewall@pointman.org
Subject: Re: [pmfirewall] ===>>> Please help with this configuration
There are probably a couple of possibilities. You are using IP Masquerading.
Some of the VPN solutions have a '-n' option, which is the NAT (Network
Address Translation) flag, which I believe tries to go over port 80.
Port 500 is UDP.
Ports 50 & 51 should be both (UDP and TCP).
My guess is it should end up something like this for a conservative site.
VPN_SERVER=[VPN Server IP address]
$IPCHAINS -A input -p tcp -s $VPN_SERVER -d $REMOTENET 50 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 50 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p tcp -s $VPN_SERVER -d $REMOTENET 51 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 51 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -p udp -s $VPN_SERVER -d $REMOTENET 500 -i $OUTERIF -j ACCEPT
Or for the more liberal..
$IPCHAINS -A input -i eth0 -s $VPN_SERVER -d 0/0 -j ACCEPT
$IPCHAINS -A output -i eth0 -s 0/0 -d $VPN_SERVER -j ACCEPT
$IPCHAINS -A input -i eth1 -s $VPN_SERVER -d 0/0 -j ACCEPT
$IPCHAINS -A output -i eth1 -s 0/0 -d $VPN_SERVER -j ACCEPT
I need to think about it more, but perhaps this will get some ideas started.
I did not need to tweak the 'kernel', but we are using VPN from Compatible
Systems (now owned by Cisco), which does have its own module that is loaded
into the kernel.
Which VPN solution are you using?
- Some proprietary version?
- The open linux solutions?
Also this is assuming that you do not have another firewall between you and
the server (besides the firewalls you control), some ISPs have their own
firewall (which I ran into for one of my home ISPs).
Mark
>
> I am using a tunneling software to access my company's intranet from my
> home's network. I am running ipchains configured with pmfirewall (1.1.2) and
> all access will take place from an NT machine on my home's network.
>
> Specifically, assume that
> -The NT machine is (right now) at IP 198.162.1.2
> -The server running linux has two nics: eth1 is at say 111.111.111.111
> and eth1 at 192.168.1.1.
> -The NT machine gets its IP via dhcpd on the 198.162.1 segment and
> finally,
> -The gateway to my company's intranet is at fixed IP address, say
> 555.555.555.555
>
> The tunneling software needs:
> 1. port UDP 500 not be redirected
> 2. IPSEC Type 50 and 51 not be filtered. Note that IPSEC Type 50 and 51
> are also known as AAgent ESP
> (at least that's what I have been told)
>
> Given the above details, I suspect I need to add to pmfirewall.
>
> $IPCHAINS -A input -s 555.555.555.555 -d $OUTERNET 500 -j ACCEPT
> to allow the 555.555.555.555 machine to talk to my network, but
>
> 1. how do I make sure that the packets are not redirected, and
> 2. how do I configure pmfirewall to allow those IPSEC ports without
> filtering them?
>
> Thanks for any help you may have on this.
>
> Naji.
>
> ****************************************************************************
> * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> * in the message body to majordomo@pointman.org. Please direct other
> * questions, comments, or problems to pmfirewall-owner@pointman.org.
--
Mark Dalton
Cray Research (SGI)
Eagan, MN 55121
mwd@sgi.com
My home page: http://www.cbc.umn.edu/~mwd/mwd.html
Cell Biology: http://www.cbc.umn.edu/~mwd/cell.html
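Added example for the rule set discussed above; this is editor's code, not a script from the thread or from pmfirewall. It assumes a 2.2-era ipchains host, an outer interface name, and constructed sample addresses (203.0.113.5 for the VPN peer, 198.51.100.2 for the firewall's own outer address). ESP and AH are IP protocols 50 and 51 rather than TCP/UDP ports, so they are matched with -p 50 and -p 51; only IKE is a UDP port (500). The block prints the rules for review by default and includes a small check that flags any rule using a 0/0 wildcard, which is what turns a peer-specific allow into a blanket one.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or pmfirewall): build the
# ipchains rules that let one IPsec peer talk to the firewall host itself.
# ESP and AH are IP protocol numbers 50 and 51 (matched with -p 50 / -p 51),
# not TCP/UDP ports; IKE is UDP port 500. Addresses, the interface name and
# the variable names are assumptions.

IPCHAINS=${IPCHAINS:-ipchains}
DRY_RUN=${DRY_RUN:-1}   # 1 = print each rule instead of executing it

# run: print the rule when DRY_RUN=1 so the whole set can be reviewed first
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipsec_peer_rules VPN_SERVER OUTERIF OUTERIP
# Admits ESP, AH and IKE only between the named peer and the firewall's own
# outer address on the outer interface; nothing else is opened.
ipsec_peer_rules() {
    vpn=$1; ifc=$2; me=$3
    # inbound from the peer
    run "$IPCHAINS" -A input -i "$ifc" -p 50 -s "$vpn" -d "$me" -j ACCEPT
    run "$IPCHAINS" -A input -i "$ifc" -p 51 -s "$vpn" -d "$me" -j ACCEPT
    run "$IPCHAINS" -A input -i "$ifc" -p udp -s "$vpn" 500 -d "$me" 500 -j ACCEPT
    # outbound to the peer
    run "$IPCHAINS" -A output -i "$ifc" -p 50 -s "$me" -d "$vpn" -j ACCEPT
    run "$IPCHAINS" -A output -i "$ifc" -p 51 -s "$me" -d "$vpn" -j ACCEPT
    run "$IPCHAINS" -A output -i "$ifc" -p udp -s "$me" 500 -d "$vpn" 500 -j ACCEPT
}

# broad_rules: read generated rules on stdin and count those that use a 0/0
# wildcard for source or destination, i.e. rules that open far more than the peer.
broad_rules() {
    grep -c -e ' -s 0/0' -e ' -d 0/0' || true
}

# Print the rule set for the constructed sample addresses and check it.
if [ "${1:-}" = "demo" ]; then
    ipsec_peer_rules 203.0.113.5 eth0 198.51.100.2
    echo "broad rules: $(ipsec_peer_rules 203.0.113.5 eth0 198.51.100.2 | broad_rules)"
fi
```

Run it as `sh script.sh demo` to see the six rules; set DRY_RUN=0 to load them. These rules only cover IPsec that terminates on the firewall host itself; carrying ESP for a masqueraded host behind it is the separate problem that the VPN Masquerade HOWTO cited at the top of the thread addresses. The "liberal" variant with -d 0/0 and -s 0/0 is exactly what broad_rules reports, since such rules accept every protocol and port from that peer rather than the three an IPsec tunnel needs.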
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:34:29 PDT