Charles:

I'm running Eigerstein.  I want to switch over to Dachstein at some point.
I want to have a firewall that Masquerades public IPs but does not Masquerade
IPSec (VPN).
I thought this couldn't be done based on previous postings.
This posting implies (I think) that the restrictions apply only within IPSec
(VPN).
Is this true?

192.168.2.0/24 -- LRP -- Pub IPs ------- Pub IPs - LRP - 192.168.3.0/24
                                         Pub IPs - LRP - 192.168.4.0/24

Can Dachstein route between the 192.168.*.* and masquerade for everything else?
I actually want to have four separate sites use LRP, all having VPN access
to/from 192.168.2.0/24. Two sites also need to provide server port forwarding.

Thanks,
Glenn


Charles Steinkuehler wrote:

> > I had your Eiger Stein & IPSEC running great for some time now it looks
> like
> > I need Dachstein.
> >
> > Do you have an image that is setup to pass IPSEC or do I have to patch in
> > those modules and rules again.
>
> You're in luck.  The Dachstein kernels come pre-patched for VPN-Masquerade,
> so all you have to do is load the modules, and open a couple ports to get
> IPSec masquerading working.
>
> > Also Is my work with EigerStein to get this to work fully transportable to
> > DachStein?
>
> Yes.  While the firewall scripts have been updated, and extensively modified
> (mainly to support new DMZ features), the new scripts are extensions of the
> previous ones.  I usually merge previous network.conf settings manually.
> NOTE:  I typically mount my old floppy (or config disk) once I've booted a
> fresh Dachstein disk, and uncompress the old filesystem into /tmp, so I can
> copy/edit/compare files.  Just "gunzip <pkg.lrp | tar -xv" in /tmp.
>
> WARNING:  If you want to use the bootable CD version, it contains a kernel
> that supports IPSec running on the firewall...this kernel will *NOT*
> masquerade IPSec VPN connections (sadly, you can either masquerade IPSec, or
> run IPSec on the firewall, but the same kernel won't support both).  If you
> want, I can make an ISO with a kernel that will masquerade IPSec
> connections...let me know.
>
> Final note:  You don't really have to upgrade, if you don't want to.  You
> can add some custom forwarding rules to /etc/ipfilter.conf to block the
> traffic filling up your logs, or merge in a few features from the newer
> scripts, like support for SILENT_DENY, or support for the
> /etc/ipchains.forward file (where you can specify your own forward rules).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
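One way to express the split Glenn asks about, as an added example that is not from the thread or from the LRP firewall scripts: ipchains forward rules that pass the configured 192.168.x site subnets through untouched and masquerade everything else. The interface name eth0 and the roles of the three subnets are assumptions; the function that emits the rules stands in for the /etc/ipchains.forward file Charles mentions.

```shell
#!/bin/sh
# Added example, not from the thread or the LRP firewall scripts.
# Assumed layout: this LRP box fronts 192.168.2.0/24 on its LAN side and
# reaches the Internet through eth0; 192.168.3.0/24 and 192.168.4.0/24 are
# the remote VPN sites. forward_rules prints the ipchains commands that would
# go in /etc/ipchains.forward, so they can be reviewed without root.

LAN_NET=192.168.2.0/24
VPN_NETS="192.168.3.0/24 192.168.4.0/24"
EXT_IF=eth0

# Emit the forward-chain rules in load order. ipchains stops at the first
# matching rule, so the plain ACCEPTs for site-to-site traffic must come
# before the catch-all MASQ or the VPN subnets would be rewritten too.
forward_rules() {
    for net in $VPN_NETS; do
        # Site-to-site traffic keeps its real 192.168.x source address.
        echo "ipchains -A forward -s $LAN_NET -d $net -j ACCEPT"
        echo "ipchains -A forward -s $net -d $LAN_NET -j ACCEPT"
    done
    # Everything else leaving the LAN via the external interface is
    # masqueraded (on the forward chain, -i names the outgoing interface).
    echo "ipchains -A forward -s $LAN_NET -i $EXT_IF -j MASQ"
    # Nothing else is forwarded; DENY drops without an ICMP error.
    echo "ipchains -P forward DENY"
}

# Report how a packet from the LAN to destination $1 would be treated by the
# rules above, walking them first-match like ipchains does: ACCEPT for a VPN
# peer, MASQ for any other destination (including a 192.168.x net that is
# not a configured site). Only /24 prefixes are compared, which is all this
# example needs.
lan_to_dst_target() {
    dst_prefix=${1%.*}             # 192.168.3.7 -> 192.168.3
    for net in $VPN_NETS; do
        net_prefix=${net%.*/*}     # 192.168.3.0/24 -> 192.168.3
        if [ "$dst_prefix" = "$net_prefix" ]; then
            echo ACCEPT
            return 0
        fi
    done
    echo MASQ
}

# Show the rule set and a few sample decisions when run directly.
forward_rules
for dst in 192.168.3.7 192.168.4.200 198.51.100.9 192.168.5.1; do
    echo "$dst -> $(lan_to_dst_target $dst)"
done
```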

