I simply use the following in the scripts which allows for both outbound and/or inbound VPNs through several Dachstein Firewalls:

Firstly in network.conf add

    #INTERN_SSH_SERVER=192.168.1.1   # Internal SSH server to make available
    #EXTERN_SSH_PORT=24              # External port to use for internal SSH access
    INTERN_VPN_SERVER=192.168.2.10   # Internal VPN server to make available
    EXTERN_VPN_PORT=1723             # External port to use for internal VPN access

then in ipfilter.conf (I usually add this after the ssh section again)

    if [ -n "$INTERN_VPN_SERVER" ] ; then
        if [ -n "$EXTERN_VPN_PORT" ] ; then
            $IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_VPN_PORT \
                -R $INTERN_VPN_SERVER vpn
        else
            $IPMASQADM portfw -a -P tcp -L $EXTERN_IP vpn \
                -R $INTERN_VPN_SERVER vpn
        fi
        ipfwd --masq $INTERN_VPN_SERVER 47 &
    fi

I have several firewalls using this method and all are working well. If an internal VPN Server is not defined, I only open the input chain for protocol 47 in network.conf and have had no problems yet.

Andrew Gray

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chad Carr
Sent: Fri, 26 Apr 2002 13:47 PM
To: Morgan Reed
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN behind Dachstein

On Thu, 25 Apr 2002 23:09:38 -0400 "Morgan Reed" <[EMAIL PROTECTED]> wrote:

> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets
> through, I attempted to manually set the IPCHAINS rules just to do a
> quick test, and this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.

This ipchains rule should not specify port 1723. Ports are not a part of the GRE header, so they cannot be specified as targets for ipchains. The rule should read:

    ipchains -A input -p 47 -j ACCEPT

To be absolutely minimal about it. If no source or destination address is given, the default is everything.

HTH,
Chad

p.s. take a look at http://www.protocols.com/pbook/tcpip3-1.htm and http://www.protocols.com/pbook/tcpip.htm#TCP for more details on this. This is pretty heavy stuff if you're not used to it, but it tells you what is in the headers of the packets you are trying to filter. It is invaluable if you want to really know what you can do with ipchains.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
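Chad's point above, that the GRE header carries no port pair, as an added example that is not part of the original thread: a small Python decoder for the GRE header layout that PPTP data packets use (RFC 1701 base fields plus the RFC 2637 extensions), showing which fields a filter on IP protocol 47 can actually see. The header bytes are constructed for illustration.

```python
import struct

# Constructed sample: a PPTP data-channel GRE header per RFC 2637
# ("enhanced GRE"): flags 0x3001 = K and S bits set, version 1;
# protocol type 0x880B (PPP); payload length 60; call ID 42; seq 7.
SAMPLE_PPTP_GRE = struct.pack("!HHHHI", 0x3001, 0x880B, 60, 42, 7)

PPTP_PROTO_TYPE = 0x880B  # GRE protocol type carrying PPP for PPTP


def parse_gre(buf: bytes) -> dict:
    """Decode a GRE header (RFC 1701 base layout, RFC 2637 PPTP extensions)
    and return the fields a packet filter could match on. None of them is a
    port: protocol 47 demultiplexes by protocol type and, for PPTP, by call
    ID, which is why ipchains rejects a port spec together with -p 47."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", buf, 0)
    has_chk = bool(flags & 0xC000)   # C or R bit: checksum+offset word present
    has_key = bool(flags & 0x2000)   # K bit
    has_seq = bool(flags & 0x1000)   # S bit
    has_ack = bool(flags & 0x0080) and proto == PPTP_PROTO_TYPE  # A bit, PPTP only
    need = 4 + 4 * (has_chk + has_key + has_seq + has_ack)
    if len(buf) < need:
        raise ValueError("truncated GRE header")
    hdr = {"protocol_type": proto, "version": flags & 0x0007}
    off = 4
    if has_chk:  # routing entries that may follow when R is set are not decoded
        hdr["checksum"], hdr["offset"] = struct.unpack_from("!HH", buf, off)
        off += 4
    if has_key:
        if proto == PPTP_PROTO_TYPE:
            # RFC 2637 splits the 32-bit Key into payload length and call ID;
            # the call ID is the only per-tunnel identifier a filter can use.
            hdr["payload_length"], hdr["call_id"] = struct.unpack_from("!HH", buf, off)
        else:
            hdr["key"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if has_seq:
        hdr["sequence"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if has_ack:
        hdr["ack"] = struct.unpack_from("!I", buf, off)[0]
        off += 4
    hdr["header_length"] = off
    return hdr
```

A stateful PPTP helper has to track the call ID from the TCP/1723 control channel to match GRE packets to a tunnel; a stateless `-p 47` rule, as Chad says, can only match on addresses and the protocol number.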