[EMAIL PROTECTED] wrote:

All,
# uname -a
Linux firewall 2.2.19-3-LEAF-RAID #4 Sat Dec 1 17:27:59 CST 2001 i386 unknown


# ip addr show
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
link/ether fe:fd:0b:00:29:7c brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:d6:e2:04 brd ff:ff:ff:ff:ff:ff
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:cc:d6:e2:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
10: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 10
link/ppp
inet 68.165.41.211 peer 172.31.255.248/32 scope global ppp0


# ip route show
172.31.255.248 dev ppp0  proto kernel  scope link  src 68.165.41.211
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 172.31.255.248 dev ppp0

I am running dachstein 1.0.2 from CD. I have a dynamically assigned address.


I think I have the following correct to open my firewall up to my 3 external VPN servers, but I wanted to check.
Question 1: Can I substitute $EX_IP for 0/0 below?
Question 2: Can I substitute $EXTERN_IF for eth0 below?
excerpt from ipfilter.conf...
#
# Set up port forwards for internal services
#
# Insert VPN rules
$IPCH -I forward -i eth0 -p udp -s 192.168.1.0/24 500 -d 129.188.107.110/32 500
$IPCH -I forward -i eth0 -p udp -s 192.168.1.0/24 500 -d 136.182.12.98/32 500
$IPCH -I forward -i eth0 -p udp -s 192.168.1.0/24 500 -d 144.189.26.1/32 500



$IPCH -I output -i eth0 -p udp -s 0/0 500 -d 129.188.107.110/32 500 -j ACCEPT
$IPCH -I output -i eth0 -p udp -s 0/0 500 -d 136.182.12.98/32 500 -j ACCEPT
$IPCH -I output -i eth0 -p udp -s 0/0 500 -d 144.189.26.1/32 500 -j ACCEPT



$IPCH -I input -i eth0 -p udp -s 129.188.107.110/32 500 -d 0/0 500 -j ACCEPT
$IPCH -I input -i eth0 -p udp -s 136.182.12.98/32 500 -d 0/0 500 -j ACCEPT
$IPCH -I input -i eth0 -p udp -s 144.189.26.1/32 500 -d 0/0 500 -j ACCEPT



# Open up GRE port
$IPCH -I forward -i eth0 -p 50 -j MASQ -s 192.168.1.0/24 -d 129.188.107.110/32
$IPCH -I forward -i eth0 -p 50 -j MASQ -s 192.168.1.0/24 -d 136.182.12.98/32
$IPCH -I forward -i eth0 -p 50 -j MASQ -s 192.168.1.0/24 -d 144.189.26.1/32



$IPCH -I output -i eth0 -p 50 -j ACCEPT -s 0/0 -d 129.188.107.110/32
$IPCH -I output -i eth0 -p 50 -j ACCEPT -s 0/0 -d 136.182.12.98/32
$IPCH -I output -i eth0 -p 50 -j ACCEPT -s 0/0 -d 144.189.26.1/32


$IPCH -I input -i eth0 -p 50 -j ACCEPT -s 129.188.107.110/32 -d 0/0
$IPCH -I input -i eth0 -p 50 -j ACCEPT -s 136.182.12.98/32 -d 0/0
$IPCH -I input -i eth0 -p 50 -j ACCEPT -s 144.189.26.1/32 -d 0/0
# End of changes
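As an added illustration (not part of the original post and not Dachstein/LEAF tooling), a small Python check that parses rules in the form posted above and reports what a reviewer would ask about: rules with no `-j` target, rules whose `-i` interface differs from the interface carrying the default route in the posted `ip route` output (ppp0), and input/output rules using a 0/0 wildcard where the firewall's own address is known. The rule text, interface name and address are copied from the post; the checker and its findings are assumptions of this example.

```python
# Constructed from the post: the interface and address that carry the default
# route in the "ip route" / "ip addr" output, and a subset of the posted rules.
EXTERNAL_IF = "ppp0"
EXTERNAL_IP = "68.165.41.211"
RULES = """\
$IPCH -I forward -i eth0 -p udp -s 192.168.1.0/24 500 -d 129.188.107.110/32 500
$IPCH -I output -i eth0 -p udp -s 0/0 500 -d 129.188.107.110/32 500 -j ACCEPT
$IPCH -I input -i eth0 -p udp -s 129.188.107.110/32 500 -d 0/0 500 -j ACCEPT
$IPCH -I forward -i eth0 -p 50 -j MASQ -s 192.168.1.0/24 -d 129.188.107.110/32
$IPCH -I input -i eth0 -p 50 -j ACCEPT -s 129.188.107.110/32 -d 0/0
"""

def parse_rule(line):
    """Minimal ipchains option parser: returns (chain, {option: value})."""
    toks = line.split()
    chain, opts = None, {}
    i = 1  # skip the $IPCH command word
    while i < len(toks):
        t = toks[i]
        if t in ("-I", "-A"):
            chain, i = toks[i + 1], i + 2
        elif t in ("-i", "-p", "-j"):
            opts[t], i = toks[i + 1], i + 2
        elif t in ("-s", "-d"):
            # ipchains lets an optional port follow the address for tcp/udp
            nxt = toks[i + 2] if i + 2 < len(toks) else ""
            port = nxt if nxt.isdigit() else None
            opts[t], i = (toks[i + 1], port), i + (3 if port else 2)
        else:
            i += 1
    return chain, opts

def lint(rules_text, ext_if, ext_ip):
    """Return (rule, finding) pairs for rules a reviewer would question."""
    findings = []
    for line in rules_text.splitlines():
        chain, o = parse_rule(line)
        if "-j" not in o:
            findings.append((line, "no -j target: ipchains only counts the match, it does not ACCEPT"))
        if "-i" in o and o["-i"] != ext_if:
            findings.append((line, f"-i {o['-i']}, but the default route leaves via {ext_if}"))
        if chain in ("input", "output"):
            for side in ("-s", "-d"):
                if o.get(side, ("", None))[0] == "0/0":
                    findings.append((line, f"{side} 0/0 is wider than the firewall's own address {ext_ip}"))
    return findings

if __name__ == "__main__":
    for rule, msg in lint(RULES, EXTERNAL_IF, EXTERNAL_IP):
        print(f"{msg}\n    {rule}")
```

Running it against the posted rules reports the three forward rules for UDP 500 as having no target, every rule as bound to eth0 rather than ppp0, and the 0/0 wildcards in the input and output rules.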