[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: system-config-firewall picking up slack where firestarter fell off



On 06/12/2009 04:54 PM, Adam Miller wrote:
I've retired firestarter. I picked it up recently as it was orphaned,
but as we are moving towards PolicyKit and there's no upstream to
assist with the port, and after a discussion we had here on the list, I
decided it was time to retire it.

Now, with that being said, I have some users on the firestarter-users
mailing list who have some features they would like to request, and I
wanted to pose a couple of questions here with respect to their requests
and find out if others feel that these requests are feasible and/or
are even in the scope of system-config-firewall.

1) Cisco VPN
I don't use this myself, but I was told it just needs these rules, so I
don't see a big issue here ($IPT is the iptables binary, $IF the external
interface, $INIF the internal interface):
# IKE (ISAKMP) on 500/udp and 500/tcp
$IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ESP (IP protocol 50) in both directions
$IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

This is more or less standard IPsec: port 500/udp is used for IKE and protocol 50 is ESP. I have never seen 500/tcp used, but I think Cisco's client can use it; openswan for sure does not use TCP. The only problem is that Cisco's VPN client can use _any_ port for communication; it depends solely on the way the VPN concentrator is configured. In the company I work for, the client is configured to use a high port, and we can switch between TCP and UDP at will. What I want to say here is that blindly adding port 500 "because we know it's used" might lead to unpleasant surprises (as in "we added the rule but the client does not work").

2) Auto setup of "Internet Sharing", so autoconfig of dhcpd and
providing a bridge between WAN and LAN. This is one that I'm not
entirely sure is really in the scope of system-config-firewall
and might need to be its own utility.
Not sure what to say here. A tool to do that would be nice, but I do not think that s-c-f is _that_ tool either.
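To illustrate the point made about the Cisco client in the reply above, here is an added example (not code from this thread, from firestarter, or from system-config-firewall) that generates the FORWARD rules from the quoted message but takes the IKE port and transport(s) as parameters instead of hardcoding 500/udp, since the concentrator may be configured for any port and for TCP or UDP. ESP (IP protocol 50) has no port and is always added in both directions. The variable names $IPT, $IF and $INIF and the rule directions follow the quoted rules; the default interface names eth0/eth1 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or system-config-firewall): build the
# IPsec pass-through FORWARD rules with a configurable IKE port/transport.
# $IPT, $IF (external) and $INIF (internal) follow the quoted rules; the
# default interface names below are assumptions for this example.

IPT="${IPT:-iptables}"
IF="${IF:-eth0}"
INIF="${INIF:-eth1}"
STATE="-m state --state NEW,ESTABLISHED,RELATED"

# ipsec_forward_rules PORT TRANSPORT...   prints one iptables command per line
# and returns 1 on an invalid port or transport instead of emitting rules.
ipsec_forward_rules() {
    port="$1"; shift
    case "$port" in
        ''|*[!0-9]*) echo "bad IKE port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "IKE port out of range: $port" >&2; return 1
    fi
    [ $# -gt 0 ] || { echo "no IKE transport given (udp and/or tcp)" >&2; return 1; }
    for proto in "$@"; do
        case "$proto" in
            udp|tcp) ;;
            *) echo "bad IKE transport: '$proto'" >&2; return 1 ;;
        esac
        # IKE rule, same direction as the quoted 500/udp and 500/tcp rules
        echo "$IPT -A FORWARD -i $IF -o $INIF -p $proto --dport $port $STATE -j ACCEPT"
    done
    # ESP has no ports; allow it both ways, as in the quoted rules
    echo "$IPT -A FORWARD -i $IF -o $INIF -p 50 $STATE -j ACCEPT"
    echo "$IPT -A FORWARD -i $INIF -o $IF -p 50 $STATE -j ACCEPT"
}

# Number of rules a given configuration produces (one IKE rule per
# transport plus two ESP rules); handy for sanity checks.
ipsec_rule_count() {
    ipsec_forward_rules "$@" | wc -l | tr -d ' '
}

# Print the rules (DRY_RUN=1, the default) or execute them (DRY_RUN=0,
# which needs root and a real iptables).
apply_ipsec_forward_rules() {
    rules=$(ipsec_forward_rules "$@") || return 1
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}

# Usage: the standard case, then a concentrator on a high port over both
# transports, as described in the reply.
apply_ipsec_forward_rules 500 udp
apply_ipsec_forward_rules 10000 udp tcp
```

Run with `IF=... INIF=... DRY_RUN=0 sh thisfile.sh` to actually load the rules; with the default DRY_RUN=1 it only prints them, which is the sensible first step before touching a live FORWARD chain.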

