
Re: system-config-firewall picking up slack where firestarter fell off



Hi.

On Fri, 12 Jun 2009 08:54:00 -0500, Adam Miller wrote

> 1) Cisco VPN
> I don't use this myself but I was told it just needs these rules, so I
> don't see a big issue here:
> $IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Are these for a VPN server or a VPN client?

Clients start the ISAKMP connection outbound on destination port 500,
and the answers can be tracked by simple UDP connection tracking, so
you really should not have to explicitly permit incoming traffic
on port 500.

As for the IPSec part, every recent (for quite large values of recent)
Cisco client can do UDP tunneling for the IPSec packets, wrapping ESP
(that's your protocol 50 up there) in UDP (usually port 4500), giving
you both stateful tracking and NAT traversal.

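As an added illustration (not code from this message or the thread), here is a toy Python model of stateful UDP connection tracking for a VPN client behind a NAT firewall. It shows why the gateway's reply on port 500 (or 4500 for NAT-T) passes as ESTABLISHED without any explicit inbound rule, while an unsolicited inbound packet on port 500 and a bare ESP packet do not; interface names and addresses are assumed/constructed.

```python
# Constructed toy model of iptables UDP connection tracking for a VPN client
# behind a NAT firewall (not the thread's code). It shows why a client that
# initiates IKE on UDP 500 (or NAT-T on 4500) needs no inbound ACCEPT for NEW
# packets: the gateway's reply already matches ESTABLISHED.
from collections import namedtuple

INIF, IF = "eth1", "eth0"  # assumed: $INIF = LAN side, $IF = WAN side
Packet = namedtuple("Packet", "in_if out_if proto src dst sport dport", defaults=(0, 0))


class Conntrack:
    """First packet of a 5-tuple is NEW; either direction of a committed
    tuple is ESTABLISHED, roughly how nf_conntrack treats UDP."""

    def __init__(self):
        self.flows = set()

    def state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def commit(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


def forward(ct, p):
    """FORWARD chain: LAN->WAN IKE/NAT-T may open a flow (NEW), tracked
    packets pass in both directions (ESTABLISHED), all else is dropped."""
    if p.in_if == INIF and p.out_if == IF and p.proto == "udp" and p.dport in (500, 4500):
        ct.commit(p)
        return "ACCEPT"
    if ct.state(p) == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"


def simulate():
    ct = Conntrack()
    client, gw, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
    return {
        "ike_out": forward(ct, Packet(INIF, IF, "udp", client, gw, 500, 500)),
        "ike_reply": forward(ct, Packet(IF, INIF, "udp", gw, client, 500, 500)),  # no inbound rule needed
        "unsolicited": forward(ct, Packet(IF, INIF, "udp", other, client, 500, 500)),
        "esp_out": forward(ct, Packet(INIF, IF, "esp", client, gw)),  # bare ESP still needs its own rule
    }
```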
