[H-GEN] Request for help with smoothwall firewall
Conor Cunningham
cunningtek at optusnet.com.au
Thu Sep 22 01:10:33 EDT 2005
Ronald,
How's tricks? I can understand your situation as not too long ago I
completed an assignment which included a small section on VPN traffic
within a corporate firewall. Below are some rules that we came up with
and tested successfully - albeit several months ago. I'm sure there are
others on this list who can provide a few more rules/information. As for
the VNC stuff, well, I have no idea as to how that protocol operates.
Remember, IPSEC uses a protocol called protocol 50.
# Ignore the sources and destinations and these should be functioning rules to allow IPSEC traffic in and out of a box.
# Please remember that these rules were specific to a situation and I do not know your situation so they may be no use at all.
# Allow VPN traffic into the box on an internal ethernet card.
# ESP (protocol 50) carries no port numbers, so --sport/--dport cannot be combined with -p 50
# (iptables rejects them); match on addresses and connection state only. Note that -s 10.100.10.0
# without a mask matches that single address, not the whole 10.100.10.0 network.
iptables -A INPUT -p 50 -i eth1 -s 10.100.10.0 -d 192.168.40.6 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow input and output traffic to and from a specific external VPN box at a remote site
# (IKE key exchange on UDP port 500). Inbound packets from the remote box carry its address as
# the source, so the INPUT rules match with -s and the OUTPUT rules with -d.
iptables -A INPUT -p udp -s 210.50.10.23 -i eth0 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -d 210.50.10.23 -o eth0 --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT -p 50 -s 210.50.10.23 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -d 210.50.10.23 -o eth0 -j ACCEPT
...conor
Ronald Bradford wrote:
> [ Humbug *General* list - semi-serious discussions about Humbug and ]
> [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
> Hi All,
>
> We are seeking some assistance in the completion of the configuration
> of a Smoothwall Firewall at our organisation.
> While I'm a literate IT Linux user in general system administration,
> moving from theory of firewalls to practice has been a new experience
> which I'm now completely comfortable with for general installation,
> DMZ etc.
>
> However two things remain, VPN & VNC access. I've been unsuccessful
> in doing testing of VPN access from a Windoze machine (which all staff
> use).
> While there is a certain amount of accessible documentation, it's a
> lot to wade through and consensus is VPN is complicated, and with
> Microsoft not supporting IPsec very difficult hence my request for
> anybody that could give some valuable assistance first hand.
>
> There is unfortunately no money available in response to help. We are
> a not for profit organisation and are very stretched and are suffering
> greatly like most other similar organisations this calendar year due
> to world events.
>
> Thanks
>
> Regards
>
> Ronald Bradford
>
> _______________________________________________
> General mailing list
> General at lists.humbug.org.au
> http://lists.humbug.org.au/cgi-bin/mailman/listinfo/general
>
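Added example (not code from either poster): a small Python classifier that shows what "protocol 50" means on the wire and why an ESP rule cannot carry --sport/--dport while an IKE rule on UDP/500 can. The packets, SPI values and addresses below are constructed for the demo.

```python
"""Classify raw IPv4 packets as IPsec traffic (ESP, AH or IKE).
Added example, not code from either poster; sample packets are constructed.
ESP (IP protocol 50) has no port numbers: a filter sees only addresses and
the SPI. IKE, by contrast, is UDP/500 (UDP/4500 with NAT traversal)."""
import struct

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORTS = {500, 4500}


def classify(pkt: bytes) -> dict:
    """Return a dict describing the IPsec role of one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    payload = pkt[ihl:]
    info = {"proto": proto, "src": src, "dst": dst, "kind": "other"}
    if proto == PROTO_ESP and len(payload) >= 8:
        # RFC 4303: 32-bit SPI, 32-bit sequence number, then encrypted data
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="ESP", spi=spi, seq=seq)
    elif proto == PROTO_AH and len(payload) >= 12:
        # RFC 4302: next header, payload len, reserved, then SPI and sequence
        spi, seq = struct.unpack("!II", payload[4:12])
        info.update(kind="AH", spi=spi, seq=seq)
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(sport=sport, dport=dport)
        if sport in IKE_PORTS or dport in IKE_PORTS:
            info["kind"] = "IKE"
    return info


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, zero checksum) for the demo."""
    def addr(a): return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload


if __name__ == "__main__":
    # Constructed ESP and IKE packets using the remote peer address from the thread
    esp = build_ipv4(PROTO_ESP, "210.50.10.23", "192.168.40.6",
                     struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16)
    ike = build_ipv4(PROTO_UDP, "210.50.10.23", "192.168.40.6",
                     struct.pack("!HHHH", 500, 500, 36, 0) + b"\x00" * 28)
    for p in (esp, ike):
        print(classify(p))
```

Running it prints the ESP record with an SPI and sequence number but no ports, and the IKE record with sport/dport 500, which is exactly the distinction the two groups of rules above rely on.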