system-config-firewall picking up slack where firestarter fell off

Manuel Wolfshant wolfy at nobugconsulting.ro
Sat Jun 13 21:05:09 UTC 2009


On 06/12/2009 04:54 PM, Adam Miller wrote:
> I've retired firestarter, I picked it up recently as it was orphaned
> but as we are moving towards PolicyKit and there's no upstream to
> assist with the port and after a discussion we had here on the list I
> decided it was time to retire it.
>
> Now, with that being said, I have some users on the firestarter-users
> mailing list that have some features they would like to request and I
> wanted to pose a couple questions here in respect to their requests
> and find out if others feel that these requests are feasible and/or
> are even in the scope of system-config-firewall.
>
> 1) Cisco VPN
> I don't use this myself but I was told it just needs these rules, so I
> don't see a big issue here:
> $IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
This is more or less standard IPsec. Port 500/udp is used for IKE and 
proto 50 is ESP. I have not seen 500/tcp ever being used, but I think 
that Cisco's client can use it. openswan for sure does not use tcp.
The only problem is that Cisco's VPN client can use _any_ port for 
communication; it depends solely on the way the VPN concentrator is 
configured. In the company I work for, the client is configured to use a 
high port, and we can switch between tcp and udp at will. What I want to 
say here is that blindly adding port 500 "because we know it's used" 
might lead to unpleasant surprises (as in "we added the rule but the 
client does not work").

> 2) Auto setup of "Internet Sharing", so autoconfig of dhcpd and
> providing a bridge between WAN and LAN. This is one that I'm not
> entirely sure there is really in the scope of system-config-firewall
> and might need to be its own utility.
Not sure what to say here. A tool to do that would be nice, but I do not 
think that s-c-f is _that_ tool either.
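An added example, not from either poster: the same FORWARD rules as in the quoted snippet, but with the IKE port and transport list taken as parameters, since the reply above notes the Cisco client may be configured for a high port and for tcp or udp. The interface names passed in (eth0/eth1 in the usage line) are constructed sample values; IPT defaults to printing the commands rather than applying them.

```sh
#!/bin/sh
# Added example: generate IPsec pass-through FORWARD rules with a configurable
# IKE port and transport list. Set IPT=iptables in the environment to apply them;
# the default only prints each command so the ruleset can be reviewed first.
IPT="${IPT:-echo iptables}"

# ipsec_passthrough IF INIF IKE_PORT IKE_PROTOS
#   IF / INIF    : the two interfaces, in the same positions as the quoted rules
#   IKE_PORT     : 500 is the IANA default; the concentrator may dictate another
#   IKE_PROTOS   : space-separated list, e.g. "udp" or "udp tcp"
ipsec_passthrough() {
    if_out=$1; if_in=$2; ike_port=$3; ike_protos=$4
    # IKE: one stateful rule per transport actually in use, so a client that only
    # ever speaks udp does not get a tcp hole opened for it.
    for proto in $ike_protos; do
        $IPT -A FORWARD -i "$if_out" -o "$if_in" -p "$proto" --dport "$ike_port" \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # ESP (IP protocol 50) has no ports, so it is matched on protocol alone and,
    # as in the original rules, allowed in both directions.
    $IPT -A FORWARD -i "$if_out" -o "$if_in" -p 50 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$if_in" -o "$if_out" -p 50 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage (constructed values): standard IKE over udp only, between eth0 and eth1.
ipsec_passthrough eth0 eth1 500 udp
```

Run with a non-default port and both transports, as the reply describes for its site, to see the extra tcp rule appear: ipsec_passthrough eth0 eth1 10000 "udp tcp".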
