system-config-firewall picking up slack where firestarter fell off

Ralf Ertzinger fedora at camperquake.de
Sat Jun 20 13:20:22 UTC 2009


Hi.

On Fri, 12 Jun 2009 08:54:00 -0500, Adam Miller wrote

> 1) Cisco VPN
> I don't use this myself but I was told it just needs these rules, so I
> don't see a big issue here:
> $IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT

Are these for a VPN server or a VPN client?

Clients start the ISAKMP connection outbound on destination port 500,
and the answers can be tracked by simple UDP connection tracking, so
you really should not have to explicitly permit incoming traffic
on port 500.

As for the IPSec part, every recent (for quite large values of recent)
Cisco client can do UDP tunneling for the IPSec packets, wrapping ESP
(that's your protocol 50 up there) in UDP (usually port 4500), giving
you both stateful tracking and NAT traversal.
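The client-side rule set the reply describes, written out as an added example that is not part of the thread; the interface name, the iptables path, and the choice to print the rules rather than apply them directly are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Prints client-side iptables rules that
# rely on connection tracking as the reply describes.
# Apply with: vpn_client_rules | sh
IPT="${IPT:-iptables}"
IF="${IF:-eth0}"   # assumption: the interface that faces the VPN concentrator

vpn_client_rules() {
    # Replies to anything this host initiated, including ISAKMP on udp/500
    # and NAT-T (ESP wrapped in udp/4500), are matched by conntrack state,
    # so no explicit inbound "--dport 500" rule is needed.
    echo "$IPT -A INPUT -i $IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The client initiates ISAKMP (udp/500) and NAT-T (udp/4500) outbound.
    echo "$IPT -A OUTPUT -o $IF -p udp --dport 500 -m state --state NEW -j ACCEPT"
    echo "$IPT -A OUTPUT -o $IF -p udp --dport 4500 -m state --state NEW -j ACCEPT"
    # Raw ESP (protocol 50) for the no-NAT case; conntrack still tracks it
    # (generically, by address pair), so the INPUT rule above covers replies.
    echo "$IPT -A OUTPUT -o $IF -p 50 -m state --state NEW -j ACCEPT"
}

# Sanity check for the reply's point: count INPUT rules that open port 500
# explicitly. With the rules above this is 0.
inbound_port_500_rules() {
    vpn_client_rules | grep -c -- '-A INPUT .*--dport 500' || true
}
```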