system-config-firewall picking up slack where firestarter fell off

Matthew Woehlke mw_triad at users.sourceforge.net
Sat Jun 20 01:09:37 UTC 2009


Adam Miller wrote:
> 1) Cisco VPN
> I don't use this myself but I was told it just needs these rules, so I
> don't see a big issue here:
> $IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT

Hmm... $DAYJOB uses Cisco VPN, and the only rule I seem to have for it is:
-A INPUT -i cipsec0 -m state --state RELATED,ESTABLISHED -j ACCEPT
(...and similar in FORWARD, as this box is a gateway router)

Either vpnc auto-manages the needed rules, or open port 500 isn't 
universally required.

> 2) Auto setup of "Internet Sharing", so autoconfig of dhcpd and
> providing a bridge between WAN and LAN. This is one that I'm not
> entirely sure there is really in the scope of system-config-firewall
> and might need to be its own utility.

Maybe. As above, I've done it by hand and it's not trivial (not hard, 
but requires more than one thing set up). You can pick defaults for many 
things, but to set up forwarding you need:
- forwarding on in kernel (/etc/sysctl.conf)
- iptables rules
- configure dnsmasq (else fiddling with updating dns servers via dhcp is 
a pain)
- configure dhcpd (or use dnsmasq)
- somehow ask user or guess what is external, internal interfaces

(Don't forget to bind dnsmasqd/dhcpd to the lan interface, please!)

And it should ideally let you configure (in advanced mode):
- specify net/subnet and ranges for dhcp
- static hosts for dhcp
- forwarded ports other machines in the LAN

FWIW, 'doze apparently has point-and-click internet connection sharing, 
so this would be a good thing to address.

Say, how come s-c-f isn't merged into NM yet? ;-)

-- 
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
-- 
"The spiraling shape will make you go insane!" -- They Might Be Giants
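The "internet sharing" pieces Matthew lists above (kernel forwarding, iptables rules, dnsmasq bound to the LAN interface, an optional forwarded port) as one added example; this is not code from the thread or from system-config-firewall, and the interface names eth0/eth1 and the 192.168.1.x range are constructed placeholders. The functions print the fragments so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the thread): generate the pieces needed for
# "internet sharing" on a Linux gateway. WAN = $1, LAN = $2 throughout.
# Interface names and addresses are placeholders, not real values.

# Kernel side: the sysctl line that turns on IPv4 forwarding.
sysctl_fragment() {
    echo "net.ipv4.ip_forward = 1"
}

# iptables side: masquerade LAN traffic out of the WAN interface, allow
# LAN->WAN, and only let RELATED/ESTABLISHED replies back from the WAN.
iptables_rules() {
    ext="$1"; int="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
iptables -A FORWARD -i $int -o $ext -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext -o $int -j DROP
EOF
}

# dnsmasq side: DNS plus DHCP, listening on the LAN interface only so the
# daemon never answers on the WAN side.
dnsmasq_fragment() {
    int="$1"; range_lo="$2"; range_hi="$3"
    cat <<EOF
interface=$int
bind-interfaces
dhcp-range=$range_lo,$range_hi,12h
EOF
}

# Advanced mode: forward one WAN port to a single LAN host.
port_forward_rule() {
    ext="$1"; proto="$2"; port="$3"; host="$4"
    echo "iptables -t nat -A PREROUTING -i $ext -p $proto --dport $port -j DNAT --to-destination $host:$port"
}

# Show the whole set for eth0 (WAN) / eth1 (LAN), placeholder values.
sysctl_fragment
iptables_rules eth0 eth1
dnsmasq_fragment eth1 192.168.1.100 192.168.1.200
port_forward_rule eth0 tcp 22 192.168.1.10
```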