Re: system-config-firewall picking up slack where firestarter fell off

Adam Miller wrote:
1) Cisco VPN
I don't use this myself but I was told it just needs these rules, so I
don't see a big issue here:
$IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Hmm... $DAYJOB uses Cisco VPN, and the only rule I seem to have for it is:
-A INPUT -i cipsec0 -m state --state RELATED,ESTABLISHED -j ACCEPT
(...and similar in FORWARD, as this box is a gateway router)

Either vpnc auto-manages the needed rules, or open port 500 isn't universally required.

2) Auto setup of "Internet Sharing", so autoconfig of dhcpd and
providing a bridge between WAN and LAN. This is one that I'm not
entirely sure there is really in the scope of system-config-firewall
and might need to be its own utility.

Maybe. As above, I've done it by hand and it's not trivial (not hard, but requires more than one thing set up). You can pick defaults for many things, but to set up forwarding you need:
- forwarding on in kernel (/etc/sysctl.conf)
- iptables rules
- configure dnsmasq (else fiddling with updating dns servers via dhcp is a pain)
- configure dhcpd (or use dnsmasq)
- somehow ask user or guess what is external, internal interfaces

(Don't forget to bind dnsmasqd/dhcpd to the lan interface, please!)

And it should ideally let you configure (in advanced mode):
- specify net/subnet and ranges for dhcp
- static hosts for dhcp
- forwarded ports other machines in the LAN

FWIW, 'doze apparently has point-and-click internet connection sharing, so this would be a good thing to address.

Say, how come s-c-f isn't merged into NM yet? ;-)

--
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
--
"The spiraling shape will make you go insane!" -- They Might Be Giants

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
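The hand-built "internet sharing" checklist in the message above (kernel forwarding, iptables rules, dnsmasq for DHCP/DNS bound to the LAN side, port forwards and static leases in advanced mode) as an added example script; it is not code from the thread, from system-config-firewall or from the Fedora project. The function names, the interface names eth0 (WAN) and eth1 (LAN), the 192.168.10.0/24 addresses and the sample MAC are constructed for illustration. The script only emits the rules and config lines as text so they can be reviewed before being applied; the FORWARD chain is default-deny, and the DHCP/DNS service is reachable from the LAN interface only.

```shell
#!/bin/sh
# Added example, not the thread's or the project's code.  Generates the
# pieces of a two-interface gateway setup as reviewable text.  Interface
# names, addresses and the MAC below are constructed sample values.

# 1) Kernel forwarding: the line to persist in /etc/sysctl.conf.
gen_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# 2) iptables rules for a gateway.  $1 = WAN interface, $2 = LAN interface.
#    FORWARD is default-deny: only LAN->WAN traffic and its replies pass.
gen_iptables() {
    wan=$1; lan=$2
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$wan"
    printf 'iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$lan" "$wan"
    printf 'iptables -A FORWARD -j DROP\n'
    # DHCP (udp/67) and DNS (udp/53) are served to the LAN only; the same
    # ports are explicitly dropped on the WAN side.
    printf 'iptables -A INPUT -i %s -p udp --dport 67 -j ACCEPT\n' "$lan"
    printf 'iptables -A INPUT -i %s -p udp --dport 53 -j ACCEPT\n' "$lan"
    printf 'iptables -A INPUT -i %s -p udp --dport 67 -j DROP\n' "$wan"
    printf 'iptables -A INPUT -i %s -p udp --dport 53 -j DROP\n' "$wan"
}

# 3) Advanced mode: forward one WAN port to a LAN host.  DNAT in PREROUTING
#    plus a FORWARD accept inserted (-I) ahead of the default DROP above.
#    $1 = WAN, $2 = LAN, $3 = proto, $4 = port, $5 = internal host
gen_port_forward() {
    wan=$1; lan=$2; proto=$3; port=$4; host=$5
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$proto" "$port" "$host" "$port"
    printf 'iptables -I FORWARD -i %s -o %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$wan" "$lan" "$proto" "$host" "$port"
}

# 4) dnsmasq serving both DHCP and DNS, bound to the LAN interface only.
#    $1 = LAN interface, $2 = range start, $3 = range end, $4 = lease time
gen_dnsmasq() {
    lan=$1; start=$2; end=$3; lease=$4
    printf 'interface=%s\n' "$lan"
    printf 'bind-interfaces\n'
    printf 'dhcp-range=%s,%s,%s\n' "$start" "$end" "$lease"
}

# Advanced mode: a static DHCP lease.  $1 = MAC, $2 = IP, $3 = hostname
gen_static_host() {
    printf 'dhcp-host=%s,%s,%s\n' "$1" "$2" "$3"
}

# 5) Guess the external interface: the one carrying the default route.
#    Needs iproute2; prints nothing if it cannot tell, so then ask the user.
guess_wan() {
    ip -o route show default 2>/dev/null | awk '{print $5; exit}'
}

# Usage: sh thisscript.sh --demo, review the output, then run the iptables
# lines as root, append the sysctl line to /etc/sysctl.conf and put the
# dnsmasq lines in /etc/dnsmasq.d/lan.conf (example paths and values).
if [ "${1:-}" = "--demo" ]; then
    gen_sysctl
    gen_iptables eth0 eth1
    gen_port_forward eth0 eth1 tcp 22 192.168.10.5
    gen_dnsmasq eth1 192.168.10.100 192.168.10.200 12h
    gen_static_host 00:11:22:33:44:55 192.168.10.5 nas
fi
```

The generated FORWARD chain ends in an unconditional DROP, so every forwarded port needs its own accept rule; `gen_port_forward` uses `-I` for that reason, so the accept lands ahead of the DROP regardless of the order the functions are called in.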
