Re: system-config-firewall picking up slack where firestarter fell off

Hi.

On Fri, 12 Jun 2009 08:54:00 -0500, Adam Miller wrote

> 1) Cisco VPN
> I don't use this myself but I was told it just needs these rules, so I
> don't see a big issue here:
> $IPT -A FORWARD -i $IF -o $INIF -p udp --dport 500 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p tcp --dport 500 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $IF -o $INIF -p 50 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -i $INIF -o $IF -p 50 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT

Are these for a VPN server or a VPN client?

Clients start the ISAKMP connection outbound on destination port 500,
and the answers can be tracked by simple UDP connection tracking, so
you really should not have to explicitly permit incoming traffic
on port 500.

As for the IPSec part, every recent (for quite large values of recent)
Cisco client can do UDP tunneling for the IPSec packets, wrapping ESP
(that's your protocol 50 up there) in UDP (usually port 4500), giving
you both stateful tracking and NAT traversal.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
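As an added illustration of the point made in the reply above (this is not code from the thread or from system-config-firewall), here is a client-side FORWARD rule set for a Linux router whose LAN hosts run the Cisco VPN client. It lets UDP connection tracking carry the IKE (udp/500) and NAT-T (udp/4500) replies, so there is no explicit inbound udp/500 rule; raw ESP (protocol 50) is the one case that still needs a stateless inbound rule, because ESP carries no ports for conntrack to match. The interface names and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Emits an iptables-restore style ruleset (filter table only) for a router
# that forwards Cisco VPN client traffic from the LAN to an external gateway.
#   $1 = external (WAN) interface, $2 = internal (LAN) interface
# Interface names are assumptions; pass your own.
vpn_client_forward_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to anything the LAN initiated come back as ESTABLISHED; IKE on
# udp/500 and NAT-T on udp/4500 are ordinary UDP flows to conntrack, so
# this single rule covers the answers from the VPN gateway.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> gateway: ISAKMP and NAT-T, permitted only as new outbound flows.
-A FORWARD -i $lan -o $wan -p udp --dport 500 -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -p udp --dport 4500 -m state --state NEW -j ACCEPT
# Raw ESP (protocol 50): needed only when the client cannot use NAT-T.
# ESP has no ports, so the inbound rule is effectively stateless; drop both
# lines once every tunnel is wrapped in udp/4500.
-A FORWARD -i $lan -o $wan -p esp -j ACCEPT
-A FORWARD -i $wan -o $lan -p esp -j ACCEPT
COMMIT
EOF
}

# Sanity check: count rules that accept NEW traffic arriving on the WAN
# interface. For a client-side ruleset this must be 0 (no inbound udp/500).
# The "|| true" keeps the function's exit status 0 when grep -c prints 0.
count_inbound_new_rules() {
    vpn_client_forward_rules "$1" "$2" | grep -c -- "-i $1 .*--state NEW" || true
}

# Usage (review the output before loading it):
#   vpn_client_forward_rules eth0 eth1
#   vpn_client_forward_rules eth0 eth1 | iptables-restore
```

The ESTABLISHED,RELATED rule comes first so that the per-port rules only ever see the first packet of a flow; everything that follows a LAN-initiated exchange, including the gateway's udp/500 and udp/4500 answers, is accepted by state rather than by port.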
