IPSec passthrough with iptables

On Wednesday 16 October 2002 4:45 am, David A Golden wrote:

> Just to muddy the waters, through experimentation, I have found that using
> Checkpoint SecuRemote (on windows) behind a Linux netfilter firewall, I can
> achieve an IPSEC connection using just:
>
> iptables -A FORWARD -s $INTERNAL_NET -j ACCEPT
> iptables -A FORWARD -d $INTERNAL_NET -m state --state ESTABLISHED,RELATED \
>          -j ACCEPT
>
> I.e. explicit per-protocol forwarding seems unnecessary.  (Though you might
> want to be explicit for security/control reasons.)

Well, quite.

We suggested some rules which would allow IPsec through your firewall, but
which would at least block a few other protocols. We also weren't sure
whether you were initiating the IPsec connection from the inside or the
outside of your firewall (it's clearly the inside, if the above rules work).

If you prefer to allow *every* protocol out of your network, then this 
includes IPsec, so you don't need to do anything specific.

Good that you have things working - now to consider how secure you want it...

Antony.

-- 

Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics
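The two positions in the thread, "allow everything out" versus explicit per-protocol forwarding, can be compared side by side. The script below is an added example, not code from either poster: it emits the explicit FORWARD rules an inside-initiated IPsec connection needs (IKE on UDP/500, ESP as IP protocol 50, AH as IP protocol 51) with a DROP policy for everything else, so that only those protocols leave the network. INTERNAL_NET, the sample subnet 192.168.1.0/24 and the IPT variable are assumptions for illustration; by default IPT is "echo iptables" so the rules are printed for review rather than applied, and the UDP/4500 line for NAT-traversal goes beyond the 2002 setup described above and is only needed if the client and gateway negotiate UDP encapsulation.

```shell
#!/bin/sh
# Added example (not from the original thread): explicit IPsec passthrough
# for a host on the inside that initiates the tunnel, instead of the blanket
# "-s $INTERNAL_NET -j ACCEPT" rule quoted in the reply.
#
# Assumptions (not in the original post):
#   INTERNAL_NET  the inside subnet; 192.168.1.0/24 is a made-up example
#   IPT           "echo iptables" prints the rules (dry run, no root needed);
#                 run with IPT=iptables to apply them on a real firewall
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
IPT="${IPT:-echo iptables}"

# Blanket policy from the thread: everything out, stateful replies back.
# Kept only for comparison; it forwards IPsec because it forwards anything.
allow_everything_out() {
    $IPT -A FORWARD -s "$INTERNAL_NET" -j ACCEPT
    $IPT -A FORWARD -d "$INTERNAL_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Explicit policy: only the protocols IPsec actually uses may leave.
ipsec_passthrough() {
    # IKE (ISAKMP) key exchange, inside -> outside
    $IPT -A FORWARD -s "$INTERNAL_NET" -p udp --dport 500 -j ACCEPT
    # NAT-T UDP encapsulation of ESP; harmless if unused, beyond the 2002 setup
    $IPT -A FORWARD -s "$INTERNAL_NET" -p udp --dport 4500 -j ACCEPT
    # ESP (protocol 50) and AH (protocol 51) carry the tunnel itself; they are
    # neither TCP nor UDP, so they must be matched by IP protocol, not port
    $IPT -A FORWARD -s "$INTERNAL_NET" -p esp -j ACCEPT
    $IPT -A FORWARD -s "$INTERNAL_NET" -p ah -j ACCEPT
    # Replies back in only when conntrack has seen the outbound side. Note that
    # ESP/AH have no ports, so the generic tracker keys them on addresses alone:
    # this is coarser than the TCP/UDP state match and worth knowing about.
    $IPT -A FORWARD -d "$INTERNAL_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything not listed above is not forwarded in either direction
    $IPT -P FORWARD DROP
}

# Stand-alone run: print the explicit rule set for review
ipsec_passthrough
```

Run it as-is to read the rules; run it as root with IPT=iptables on the firewall to install them. The generic-conntrack caveat is the reason the explicit version still needs the ESTABLISHED,RELATED line: without an outbound IKE/ESP packet seen first, inbound ESP to the inside net is dropped by the policy.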