Herbert, Many thanks for your reply. I had not seen that problem. My first
attempt to load SuSEfirewall2 failed but I googled around and saw that I did
not modprobe it (should have been obvious). The fix you gave me seemed to
have helped others but did not help me.
The system log did not report any errors except of course the:

Jan  4 10:08:26 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=1 PROTO=TCP SPT=1090 DPT=5900 WINDOW=0 RES=0x00 ACK RST URGP=0

I also did the ip_nat_pptp just in case and that did not help either.

I am looking at some googled ideas like adding some custom iptables stuff.
Unfortunately I am not very up on them. I guess it's time for me to learn.
Thanks again!

Tim Ertl


-----Original Message-----
From: Herbert Graeber [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 04, 2008 5:25 AM
To: [email protected]
Subject: Re: [opensuse] SuSEfirewall2 & PPTP SERVER SFW2-FWDint-DROP-DEFLT
IN=ppp0

On Friday, 4 January 2008 05:03:55, Tim Ertl wrote:
> 10.2 and 10.3 are wonderful! What an improvement over the old 8.2!
>
> Are there any docs on how to set up SuSE 10.2 (or equiv) PPTP SERVER with
> SuSEfirewall2? I have looked all over and found VPN Client configs but no
> Server configs that are current and not much on the firewall with vpn's.
> All thoughts and comments are very welcome. Happy New Year!
> Why?
> I had done it on SuSE 8.2 so I took a stab at it on 10.2.
> I am able to connect and validate passwords etc.
> I can Ping the Server host IP (192.168.1.1).
> I can ping my ppp0 (192.168.225.1) ip address on the firewall.
> I can even VNC into the 192.168.1.1(the firewall ip)!
> I can not get on to the rest of the INTernal network (192.168.1.25)?

PPTP is another beast... Look below.

> ERROR:
> Jan  3 22:23:20 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2
> SRC=192.168.224.1 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=2316 PROTO=ICMP TYPE=8 CODE=0 ID=39955 SEQ=1280
>
> I am one of those that have had good success with SuSEfirewall2 in the past
> but I am confused this time.
> ETH2 = 192.168.1.1 # internal network
> PPP0 = 192.168.224.1
> I want to get to 192.168.1.25
>
> Sysconfig->SuSEfirewall2:
> (I grep'd off comments & null parameters "" for space)
> FW_DEV_EXT="eth-id-00:15:e9:80:db:e9"
> FW_DEV_INT="eth-id-00:0e:0c:d7:f9:f9 eth-id-00:0f:1f:f8:26:c5 ppp0 ppp1"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"
> FW_PROTECT_FROM_INT="no"
> FW_SERVICES_EXT_TCP="https imaps pop3s pptp smtp 1723"
> FW_SERVICES_EXT_IP="47"
> FW_SERVICES_INT_TCP="80"
> FW_SERVICES_INT_UDP="ntp icmp"
> FW_SERVICES_INT_IP="47"
> FW_SERVICES_REJECT_EXT="0/0,tcp,113"
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="yes"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_KERNEL_SECURITY="yes"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="yes"
> FW_ALLOW_FW_BROADCAST_EXT="no"
> FW_ALLOW_FW_BROADCAST_INT="ntp"
> FW_ALLOW_FW_BROADCAST_DMZ="no"
> FW_IGNORE_FW_BROADCAST_EXT="yes"
> FW_IGNORE_FW_BROADCAST_INT="no"
> FW_IGNORE_FW_BROADCAST_DMZ="no"
> FW_REJECT_INT="yes"
> FW_IPSEC_TRUST="no"
> All other param's are "" defaulted.

Looks like you need

        FW_LOAD_MODULES="ip_conntrack_pptp"

If you plan to use pptp in the other direction, from your masqueraded LAN to 
the outside, you must add ip_nat_pptp, too.

> Any Help is greatly appreciated.
> Many Thanks!
> We have about 40 SuSE linux systems and a mess of Windoze systems!

Herbert

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



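The SFW2 lines Tim and Herbert are reading by hand follow a fixed shape: a `SFW2-<chain>-<action>-<rule>` prefix followed by `key=value` fields and bare TCP flag words. The following Python script is an added example for this thread, not code from the list or from SuSEfirewall2 itself; it parses that shape, tags GRE (IP protocol 47) and TCP/1723 traffic as PPTP, counts drops per interface pair, and lists forwarded packets that arrived on the VPN interface and hit the default drop rule, which is exactly the symptom in the thread. The sample input is the two log lines quoted above, rejoined onto one line each, plus one constructed line with a GRE drop; the `INext` chain name, addresses and timestamp in that third line are assumed for illustration.

```python
import re
from collections import Counter

# SFW2 log prefix: SFW2-<chain>-<action>-<rule>, e.g. SFW2-FWDint-DROP-DEFLT,
# followed by the netfilter key=value fields and bare TCP flag words.
SFW2_RE = re.compile(
    r"SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)-(?P<rule>[A-Z]+)\s+(?P<kv>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample input: the two lines quoted in the thread (rejoined onto
# one line each) plus one constructed GRE drop on the external input chain.
SAMPLE_LOG = """\
Jan  4 10:08:26 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=1 PROTO=TCP SPT=1090 DPT=5900 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan  3 22:23:20 gate kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth2 SRC=192.168.224.1 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2316 PROTO=ICMP TYPE=8 CODE=0 ID=39955 SEQ=1280
Jan  4 10:09:01 gate kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=47
"""


def parse_sfw2_line(line):
    """Parse one SFW2 kernel log line; return None for lines without the prefix."""
    m = SFW2_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ICMP echo lines carry a second ID= (the echo id); keep the IP header's.
            fields.setdefault(key, value)
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "rule": m.group("rule"),
        "fields": fields,
        "flags": flags,
    }


def classify(rec):
    """Label a record with the traffic class that matters for a PPTP setup."""
    proto = rec["fields"].get("PROTO", "")
    if proto == "47":
        return "gre"            # PPTP data channel: IP protocol 47
    if proto == "TCP" and rec["fields"].get("DPT") == "1723":
        return "pptp-control"   # PPTP control connection: TCP/1723
    return proto.lower() or "unknown"


def summarize(lines):
    """Count drops/accepts per (chain, action, in-if, out-if, class, dport)."""
    counts = Counter()
    for line in lines:
        rec = parse_sfw2_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        key = (rec["chain"], rec["action"], f.get("IN", "-"), f.get("OUT", "-"),
               classify(rec), f.get("DPT", "-"))
        counts[key] += 1
    return counts


def vpn_forward_drops(records, vpn_if="ppp0"):
    """Forwarded packets that entered on the VPN interface and were dropped.

    This is the thread's symptom: FWDint-DROP-DEFLT with IN=ppp0, i.e. the
    VPN client's traffic towards the LAN falling through to the default rule.
    """
    hits = []
    for rec in records:
        if rec is None:
            continue
        f = rec["fields"]
        if rec["chain"].startswith("FWD") and rec["action"] == "DROP" and f.get("IN") == vpn_if:
            hits.append((f.get("SRC"), f.get("DST"), classify(rec)))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize(lines).items()):
        print(n, *key)
    for src, dst, cls in vpn_forward_drops([parse_sfw2_line(l) for l in lines]):
        print("VPN forward drop:", src, "->", dst, cls)
```

Run it against `/var/log/messages` (or `journalctl -k`) piped through `grep SFW2` to see at a glance which interface pair and protocol class the default rule is eating; a steady stream of `gre` or `pptp-control` entries points at the missing conntrack helper Herbert mentions, while `tcp`/`icmp` drops from `ppp0` to the internal interface point at the forwarding configuration.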