
Re: IP Protocol 57



On Fri, 20 Jul 2001, Chad Thompson wrote:
> I have a client who has a Novell Border Manager server behind a Debian
> firewall I built. Everything is fine but we need to get her VPN
> client/server to function. This function requires IP Protocol ID 57 to
> be forwarded. Does anyone know of any kernel patches I could apply in
> order to accomplish this?

] iptables -A FORWARD -p 57 -j ACCEPT

Of course, I wouldn't actually recommend using that as is. It's, er,
rather broad a statement. It should give you the idea, though.

Remember, primarily, that this protocol is an IP tunnel -- any sort of
packet can cross it to the end-point that is *inside* your firewall.

As such, I would suggest that something like the following architecture
would be a good idea:

---------+        +----------+       +--------------+
Internet |--------| Firewall |-------| Main Network |
---------+        +-----+----+       +--------------+
                        |
                        |
                  +----------+
                  | VPN Host |
                  +----------+

So, only allow this protocol 57 traffic from the Internet to the VPN
host, through the firewall. The VPN Host then accepts the connection and
unpacks the IP traffic from the VPN.

This traffic then *MUST* go back through the Firewall -- as it has no
other way of getting to the Main Network.

        Daniel

-- 
All of us are watchers - of television, of time clocks, of traffic on the
freeway - but few are observers. Everyone is looking, not many are seeing. 
        -- Peter M. Leschak 
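As an added worked example (not part of Daniel's post, nor anything shipped with Border Manager), here is a FORWARD rule set for the three-legged layout he sketches. Interface names, the VPN host address, the remote VPN address range and the permitted TCP ports are assumptions for the illustration. The point the rules make explicit is the one in the post: the packets the VPN host unpacks carry the remote site's inner source addresses, not the VPN host's own, so the rule that admits them to the main network must match that range, and nothing lets protocol 57 itself reach the main network.

```shell
#!/bin/sh
# Added example: FORWARD rules for Internet -- Firewall -- Main Network,
# with the VPN host on its own leg. All addresses and interface names
# below are assumptions for the illustration; adjust to the real network.

WAN_IF="${WAN_IF:-eth0}"                    # faces the Internet
DMZ_IF="${DMZ_IF:-eth1}"                    # leg holding only the VPN host
LAN_IF="${LAN_IF:-eth2}"                    # main network
VPN_HOST="${VPN_HOST:-192.0.2.10}"          # assumed address of the VPN host
LAN_NET="${LAN_NET:-10.0.0.0/24}"           # assumed main network
VPN_REMOTE_NET="${VPN_REMOTE_NET:-10.1.0.0/24}"  # assumed inner addresses of
                                            # the far side of the tunnel
IPT="${IPT:-iptables}"                      # set IPT=echo for a dry run

vpn_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Anti-spoofing: packets from the Internet may not claim an inside source.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$VPN_HOST" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$VPN_REMOTE_NET" -j DROP

    # The tunnel itself: protocol 57 only, only to/from the VPN host, and
    # only between the Internet leg and the VPN leg. No rule ever matches
    # -p 57 with -o $LAN_IF, so the raw tunnel cannot reach the main network.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$VPN_HOST" -p 57 -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$VPN_HOST" -p 57 -j ACCEPT

    # Decapsulated traffic leaves the VPN host as plain IP and must cross
    # the firewall again. Its source is the remote site's inner address
    # range, not the VPN host, so match on that. Admit only the services
    # the main network needs; the port list is an assumption for the example.
    for port in ${VPN_PORTS:-22 139 445}; do
        $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" \
             -s "$VPN_REMOTE_NET" -d "$LAN_NET" \
             -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Replies to the connections admitted above, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else (the VPN host talking to the Internet, the remote site
    # reaching other LAN ports, the LAN initiating into the tunnel leg)
    # falls through to the DROP policy. Add explicit rules if it is wanted.
}

# Usage: sh vpn-fw.sh dry     (print the rules)
#        sh vpn-fw.sh apply   (load them, as root)
if [ "${1:-}" = "dry" ]; then
    IPT=echo
    vpn_rules
elif [ "${1:-}" = "apply" ]; then
    vpn_rules
fi
```

The dry run prints the rule lines so they can be reviewed before loading; the ESTABLISHED,RELATED rule relies on connection tracking for the TCP sessions, while both directions of the protocol 57 tunnel are listed explicitly rather than left to generic tracking.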