susefirewall2 & openvpn

susefirewall2 & openvpn

vbargsten
Hi suse-security,

I'm running suse linux 9.3 and have newly installed openvpn. I added
the tun0 device to my internal devices in the config of susefirewall2.
Everything works now correctly concerning openvpn. I only have one
problem left: the tun0 device is created when openvpn starts. So if
the firewall has already been started, I have to restart it to make it
work. So should I make openvpn start before susefirewall2 or should I
call a restart of the firewall within the openvpn start script or are
there other ideas?



--
mfg
vbargsten
mailto:[hidden email]


--
Check the headers for your unsubscription address
For additional commands, e-mail: [hidden email]
Security-related bug reports go to [hidden email], not here


Re: susefirewall2 & openvpn

Carlos E. R.-2
On Thursday 2006-09-21 at 18:09 +0200, vbargsten wrote:

> work. So should I make openvpn start before susefirewall2 or should I
> call a restart of the firewall within the openvpn start script or are
> there other ideas?

Probably a reload would work, and faster. Try "SuSEfirewall2" alone.

--
Cheers,
       Carlos E. R.





Re: susefirewall2 & openvpn

Andy Smith-6
vbargsten wrote:
> Hi suse-security,
>
> I'm running suse linux 9.3 and have newly installed openvpn. I added
> the tun0 device to my internal devices in the config of susefirewall2.
> Everything works now correctly concerning openvpn. I only have one
> problem left: the tun0 device is created when openvpn starts. So if
> the firewall has already been started, I have to restart it to make it
> work. So should I make openvpn start before susefirewall2

Not if the network interfaces need to be brought up before the tunnel
can be established. Starting the firewall after the vpn would leave you
wide open until the vpn is up and running. Granted it would only be for
a short time at boot, but what if the vpn gets hung and takes a while to
start? You are left without a firewall until the vpn finishes loading.
If you would have to restart the vpn without a reboot you would have to
manually restart the firewall as well.

> or should I
> call a restart of the firewall within the openvpn start script or are
> there other ideas?
>

IMO this is a much better choice. Better yet would be a reload as Carlos
suggested. At any rate bringing up network interfaces before the
firewall is probably not a good idea.

Regards,
Andy

--
----------------------
Andy Smith
[hidden email]
----------------------
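
The reload-on-tunnel-up approach discussed in this thread, as an added example that is not part of any of the posts: an OpenVPN `up` hook that reloads SuSEfirewall2 only when the new device is listed in `FW_DEV_INT`. The script name and install path are assumptions, and `FW_CONFIG` / `FW_CMD` are overridable only so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: OpenVPN "up" hook that reloads SuSEfirewall2 once tun0 exists.
# Reference it from the OpenVPN config, e.g.:
#   up /etc/openvpn/fw-reload.sh        (path is an assumption)

FW_CONFIG="${FW_CONFIG:-/etc/sysconfig/SuSEfirewall2}"
FW_CMD="${FW_CMD:-/sbin/SuSEfirewall2}"

# Print the interfaces listed in FW_DEV_INT. The sysconfig file is shell
# syntax, so read it in a subshell to keep its variables out of this script.
internal_devs() {
    ( FW_DEV_INT=""; . "$1" >/dev/null 2>&1; printf '%s\n' "$FW_DEV_INT" )
}

# Succeed only if device $1 is listed as internal in config file $2.
dev_is_internal() {
    for d in $(internal_devs "$2"); do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# Reload the rules for a freshly created tunnel device.
# Returns 0 = reloaded, 1 = device not in the internal zone, 2 = reload failed.
reload_for_dev() {
    dev="$1"
    if ! dev_is_internal "$dev" "$FW_CONFIG"; then
        echo "fw-reload: $dev not in FW_DEV_INT, leaving rules untouched" >&2
        return 1
    fi
    # "SuSEfirewall2" with no argument re-applies the rules (Carlos's suggestion).
    "$FW_CMD" || return 2
    return 0
}

# OpenVPN passes the tunnel device name as the first argument to "up" scripts.
if [ -n "${1:-}" ]; then
    reload_for_dev "$1"
fi
```

Because the firewall is already running when the hook fires, the host is never without rules, and a later restart of the tunnel triggers the same reload. OpenVPN 2.1 and later also need `script-security 2` in the config before they will run an `up` script.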
