The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: Using SecuRemote thru Linux MASQ to FireWall-1

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Using SecuRemote thru Linux MASQ to FireWall-1

Q:

Has anyone had experience with trying to VPN through a linux firewall (which is hidding my internal network address) to a FireWall-1 VPN?  I changed my Linux FW rules to be extremely lax and I still had problems. When I bypass the linux FW I have no trouble at all. Any suggestions?

A:

There are two things you need to do:

Once you’ve done all this, it is fairly straightforward to enable your system to use SecuRemote securely. These instructions only work with IKE. FWZ with encapsulation is not supported and FWZ without encapsulation probably won’t work since Linux appears to drop FWZ encrypted packets in the bit bucket.

An alternative approach is to use something like Firestarter, which is a GUI frontend for ipchains and ipfilter.

In the following ipchains commands, the following conventions are used:

  • fw1-ip is the external IP of your firewall
  • client-ip is your SecuRemote Client
  • linux-ip is the IP of your Linux host
Due to the nature of this configuration, only one SecuRemote client at a specific IP address is supported. Note I am assuming the most paranoid ipchains rules (i.e. only permit that which is required to allow SecuRemote to a specific firewall). It does not include the necessary rules to permit a topology download. This is left as an exercise for the reader.

You can use slightly more lax rules if you'd like, though you absolutely need the ipfwd and ipmasqadm commands.

# Outgoing and incoming rules allowing UDP port 500 packets

/sbin/ipchains -A input -s fw1-ip -d linux-ip 500 -p UDP -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-up 500 -p UDP -j ACCEPT
 

# Outgoing and incoming rules allowing IP Protocol 50 packets

/sbin/ipchains -A input -s fw1-ip -d linux-ip -p 50  -j ACCEPT
/sbin/ipchains -A input -s client-ip -d fw1-ip -p 50  -j ACCEPT

# Outgoing UDP Encapsulation packets

/sbin/ipchains -A input -s client-ip -d fw1-ip 2746 -p UDP  -j ACCEPT

# Forward rules to MASQ and allow connections outbound

/sbin/ipchains -A forward -s client-ip 500 -p UDP -j MASQ
/sbin/ipchains -A forward -s client-ip -p 50 -j MASQ
 

# ipmasqadm to pick up port 500 and forward it inside

/usr/sbin/ipmasqadm portfw -a -P udp -L linux-ip 500 -R client-ip 500
 

# ipfwd to get Protocol 50 packets

/usr/sbin/ipfwd client-ip 50 &

With iptables in Linux 2.4, the commands are (ext_if refers to external interface):

/usr/sbin/iptables -A input   -s linux-ip -d fw1-ip   -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A input   -s linux-ip -d fw1-ip   -p 50 -j ACCEPT
/usr/sbin/iptables -A input   -s fw1-ip   -d linux-ip -p udp --dport 500 -j ACCEPT/usr/sbin/iptables -A input   -s fw1-ip   -d linux-ip -p udp --dport 2746 -j ACCEPT
/usr/sbin/iptables -A input   -s fw1-ip   -d linux-ip -p 50 -j ACCEPT
/usr/sbin/iptables -A forward -s linux-ip -d fw1-ip   -j ACCEPT
/usr/sbin/iptables -t nat     -A POSTROUTING -o ext_if -j MASQUERADE

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.