[linux] Solved

Lubomir Host rajo at platon.sk
Tuesday January 4 22:19:03 CET 2005


On Tue, Jan 04, 2005 at 09:59:26PM +0100, Lubomir Host wrote:
> On Tue, Jan 04, 2005 at 04:42:59PM +0100, Pogac Daniel wrote:
> > In my opinion the previous mail misled you.
> > On server1 you have to put
> > route add net 192.168.0.0 mask 255.255.255.0 gw 10.0.0.2
> 
> You are right, this command helped in that from server1 I can now ping
> machines with a local address behind fw1. The correct syntax for me, though, was:
> 
> route add -net 192.168.0.0/16 gw 10.0.0.2
> 
> Another problem, and probably why it was not working for me, was by all
> accounts a very strict firewall (that is, both firewalls). When I allowed all
> traffic on the tun+ and tap+ devices and added the corresponding routing
> rules on fw1, it started working:
> 
> SERVER1 + FW1
> iptables -A INPUT -i tun+ -j ACCEPT
> iptables -A INPUT -i tap+ -j ACCEPT
> iptables -A FORWARD -i tun+ -j ACCEPT
> iptables -A FORWARD -i tap+ -j ACCEPT
> iptables -A OUTPUT -o tun+ -j ACCEPT
> iptables -A OUTPUT -o tap+ -j ACCEPT
> 
> FW1:
> route add -host 23.45.67.89  gw  12.34.56.1;
> route add default gw 10.0.0.1
> 
> But it still does not work the way it should. It looks like a problem
> with UDP packets, which somehow refuse to go through the tunnel. ICMP and TCP
> work fine. Since UDP does not work, DNS etc. of course do not work either.
> Where could the remaining snag be?

From the OpenVPN manual:

-----------------------------------%<-----------------------------------
So I would make the statement that one should never tunnel a non-IP
protocol or UDP application protocol over UDP, if the protocol might be
vulnerable to a message deletion or reordering attack that falls within
the normal operating parameters of what is to be expected from the
physical IP layer. The problem is easily fixed by simply using TCP as
the VPN transport layer.
-----------------------------------%<-----------------------------------

So if I also want to tunnel UDP traffic, the tunnel itself has to be built
on TCP, not UDP. So I changed the protocol and now it seems to work.
Great. ;-)

-- 
Lubomir Host 'rajo' <rajo AT platon.sk>        ICQ #:  257322664
Platon Software Development Group              http://platon.sk/
http://www.gnu.org/philosophy/no-word-attachments.html
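The setup the thread arrives at (a point-to-point tunnel between server1 and fw1, carried over TCP, with server1 routing the 192.168.0.0/16 LAN behind fw1 through the tunnel) expressed as a pair of OpenVPN configuration files. This is an added illustration, not configuration posted by the author or taken from the OpenVPN project; it assumes OpenVPN 2.x static-key mode, the addresses from the thread (tunnel endpoints 10.0.0.1 and 10.0.0.2, public endpoint 23.45.67.89), and a hypothetical shared key file path and port.

```text
# --- server1.conf (constructed example) ---
dev tun
# TCP transport, as the quoted OpenVPN passage recommends for tunnelling UDP
proto tcp-server
port 1194
# local tunnel address, remote tunnel address
ifconfig 10.0.0.1 10.0.0.2
# pre-shared static key, generated with: openvpn --genkey --secret static.key
secret /etc/openvpn/static.key
# installs the route to the LAN behind fw1 when the tunnel comes up,
# replacing the manual: route add -net 192.168.0.0/16 gw 10.0.0.2
route 192.168.0.0 255.255.0.0
# detect a dead peer and restart without re-reading the key or closing tun
keepalive 10 60
persist-tun
persist-key

# --- fw1.conf (constructed example) ---
dev tun
proto tcp-client
# public address of server1; fw1 keeps a host route to it via its real
# uplink gateway so the tunnel endpoint is never routed into the tunnel itself
remote 23.45.67.89 1194
ifconfig 10.0.0.2 10.0.0.1
secret /etc/openvpn/static.key
keepalive 10 60
persist-tun
persist-key
```

With `dev tun` only the `tun+` firewall rules from the thread are exercised; the `tap+` rules can be dropped. OpenVPN's own documentation defaults to UDP and warns that TCP transport degrades throughput when TCP sessions run inside a TCP tunnel, so the `proto tcp-server`/`tcp-client` choice here is the mitigation the quoted passage proposes for UDP payloads, not a general recommendation. The `route add -host 23.45.67.89 gw 12.34.56.1` line from the thread remains necessary on fw1 whenever its default route points at 10.0.0.1, since without it the encrypted packets to server1 would be sent into the tunnel they are carrying.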