
GT3NE1 10-13-2004 01:42 PM

Need theory advice from security experts
I have started building a firewall from an Xserve G4 running Yellowdog. We would also like this to be a VPN box as well. Our main goal is to allow multiple home users access to their desktop machines at work using Timbuktu. Is this even possible? I am a little fuzzy on whether or not iptables will allow me to forward the Timbuktu ports to different machines depending on where the traffic is coming from. Is this something a VPN would do along with secure traffic? i.e., the user logs on to the VPN and then the firewall can determine which machine to forward the ports to based on the username?

I am looking at different VPN servers right now, but Super FreeS/WAN looks like it might work since the super version has the NAT Traversal patch already included. Our entire company is NAT'ed behind a firewall.

Are there any other better ways to do what I need to do?

Thanks a bunch.

chort 10-14-2004 12:28 AM

You can use your firewall box as an IPSec "Security Gateway" and have it advertise routes over the VPN to the internal network. At that point you don't need to forward any ports; the user can just use Timbuktu as if they were on the local network.

GT3NE1 10-14-2004 09:56 AM

Hmmm...that sounds interesting. Can you elaborate a little more? Would (Super) FreeS/WAN accomplish this or ????? Thanks.


chort 10-14-2004 07:55 PM

Yes, FreeS/WAN can do that. You would configure FreeS/WAN on the firewall box to act as a security gateway and configure it to advertise the routes necessary to reach your desktop LAN. I assume they're using Mac OS since you're talking about Timbuktu. Mac OS 10 comes with Racoon IPSec built-in, but it's completely command-line and config-file based, no GUI. In fact, if you ran OS 10 on your firewall you could use the built-in IPFW firewall with NATd (built-in) and Racoon IPSec (built-in).

For home users you'll probably want a GUI, so look at something like IPSecuritas or some of the other clients listed in the download section on You could also distribute config files for Racoon and a custom script that they could put on their Desktop and double-click on when they needed VPN access.
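A sketch of the security-gateway role chort describes, as a FreeS/WAN ipsec.conf fragment for the firewall. This is an added example, not from the thread or the FreeS/WAN project; the hostname, the office LAN range and the key values are assumed placeholders.

```conf
# /etc/ipsec.conf on the firewall (Super FreeS/WAN with the NAT-T patch)
# Hostname, addresses and key values are assumed placeholders.

config setup
    interfaces=%defaultroute
    # NAT Traversal: home users sit behind their own NAT routers
    nat_traversal=yes
    # private ranges a remote client may present as its inner address
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=3
    pfs=yes
    # certificate-free RSA keys; each client has its own key pair
    authby=rsasig

# Security-gateway tunnel: an authenticated client is given a route to
# the office desktop LAN, so no per-user Timbuktu port forwarding is
# needed and the firewall never has to map ports to users itself.
conn home-user-1
    left=%defaultroute
    # assumed gateway identity
    leftid=@vpn.example.com
    # assumed office desktop LAN that is "advertised" to the client
    leftsubnet=192.168.10.0/24
    # placeholder; print the real one with: ipsec showhostkey --left
    leftrsasigkey=0sAQ...GATEWAY_PUBLIC_KEY
    # the client's public IP is not known in advance
    right=%any
    # assumed client identity and key; one conn per home user
    rightid=@user1.home
    rightrsasigkey=0sAQ...CLIENT1_PUBLIC_KEY
    # NAT-T: accept whatever private inner address the client has at home
    rightsubnet=vhost:%no,%priv
    # load the policy and wait for the client to initiate
    auto=add
```

The firewall's packet filter must still accept UDP 500 (IKE), UDP 4500 (NAT-T) and ESP (IP protocol 50) from the Internet; Timbuktu itself then travels only inside the tunnel, so none of its ports are exposed.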
