LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SELinux policy and Cisco vpn client (https://www.linuxquestions.org/questions/linux-security-4/selinux-policy-and-cisco-vpn-client-377424/)

NetArch 10-27-2005 10:40 AM

SELinux policy and Cisco vpn client
 
I have yet to actually sit down and dig into selinux policy, so my question is this:

Is Cisco's VPN client for Linux totally incompatible with SELinux, or is it just that no one's taken the trouble to write a policy for it? It seems totally incongruent that you have to disable a security feature of the OS in order to use a particular vendor's security application.

Thoreau 10-28-2005 03:21 AM

The client is no longer kernel dependent. I've not used it with the SELinux addon, but here are the settings to allow.

# Firewall configuration written by Cisco Systems
# Designed for the Linux VPN Client 4.6.03.0190 Virtual Adapter
# Blocks ALL traffic on eth0 except for tunneled traffic
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow all traffic in both directions through the VA adapter
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT

# Accept all encrypted VPN Client traffic in either direction on eth0
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT

-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT

-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT

# Block all other traffic in either direction on eth0
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
COMMIT


All times are GMT -5. The time now is 03:41 AM.