2006-08-03

OpenVPN and Firestarter

So, I use Firestarter to manage the firewall at home. It has its issues, of course (not all events show up in the little event viewer, for example), and I'm a little wary of using a graphical tool to manage iptables. That said, I have so little time at home that I don't really care to spend it wrestling with the firewall on my Linux box.

This is also why people buy those toys from Linksys: they require little to no effort to use. Of course, their wireless offerings should ship secure by default, with a little plastic window on the bottom of the thing containing a card with the SSID and WEP keys on it, and a stack of pre-labeled cards to write future SSID and WEP keys on.

Aaaaanyways, having set up OpenVPN at work (ethernet bridge over TCP), I needed to punch through the firewall on my box so it was worth a damn. Unfortunately, adding the VPN network to the "Hosts allowed to connect" list doesn't work, since Firestarter still blocks the output side. To fix this, you need to disable the firewall on your tap (or tun, if you're using OpenVPN in a routed configuration) interface by adding the VPN network to your "allowed hosts" bit, and then adding the following lines to /etc/firestarter/user-pre:

$IPT -A INPUT -i tap+ -j ACCEPT
$IPT -A OUTPUT -o tap+ -j ACCEPT

What that means is: "let anything coming in (INPUT/-i) or going out (OUTPUT/-o) on any tap interface through." Getting the connection to use the normal incoming/outgoing policies is the ideal case, but I didn't really research how to make that work beyond a little experimentation.
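As an added example (not from the original post), here is a user-pre fragment that generates the same two rules, and optionally a tighter variant that only accepts packets whose VPN-side address is in the VPN subnet rather than anything on the interface. It assumes Firestarter sets $IPT to the iptables binary before sourcing user-pre; the "tap" prefix and the 10.8.0.0/24 subnet are constructed sample values. It also checks with iptables -C before adding, so re-running user-pre doesn't stack duplicate rules.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and (optionally)
# applies /etc/firestarter/user-pre rules for an OpenVPN interface.
# Assumed: Firestarter sets $IPT to the iptables binary before sourcing
# user-pre; "tap" and 10.8.0.0/24 below are constructed sample values.

# vpn_rules PREFIX [CIDR]
# Print one rule per line (iptables arguments only, without $IPT).
# With a CIDR, only packets whose VPN-side address is inside that subnet
# are accepted; without one, these are exactly the blanket "anything on
# tap+" rules from the post.
vpn_rules() {
    prefix=$1
    cidr=$2
    if [ -n "$cidr" ]; then
        printf '%s\n' "-A INPUT -i ${prefix}+ -s ${cidr} -j ACCEPT"
        printf '%s\n' "-A OUTPUT -o ${prefix}+ -d ${cidr} -j ACCEPT"
    else
        printf '%s\n' "-A INPUT -i ${prefix}+ -j ACCEPT"
        printf '%s\n' "-A OUTPUT -o ${prefix}+ -j ACCEPT"
    fi
}

# apply_vpn_rules PREFIX [CIDR]
# Add each rule unless an identical one is already present (iptables -C),
# so sourcing user-pre twice does not duplicate rules. Uses $IPT when
# Firestarter has set it, otherwise plain "iptables".
apply_vpn_rules() {
    ipt=${IPT:-iptables}
    vpn_rules "$1" "$2" | while IFS= read -r rule; do
        # Same rule spec, but as a check (-C) instead of an append (-A).
        check=$(printf '%s' "$rule" | sed 's/^-A /-C /')
        # Word splitting of $rule/$check into arguments is intended here.
        if ! $ipt $check >/dev/null 2>&1; then
            $ipt $rule
        fi
    done
}

# Only touch the firewall when actually sourced by Firestarter as root;
# otherwise just print what would be added, for review.
if [ "$(id -u)" -eq 0 ] && [ -n "$IPT" ]; then
    apply_vpn_rules tap 10.8.0.0/24
else
    vpn_rules tap 10.8.0.0/24
fi
```

Run without root to see the rules it would add; dropped into user-pre, the -C check makes it safe to source repeatedly. Restricting by subnet is a small least-privilege improvement over accepting everything on the interface, but it still bypasses Firestarter's own policies for that traffic, as the post describes.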
