How to configure the firewall for VPN PPP connections?
Rick Stevens
ricks at alldigital.com
Fri Feb 20 19:51:09 UTC 2015
On 02/20/2015 11:27 AM, Gordon Messmer wrote:
> On 02/20/2015 10:00 AM, Paul Smith wrote:
>> The truth, Gordon, is that after changing the firewall configuration
>> as described in the referred site, the issue was fixed.
>
> Yes, I understand that. But it sounds like GRE was allowed previously
> because it was "RELATED" to the pptp TCP connection before a kernel
> upgrade, but afterward it required a rule to allow it unconditionally
> (which is bad).
>
> I can't test that because I don't have any PPTP servers available,
> because PPTP is very bad security-wise.
>
> It would be useful to remove the rules that you added and verify that
> the PPTP connection fails. Then, boot an older kernel which was known
> to previously work and test the connection. If it works, then there's a
> kernel bug that should be reported.
You could restrict permitting GRE to the IP of the VPN gateway if you
want more security, e.g.

# On a client host the gateway is the packet's source on INPUT, so match it with -s
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
    -p gre -s <ip-addr-of-gateway> -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 \
    -p gre -s <ip-addr-of-gateway> -j ACCEPT
firewall-cmd --reload
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks at alldigital.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- The light at the end of the tunnel is really an oncoming train. -
----------------------------------------------------------------------
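The rules above, as an added example that is not part of the original post and not firewalld's own tooling: a small POSIX shell script that picks the address family from the gateway address, emits the firewalld direct rule that accepts GRE only when the gateway is the packet source, reloads, and then lists the live direct rules so you can confirm that no unrestricted `-p gre` rule is left behind. The function names (gre_rule, addr_family, add_gre_rules, show_gre_rules), the DRY_RUN and GATEWAY variables, and the addresses 203.0.113.1 and 2001:db8::1 are assumptions chosen for the example; the script assumes the host is the PPTP client and that firewalld's direct interface is available.

```shell
#!/bin/sh
# Added example, not from the original post. Restrict inbound GRE to the
# VPN gateway with firewalld direct rules and show the result.
# Assumptions: this host is the PPTP *client* (so the gateway is the
# source address on INPUT) and firewalld with the direct interface is in use.

# run CMD...: echo the command, and execute it unless DRY_RUN=1 is set
# (DRY_RUN lets you preview the exact rules before touching the firewall).
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# addr_family ADDR -> prints ipv4 or ipv6 (rough shape check only).
addr_family() {
    case "$1" in
        *:*)      echo ipv6 ;;
        *.*.*.*)  echo ipv4 ;;
        *) echo "addr_family: unrecognised address '$1'" >&2; return 1 ;;
    esac
}

# gre_rule FAMILY GATEWAY: permanent direct rule accepting GRE (IP proto 47)
# only from GATEWAY. Note -s, not -d: on INPUT the gateway is the source.
gre_rule() {
    case "$1" in
        ipv4|ipv6) ;;
        *) echo "gre_rule: family must be ipv4 or ipv6" >&2; return 1 ;;
    esac
    run firewall-cmd --permanent --direct --add-rule "$1" filter INPUT 0 \
        -p gre -s "$2" -j ACCEPT
}

# add_gre_rules GATEWAY: add the rule for the gateway's family and reload.
add_gre_rules() {
    fam=$(addr_family "$1") || return 1
    gre_rule "$fam" "$1" || return 1
    run firewall-cmd --reload
}

# show_gre_rules: list the live direct rules. Expect a line ending in
# "-p gre -s <gateway> -j ACCEPT"; a "-p gre ... -j ACCEPT" line with no -s
# means GRE is still accepted from anywhere and should be removed with
# "firewall-cmd --permanent --direct --remove-rule ...".
show_gre_rules() {
    run firewall-cmd --direct --get-all-rules
}

# Usage (as root):  GATEWAY=203.0.113.1 sh gre-firewall.sh
# Preview only:     GATEWAY=203.0.113.1 DRY_RUN=1 sh gre-firewall.sh
if [ -n "${GATEWAY:-}" ]; then
    add_gre_rules "$GATEWAY" && show_gre_rules
fi
```

Run it once with DRY_RUN=1 to see the exact firewall-cmd invocations, then without it as root; the final listing is the check that the only GRE rule present carries the gateway's address.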