How to configure the firewall for VPN PPP connections?

Paul Smith phhs80 at gmail.com
Fri Feb 20 20:48:50 UTC 2015


On Fri, Feb 20, 2015 at 7:51 PM, Rick Stevens <ricks at alldigital.com> wrote:
>>>
>>> The truth, Gordon, is that after changing the firewall configuration
>>> as described in the referred site, the issue was fixed.
>>
>>
>> Yes, I understand that.  But it sounds like GRE was allowed previously
>> because it was "RELATED" to the pptp TCP connection before a kernel
>> upgrade, but afterward it required a rule to allow it unconditionally
>> (which is bad).
>>
>> I can't test that because I don't have any PPTP servers available,
>> because PPTP is very bad security-wise.
>>
>> It would be useful to remove the rules that you added and verify that
>> the PPTP connection fails.  Then, boot an older kernel which was known
>> to previously work and test the connection.  If it works, then there's a
>> kernel bug that should be reported.
>
>
> You could restrict permitting GRE to the IP of the VPN gateway if you
> want more security, e.g.
>
> firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -d <ip-addr-of-gateway> -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p gre -d <ip-addr-of-gateway> -j ACCEPT
> firewall-cmd --reload

Excellent idea, Rick! Thanks!

Paul
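An added example, not from the thread or from firewalld itself, of how one might script Rick's suggestion and check the result afterwards. It builds a firewalld direct rule that accepts GRE (IP protocol 47, the PPTP data channel) only from the VPN gateway, and it audits the output of `firewall-cmd --permanent --direct --get-all-rules` for the unconditional GRE ACCEPT rule that Gordon describes as bad. One caveat a practitioner would want: on the INPUT chain the gateway's address is the packet's source, so the rule here matches with `-s`; `-d` would match the local address the packet is delivered to. The gateway address 203.0.113.5 and the rule lines fed to the audit function are constructed sample data, and the `--get-all-rules` line format is an assumption about firewalld's output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): restrict inbound GRE to one
# VPN gateway with a firewalld direct rule, and audit existing direct rules.
# Assumes firewalld with the "direct" interface and iptables-style matches.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the firewall-cmd argument list accepting GRE from gateway $1 on INPUT.
# On INPUT the gateway is the packet's SOURCE, hence -s rather than -d.
gre_rule() {
    is_ipv4 "$1" || return 1
    echo "--permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -s $1 -j ACCEPT"
}

# Add the rule and reload. With DRY_RUN=1 the commands are printed, not run.
apply_gre_rule() {
    args=$(gre_rule "$1") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $args"
        echo "firewall-cmd --reload"
    else
        # word-splitting of $args into separate arguments is intended here
        firewall-cmd $args && firewall-cmd --reload
    fi
}

# Audit "firewall-cmd --permanent --direct --get-all-rules" output read from
# stdin (assumed format: "ipv4 filter INPUT 0 -p gre -s A.B.C.D -j ACCEPT").
# Prints "unrestricted" if any GRE ACCEPT rule lacks a source match,
# "restricted" if GRE is accepted only from gateway $1, "none" otherwise.
audit_gre_rules() {
    gw="$1"
    result="none"
    while IFS= read -r line; do
        case "$line" in
            *"-p gre"*"-j ACCEPT"*)
                case "$line" in
                    *"-s $gw "*) [ "$result" = unrestricted ] || result="restricted" ;;
                    *"-s "*) ;;            # limited to some other host; ignore
                    *) result="unrestricted" ;;
                esac ;;
        esac
    done
    echo "$result"
}

# Example run (constructed gateway address): print what would be executed,
# then audit a constructed rule listing.
DRY_RUN=1 apply_gre_rule 203.0.113.5
printf '%s\n' 'ipv4 filter INPUT 0 -p gre -j ACCEPT' | audit_gre_rules 203.0.113.5
```

Run the audit against the real listing with `firewall-cmd --permanent --direct --get-all-rules | audit_gre_rules <gateway>`; "unrestricted" means a GRE rule without a source match is still present and should be replaced. The ipv6 counterpart from Rick's message would follow the same pattern with `ipv6` in place of `ipv4`.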

