How to configure the firewall for VPN PPP connections?

Paul Smith phhs80 at gmail.com
Fri Feb 20 20:58:11 UTC 2015


On Fri, Feb 20, 2015 at 7:27 PM, Gordon Messmer
<gordon.messmer at gmail.com> wrote:
>>
>> The truth, Gordon, is that after changing the firewall configuration
>> as described in the referred site, the issue was fixed.
>
>
> Yes, I understand that.  But it sounds like GRE was allowed previously
> because it was "RELATED" to the pptp TCP connection before a kernel upgrade,
> but afterward it required a rule to allow it unconditionally (which is bad).
>
> I can't test that because I don't have any PPTP servers available, because
> PPTP is very bad security-wise.
>
> It would be useful to remove the rules that you added and verify that the
> PPTP connection fails.  Then, boot an older kernel which was known to
> previously work and test the connection.  If it works, then there's a kernel
> bug that should be reported.

Thanks, Gordon, for your reply.

If the issue is caused by the kernel, cannot one speculate that it is
deliberate, in order to increase security? As Rick has just suggested,
one can restrict the GRE service to certain IPs, while allowing the
GRE service globally would leave the computer less secure (as the
older versions of kernels did, if your suspicion is correct).

Paul
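
The distinction discussed in this thread (GRE accepted unconditionally, GRE restricted to certain source IPs, GRE accepted only as RELATED traffic) can be checked on a host by auditing `iptables-save` output. The script below is an added example, not code from the thread or from any poster; the sample ruleset and the address 203.0.113.10 are constructed, and it only examines INPUT rules that name GRE explicitly without negation.

```python
import shlex

# Constructed sample of `iptables-save` output (not taken from the thread).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p gre -j ACCEPT
-A INPUT -p 47 -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def option(tokens, *names):
    """Return the value that follows any of the given option names, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def classify_gre_rules(ruleset):
    """Return (rule, verdict) for each INPUT rule that explicitly accepts GRE."""
    results = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        # GRE is IP protocol 47; iptables-save may print either form.
        if option(tokens, "-p", "--protocol") not in ("gre", "47"):
            continue
        if option(tokens, "-j", "--jump") != "ACCEPT":
            continue
        source = option(tokens, "-s", "--source")
        state = option(tokens, "--ctstate", "--state")
        if state and "NEW" not in state.split(","):
            verdict = "conntrack-only"      # accepted only when tied to a tracked connection
        elif source and source != "0.0.0.0/0":
            verdict = "source-restricted"   # limited to the named peer(s)
        else:
            verdict = "unconditional"       # GRE from any host is accepted
        results.append((line, verdict))
    return results


if __name__ == "__main__":
    for rule, verdict in classify_gre_rules(SAMPLE):
        print(f"{verdict:18} {rule}")
```

On a live system, feed the function the output of `iptables-save` instead of `SAMPLE`; rules reported as `unconditional` are the ones to narrow or remove.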

