I don't have pptpd working yet on the firewall (it's crashing on tcp
connect), but I've been looking at the obsolete shorewall documentation
for running pptpd on the local firewall itself.
In my situation, I have ppp0 in my net zone, because that is my link to
the outside world (pppoe, thank you SBC :-( ). I plan to have a few
pptp tunnels coming into the firewall, which will be in the loc zone,
and pptp will be set up in a proxyarp configuration on the local lan.
I know the zones need to be ordered, and they are, but the following bit
worries me... I have rules like FORWARD that have snippets in them:
Chain FORWARD (policy DROP 28 packets, 3746 bytes)
target     prot opt in     out     source               destination
TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
eth0_fwd   all  --  eth0   any     anywhere             anywhere
eth1_fwd   all  --  eth1   any     anywhere             anywhere
eth2_fwd   all  --  eth2   any     anywhere             anywhere
ath0_fwd   all  --  ath0   any     anywhere             anywhere
ppp0_fwd   all  --  ppp0   any     anywhere             anywhere
ppp_fwd    all  --  ppp+   any     anywhere             anywhere
Reject     all  --  any    any     anywhere             anywhere
ULOG       all  --  any    any     anywhere             anywhere
reject     all  --  any    any     anywhere             anywhere
ppp0 will be processed for all packets being forwarded by ppp0 (which is
in net)... but if none of the rules in net2<whatever> actually trigger,
then this rule falls through to the ppp+ rule, which will get the
loc2<whatever> rules, which are obviously less restrictive. This can't
be allowed to happen.
Is there any "polite" way in shorewall to introduce a rule at the start
of ppp_fwd, ppp_in, and ppp_out to do a "RETURN" if the interface in
question is ppp0, or better yet, is there a syntax I can use in
iptables/shorewall to say ppp+,!ppp0 so the ppp_in/out/fwd rules never
even get called?
Tom, should I be using hosts syntax at this point? If so, got any
suggestions (I only have one small range of IP addresses that are in the
pptp pool).
Paul
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
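The fallthrough Paul describes comes from how iptables matches interface names: a trailing "+" is a prefix wildcard, so "-i ppp+" matches ppp0 as well as ppp1, ppp2 and so on. The following is an added illustration, not code from the post, from Shorewall or from iptables. It models chain traversal for the FORWARD chain shown above, with assumed contents for the per-interface chains (ppp0_fwd has no rule that matches the packet, ppp_fwd is permissive), and shows that a RETURN guard for ppp0 at the head of ppp_fwd stops a ppp0 packet from being judged by the loc rules. A single iptables rule accepts only one "-i" match, so "ppp+,!ppp0" cannot be written directly; the RETURN guard is the usual substitute.

```python
"""Model of iptables chain traversal with interface wildcards.

Constructed example. Chain names mirror the FORWARD listing in the post;
the rules inside eth0_fwd, ppp0_fwd and ppp_fwd are assumptions made for
illustration, not the poster's real ruleset.
"""

from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def iface_matches(pattern: str, iface: str) -> bool:
    """iptables semantics: 'any' matches all, a trailing '+' is a prefix match."""
    if pattern == "any":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


@dataclass
class Rule:
    in_iface: str     # '-i' pattern: "ppp0", "ppp+", "any"
    target: str       # ACCEPT/DROP/REJECT, RETURN, or a user-defined chain


def _walk(chains: dict, chain: str, iface: str, trace: list):
    """Walk one chain; return a terminal verdict, or None if the chain was exhausted or RETURNed."""
    for rule in chains[chain]:
        if not iface_matches(rule.in_iface, iface):
            continue
        trace.append(f"{chain}: -i {rule.in_iface} -j {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None                      # back to the calling chain
        result = _walk(chains, rule.target, iface, trace)   # jump into user chain
        if result is not None:
            return result
    return None                              # fell off the end: caller continues


def verdict(chains: dict, iface: str, policy: str = "DROP", trace: list = None) -> str:
    """Verdict for a forwarded packet arriving on `iface`; built-in policy applies if nothing matched."""
    if trace is None:
        trace = []
    result = _walk(chains, "FORWARD", iface, trace)
    return result if result is not None else policy


def build_chains(guard: bool) -> dict:
    """Chains in the order of the post's FORWARD listing.

    guard=True inserts the assumed fix: '-i ppp0 -j RETURN' at the head of ppp_fwd,
    so ppp0 traffic never reaches the loc-zone rules held in ppp_fwd.
    """
    ppp_fwd = [Rule("any", "ACCEPT")]        # assumed: permissive loc2* rule
    if guard:
        ppp_fwd.insert(0, Rule("ppp0", "RETURN"))
    return {
        "FORWARD": [
            Rule("eth0", "eth0_fwd"),
            Rule("ppp0", "ppp0_fwd"),        # net zone, listed first as it must be
            Rule("ppp+", "ppp_fwd"),         # loc zone, but '+' also matches ppp0
            Rule("any", "REJECT"),           # stands in for Shorewall's Reject chain
        ],
        "eth0_fwd": [],
        "ppp0_fwd": [],                      # assumed: no net2* rule matches this packet
        "ppp_fwd": ppp_fwd,
    }


if __name__ == "__main__":
    for guard in (False, True):
        for iface in ("ppp0", "ppp1"):
            trace = []
            v = verdict(build_chains(guard), iface, trace=trace)
            print(f"guard={guard!s:5} iface={iface}: {v}  via " + " -> ".join(trace))
```

Without the guard the ppp0 packet exhausts ppp0_fwd, returns to FORWARD, matches "ppp+" and is accepted by the loc rules; with the guard it returns immediately from ppp_fwd and reaches the Reject entry instead, while ppp1 traffic still gets the loc treatment.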