On Sunday 29 January 2006 09:26, Paul Traina wrote:
> I don't have pptpd working yet on the firewall (it's crashing on tcp
> connect), but I've been looking at the obsolete shorewall documentation
> for running pptpd on the local firewall itself.
>
> In my situation, I have ppp0 in my net zone, because that is my link to
> the outside world (pppoe, thank you SBC :-( ). I plan to have a few
> pptp tunnels coming into the firewall, which will be in the loc zone,
> and pptp will be set up in a proxyarp configuration on the local lan.
>
> I know the zones need to be ordered, and they are, but the following bit
> worries me... I have rules like FORWARD that have snippets in them:
>
> Chain FORWARD (policy DROP 28 packets, 3746 bytes)
> target     prot opt in     out    source     destination
> TCPMSS     tcp  --  any    any    anywhere   anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> eth0_fwd   all  --  eth0   any    anywhere   anywhere
> eth1_fwd   all  --  eth1   any    anywhere   anywhere
> eth2_fwd   all  --  eth2   any    anywhere   anywhere
> ath0_fwd   all  --  ath0   any    anywhere   anywhere
> ppp0_fwd   all  --  ppp0   any    anywhere   anywhere
> ppp_fwd    all  --  ppp+   any    anywhere   anywhere
> Reject     all  --  any    any    anywhere   anywhere
> ULOG       all  --  any    any    anywhere   anywhere
> reject     all  --  any    any    anywhere   anywhere
>
> ppp0 will be processed for all packets being forwarded by ppp0 (which is
> in net)... but if none of the rules in net2<whatever> actually trigger,
> then this rule falls through to the ppp+ rule, which will get the
> loc2<whatever> rules, which are obviously less restrictive. This can't
> be allowed to happen.
That will never happen unless you are using CONTINUE policies for
net2<whatever>.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
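The reason Tom's answer holds is a property of netfilter chain traversal rather than of Shorewall's rule ordering: a jump into a user chain (here ppp0_fwd -> net2loc) only returns to the calling chain if the user chain runs off its end without issuing a verdict, and Shorewall normally puts the zone policy (DROP, REJECT or ACCEPT) as the terminating last rule of net2loc. Only a CONTINUE policy omits that terminating rule, which is exactly the case where the packet comes back to FORWARD and hits the ppp+ rule. The following is an added example, not Shorewall or iptables code and not from either poster: a small Python model of that traversal, with a FORWARD chain built from the listing above and assumed net2loc / loc2loc contents (a single assumed pptp ACCEPT rule on tcp/1723 in net2loc, loc2loc wide open) so the two policy cases can be compared.

```python
"""
Toy model of netfilter chain traversal (added example; not Shorewall or
iptables code).  Chain contents other than FORWARD are assumptions made
for illustration.

Semantics modelled:
  * a rule whose target is a user chain is a jump; if that chain finishes
    without a verdict, traversal resumes at the next rule of the caller;
  * ACCEPT / DROP / REJECT are terminating verdicts;
  * Shorewall encodes a zone policy as a trailing terminating rule in the
    policy chain (net2loc); a CONTINUE policy is modelled as the absence
    of that trailing rule.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    in_if: str = "any"          # "any", an interface name, or a glob like "ppp+"
    proto: str = "any"
    dport: Optional[int] = None


@dataclass
class Packet:
    in_if: str
    proto: str
    dport: int


def iface_match(pattern: str, iface: str) -> bool:
    """iptables-style interface match: trailing '+' is a prefix wildcard."""
    if pattern == "any":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def rule_match(rule: Rule, pkt: Packet) -> bool:
    return (iface_match(rule.in_if, pkt.in_if)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def traverse(chains, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
    """Walk one chain; return a terminating verdict or None if it fell off the end."""
    for rule in chains[chain]:
        if not rule_match(rule, pkt):
            continue
        trace.append(f"{chain}:{rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target in chains:
            verdict = traverse(chains, rule.target, pkt, trace)
            if verdict is not None:
                return verdict
            # user chain returned with no verdict: continue with the next rule here
    return None


def build_chains(net2loc_policy: str):
    """net2loc_policy is 'DROP'/'REJECT'/'ACCEPT', or 'CONTINUE' (no trailing rule)."""
    net2loc = [Rule("ACCEPT", proto="tcp", dport=1723)]   # assumed pptp rule
    if net2loc_policy != "CONTINUE":
        net2loc.append(Rule(net2loc_policy))              # the zone policy
    return {
        "FORWARD": [
            Rule("ppp0_fwd", in_if="ppp0"),
            Rule("ppp_fwd", in_if="ppp+"),    # also matches ppp0, hence the worry
            Rule("Reject"),
        ],
        "ppp0_fwd": [Rule("net2loc")],
        "ppp_fwd": [Rule("loc2loc")],
        "net2loc": net2loc,
        "loc2loc": [Rule("ACCEPT")],          # assumed: loc2loc is wide open
        "Reject": [Rule("REJECT")],
    }


def forward_verdict(net2loc_policy: str, pkt: Packet) -> Tuple[str, List[str]]:
    """Verdict for a forwarded packet plus the chain/target path it took."""
    trace: List[str] = []
    verdict = traverse(build_chains(net2loc_policy), "FORWARD", pkt, trace)
    if verdict is None:                       # built-in FORWARD policy is DROP
        verdict = "DROP"
        trace.append("FORWARD:policy DROP")
    return verdict, trace


if __name__ == "__main__":
    ssh_from_net = Packet(in_if="ppp0", proto="tcp", dport=22)   # constructed sample
    for policy in ("DROP", "CONTINUE"):
        print(policy, forward_verdict(policy, ssh_from_net))
```

With a DROP policy the trace stops inside net2loc and the ppp+ rule in FORWARD is never consulted; with CONTINUE the same packet returns to FORWARD, matches ppp_fwd and is accepted by loc2loc, which is the fall-through Paul was worried about. A quick real-world check of which case you are in is `shorewall show net2loc` (or `iptables -L net2loc -nv`) and confirming the chain ends in a terminating target.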
