[pptp-server] ipchains rules assessment

Geoff Nordli geoff at gnaa.net
Fri Oct 22 16:55:16 CDT 1999


Are these rules really safe:

####  SET DEFAULT RULES TO DENY
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
####  ALLOW ALL PORTS ON THE INTERNAL INTERFACE
ipchains -A input -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
ipchains -A forward -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
####  ALLOW AND FORWARD INCOMING VPN PACKETS
ipchains -A input -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
ipchains -A input -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
ipchains -A forward -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
ipchains -A forward -p tcp -s <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
ipchains -A forward -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
ipchains -A forward -p 47 -s <EXTERNAL IP ADDRESS> -j ACCEPT

My interpretation is that any packet that shows up on the
outside interface will be allowed through the firewalling
system, and is vulnerable to spoofing.  Is this so?

I added these rules with an -I to put them at the top of the list:

ipchains -I input -s <internal network> -i <ext interface> -j DENY
ipchains -I input -d <internal network> -i <ext interface> -j DENY


Packets that show up on the external interface with a destination or
source of the internal network get denied.

Is there anything else that I should be looking for?  Currently this
box is only there to handle the PPTP duties.

thanks,

Geoff Nordli
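The following is an added example, not part of the original post: a small simulator of ipchains first-match semantics that replays the poster's input chain, once without and once with the two "-I ... -j DENY" rules, and reports the verdict for a packet that arrives on the external interface carrying a spoofed internal source address. The addresses 192.168.1.0/24 and 203.0.113.10, the interface names eth0/eth1 and the sample packets are constructed stand-ins for the <INTERNAL IP ADDRESS>/24, <EXTERNAL IP ADDRESS> and <ext interface> placeholders in the post; nothing here talks to a real kernel.

```python
"""Simulator for the ipchains input chain from the post (added example, not
the poster's own code). Models -P (policy), -A (append), -I (insert at head)
and first-match evaluation, so the effect of the anti-spoofing rules can be
checked without a 2.2 kernel."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the post's placeholders.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # <INTERNAL IP ADDRESS>/24
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")     # <EXTERNAL IP ADDRESS>
EXT_IFACE = "eth0"                                     # <ext interface>
INT_IFACE = "eth1"


@dataclass
class Packet:
    iface: str                  # interface the packet arrived on (-i on the input chain)
    proto: str                  # "tcp", "udp" or "gre" (protocol 47 in the post)
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    """One ipchains rule; an option left as None was not given and matches anything."""
    target: str                                   # -j ACCEPT / DENY
    src: Optional[ipaddress.IPv4Network] = None   # -s
    dst: Optional[ipaddress.IPv4Network] = None   # -d
    proto: Optional[str] = None                   # -p
    iface: Optional[str] = None                   # -i
    sport: Optional[int] = None                   # port following -s
    dport: Optional[int] = None                   # port following -d

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        return all([
            self.src is None or src in self.src,
            self.dst is None or dst in self.dst,
            self.proto is None or pkt.proto == self.proto,
            self.iface is None or pkt.iface == self.iface,
            self.sport is None or pkt.sport == self.sport,
            self.dport is None or pkt.dport == self.dport,
        ])


class Chain:
    """First matching rule wins; the policy (-P) applies when nothing matches."""

    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:      # ipchains -A
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:      # ipchains -I with no position: head of chain
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def host(ip: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")


def build_input_chain(with_antispoof: bool) -> Chain:
    """The post's input chain, in the order the commands were issued."""
    chain = Chain(policy="DENY")
    chain.append(Rule("ACCEPT", src=INTERNAL_NET))                                 # -s internal/24
    chain.append(Rule("ACCEPT", proto="tcp", dst=host(EXTERNAL_IP), dport=1723))  # PPTP control
    chain.append(Rule("ACCEPT", proto="gre", dst=host(EXTERNAL_IP)))               # -p 47
    if with_antispoof:
        # The two -I rules from the post, which land ahead of everything above.
        chain.insert(Rule("DENY", src=INTERNAL_NET, iface=EXT_IFACE))
        chain.insert(Rule("DENY", dst=INTERNAL_NET, iface=EXT_IFACE))
    return chain


def verdicts(pkt: Packet) -> Tuple[str, str]:
    """(verdict without the -I rules, verdict with them)."""
    return (build_input_chain(False).verdict(pkt), build_input_chain(True).verdict(pkt))


# Constructed sample traffic.
SPOOFED = Packet(EXT_IFACE, "tcp", "192.168.1.5", "192.168.1.1", sport=40000, dport=22)
VPN_CONTROL = Packet(EXT_IFACE, "tcp", "198.51.100.7", str(EXTERNAL_IP), sport=40000, dport=1723)
VPN_GRE = Packet(EXT_IFACE, "gre", "198.51.100.7", str(EXTERNAL_IP))
LAN = Packet(INT_IFACE, "tcp", "192.168.1.5", "192.168.1.1", sport=40000, dport=22)
PROBE = Packet(EXT_IFACE, "tcp", "198.51.100.7", str(EXTERNAL_IP), sport=40000, dport=22)

if __name__ == "__main__":
    samples = [("spoofed", SPOOFED), ("vpn tcp/1723", VPN_CONTROL),
               ("vpn gre", VPN_GRE), ("lan", LAN), ("probe tcp/22", PROBE)]
    for name, pkt in samples:
        before, after = verdicts(pkt)
        print(f"{name:14s} without -I rules: {before:6s}  with -I rules: {after}")
```

Running it shows the point of the poster's question: the "-s internal/24 -j ACCEPT" rule carries no "-i", so a packet arriving on the external interface with a forged internal source is accepted until the "-I ... -i <ext interface> -j DENY" rule is placed ahead of it, while the legitimate PPTP control (tcp/1723) and GRE packets and the LAN traffic are unaffected. The second -I rule (destination internal, external interface) is only harmless when the internal range is not routable from outside, as with private addresses behind masquerading; if the external side can legitimately send packets addressed directly to internal hosts, that rule would drop them.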