[pptp-server] ipchains rules assessment
Geoff Nordli
geoff at gnaa.net
Fri Oct 22 16:55:16 CDT 1999
Are these rules really safe?
#### SET DEFAULT RULES TO DENY
/sbin/ipchains -P input DENY
/sbin/ipchains -P forward DENY
#### ALLOW ALL PORTS ON THE INTERNAL INTERFACE
ipchains -A input -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
ipchains -A forward -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
#### ALLOW AND FORWARD INCOMING VPN PACKETS
ipchains -A input -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
ipchains -A input -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
ipchains -A forward -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
ipchains -A forward -p tcp -s <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
ipchains -A forward -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
ipchains -A forward -p 47 -s <EXTERNAL IP ADDRESS> -j ACCEPT
My interpretation is that any packet that shows up on the
outside interface will be allowed through the firewalling
system, and is vulnerable to spoofing. Is this so?
I added these rules with an -I to put them at the top of the list:
ipchains -I input -s <internal network> -i <ext interface> -j DENY
ipchains -I input -d <internal network> -i <ext interface> -j DENY
Packets that show up on the external interface with a destination or
source of the internal network get denied.
Is there anything else that I should be looking for? Currently this
box is only there to handle the PPTP duties.
thanks,
Geoff Nordli
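As an added example (not part of Geoff's post), here is the same ruleset written so that every address-based rule is also bound to the interface it belongs on, with the anti-spoofing denies first in the input chain so an internal source address arriving on the external interface is logged and dropped before any accept rule sees it. Interface names and addresses are assumed placeholders, and the default IPCHAINS=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: PPTP server ruleset with interface-bound rules.
# All names and addresses below are assumed placeholders.
EXT_IF=${EXT_IF:-eth0}                  # assumed external interface
INT_IF=${INT_IF:-eth1}                  # assumed internal interface
EXT_IP=${EXT_IP:-203.0.113.10}          # assumed external address
INT_NET=${INT_NET:-192.168.1.0/24}      # assumed internal network
# Dry run by default: print the commands instead of loading them.
# Set IPCHAINS=/sbin/ipchains on a real ipchains host to apply them.
IPCHAINS=${IPCHAINS:-echo /sbin/ipchains}

pptp_rules() {
    # Default policy: drop anything not explicitly allowed.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    # Anti-spoofing goes first: the internal network can never legitimately
    # be the source or destination of a packet arriving on the external
    # interface. -l logs the match to the kernel log so spoofing is visible.
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY
    $IPCHAINS -A input -i "$EXT_IF" -d "$INT_NET" -l -j DENY
    # Loopback traffic.
    $IPCHAINS -A input -i lo -j ACCEPT
    # Internal hosts are trusted only when they arrive on the internal
    # interface, not merely because of their source address.
    $IPCHAINS -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # Spoofed internal-source packets from outside were already dropped in
    # the input chain, which ipchains traverses before forward.
    $IPCHAINS -A forward -s "$INT_NET" -j ACCEPT
    # PPTP control channel (TCP/1723) and GRE (IP protocol 47) are the only
    # services exposed on the external interface.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 1723 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p 47 -d "$EXT_IP" -j ACCEPT
}

pptp_rules
```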