[pptp-server] ipchains rules assessment

tmk tmk at netmagic.net
Fri Oct 22 18:46:36 CDT 1999


If you choose your internal network numbers from the known reserved ranges
(i.e. 192.168.0.* or 172.16.*.*, etc.) then you won't have to worry about
packets in or out of your external network, since the routers on the net
won't forward them. But it's a good idea to be safe. Just in case, I have a
rule:

ipchains -I output -s <internal net/netmask> -i <ext i/f> -j REJECT

which prevents packets from inside getting out by accident.


On Fri, 22 Oct 1999, Geoff Nordli wrote:

> Are these rules really safe:
> 
> 1)  ####  SET DEFAULT RULES TO DENY
> 2)  /sbin/ipchains -P input DENY
> 3)  /sbin/ipchains -P forward DENY
> 4)  ####  ALLOW ALL PORTS ON THE INTERNAL INTERFACE
> 5)  ipchains -A input -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
> 6)  ipchains -A forward -s <INTERNAL IP ADDRESS>/24 -j ACCEPT
> 7)  ####  ALLOW AND FORWARD INCOMING VPN PACKETS
> 8)  ipchains -A input -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
> 9)  ipchains -A input -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
> 10)  ipchains -A forward -p tcp -d <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
> 11)  ipchains -A forward -p tcp -s <EXTERNAL IP ADDRESS> 1723 -j ACCEPT
> 13)  ipchains -A forward -p 47 -d <EXTERNAL IP ADDRESS> -j ACCEPT
> 14)  ipchains -A forward -p 47 -s <EXTERNAL IP ADDRESS> -j ACCEPT
> 
> My interpretation is that any packet that shows up on the
> outside interface will be allowed through the firewalling
> system, and is vulnerable to spoofing.  Is this so?

No, only packets with proto 47 (GRE) or on TCP port 1723 will be allowed
through the firewalling, since anything that doesn't match the above will
get denied. Anything on internal interfaces will be allowed.

Kevin
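The following is an added example, not part of the thread above: a small first-match evaluator that models the quoted input chain (rules 5, 8 and 9 with policy DENY) and compares it with the same chain after an interface-bound anti-spoof rule is inserted first, the same idea as the `-i <ext i/f>` REJECT rule in the reply, applied to the input chain. The addresses, interface names and packets are constructed placeholders, and the matcher is a simplified model of ipchains semantics (first matching rule decides, otherwise the chain policy); it is not ipchains code.

```python
"""Constructed model of ipchains-style first-match evaluation.

Shows how the quoted input chain treats a packet that arrives on the
external interface carrying a spoofed internal source address, and how
an interface-bound anti-spoof rule inserted first changes the verdict.
All values below are placeholders chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Placeholder addressing (RFC 5737 documentation ranges on the outside).
INTERNAL_NET = ip_network("192.168.1.0/24")   # stands in for <INTERNAL IP ADDRESS>/24
EXTERNAL_IP = ip_address("203.0.113.10")      # stands in for <EXTERNAL IP ADDRESS>
INT_IF, EXT_IF = "eth0", "eth1"               # internal / external interface names


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                 # interface the packet arrived on
    proto: str                 # "tcp", "udp", "gre" (IP protocol 47), ...
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                                # ACCEPT / DENY / REJECT
    src: Optional[IPv4Network] = None          # -s
    dst: Optional[IPv4Address] = None          # -d
    iface: Optional[str] = None                # -i
    proto: Optional[str] = None                # -p
    dport: Optional[int] = None                # port given after -d

    def matches(self, p: Packet) -> bool:
        """Every specified selector must match; unspecified ones are wildcards."""
        return ((self.src is None or ip_address(p.src) in self.src)
                and (self.dst is None or ip_address(p.dst) == self.dst)
                and (self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


def evaluate(chain: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides, as ipchains does; else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The quoted input chain: rules 5, 8 and 9, with policy DENY (rule 2).
QUOTED_INPUT: List[Rule] = [
    Rule("ACCEPT", src=INTERNAL_NET),                           # 5) source only, no -i
    Rule("ACCEPT", proto="tcp", dst=EXTERNAL_IP, dport=1723),   # 8) PPTP control
    Rule("ACCEPT", proto="gre", dst=EXTERNAL_IP),               # 9) GRE tunnel traffic
]

# Same chain with an anti-spoof rule inserted first, i.e. the effect of
#   ipchains -I input -s <internal net/netmask> -i <ext i/f> -j DENY
# (assumed counterpart, on the input chain, of the reply's output-chain rule).
HARDENED_INPUT: List[Rule] = [Rule("DENY", src=INTERNAL_NET, iface=EXT_IF)] + QUOTED_INPUT


def spoofed_packet() -> Packet:
    """Constructed packet: internal source address, but seen on the external interface."""
    return Packet(src="192.168.1.50", dst=str(EXTERNAL_IP), iface=EXT_IF, proto="tcp", dport=22)


def verdicts() -> Dict[str, Tuple[str, str]]:
    """(quoted chain verdict, hardened chain verdict) for a few constructed packets."""
    cases = {
        "lan_client":      Packet("192.168.1.50", "203.0.113.10", INT_IF, "tcp", 22),
        "vpn_control":     Packet("198.51.100.7", "203.0.113.10", EXT_IF, "tcp", 1723),
        "vpn_gre":         Packet("198.51.100.7", "203.0.113.10", EXT_IF, "gre"),
        "stray_ssh":       Packet("198.51.100.7", "203.0.113.10", EXT_IF, "tcp", 22),
        "spoofed_lan_src": spoofed_packet(),
    }
    return {name: (evaluate(QUOTED_INPUT, "DENY", p), evaluate(HARDENED_INPUT, "DENY", p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (quoted, hardened) in verdicts().items():
        print(f"{name:16s} quoted={quoted:6s} hardened={hardened}")
```

The point the model makes visible is that rule 5 selects on source address alone, so the chain cannot tell a genuine LAN packet from one arriving on the outside interface with the same source range; binding the anti-spoof rule to the external interface restores that distinction while leaving the PPTP (1723) and GRE rules unchanged.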




