Jamin

I've been using your firewall script for years, and have established a major superstructure around it. Thank you so very much for a reliable and easy to use interface to iptables.

In your script, there's a sequence :

   #Check for spoofing protection
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
     for f in /proc/sys/net/ipv4/conf/*/rp_filter
       do
        if [ 1 != "`cat $f`" ]; then
          echo "No Spoofing Protection - Set " $f " = 1"
        fi
       done
    else
       echo "Kernel does not have spoofing protection support"
       exit 1
    fi



In the environment I'm running in, I think that test is too inclusive. When I add a PoPToP server (or other VPN server), the global setting of rp_filter=1 means that my vpn client cannot see my internal network. I am not sure why this is true, but when I turned it off for my PoPToP connection (known as ppp0), I could see my internal machines from my PPTP connection.

I'm playing with Openswan now, and their advice to turn "rp_filter" off caused me to re-examine this segment of your script.

In my case, I have exactly one "unprotected" connection -- the WAN connection to the internet. I am positive that I want the rp_filter=1 for that connection, but believe I do not want it for others, especially the dynamic adaptors created when a PPTP or OpenSwan connect is made.

In my copy of your script, I have changed the above code to read:

  #Check for spoofing protection
  # Modified by D Kurn (2013-06-23) to filter only on external interfaces
  # Assumes other interfaces are trustworthy and won't try spoofing
  #
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for EXT_INTERFACE in $EXT_INTERFACES
      do
       # per-interface knobs live under conf/<interface>/, not directly under ipv4/
       f=/proc/sys/net/ipv4/conf/$EXT_INTERFACE/rp_filter
       if [ ! -r "$f" ] ; then
         echo "No rp_filter entry for $EXT_INTERFACE ($f missing - interface down or misnamed?)"
       elif [ 1 != "`cat $f`" ] ; then
         echo "No Spoofing Protection on $EXT_INTERFACE - set $f = 1"
       fi
      done
  else
    echo "Kernel does not have spoofing protection support"
    exit 1
  fi




Did I do it properly?  Is this the right thing to do?

David Kurn
San Francisco
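An added example (neither Jamin's script nor the modification quoted above) of the per-interface audit the message is after, written so it can be dry-run against a fake directory tree. One point the per-interface loop does not cover is that the kernel applies the larger of conf/all/rp_filter and conf/<interface>/rp_filter when it validates a source address, so conf/all/rp_filter=1 keeps strict checking in force on ppp0 even after the per-interface knob is cleared; that behaviour is consistent with the VPN symptom described, and the audit below reports it. Kernels from 2.6.31 on also accept the value 2 (loose mode, RFC 3704), which is usually a better fit for asymmetric VPN routes than switching the check off; the audit treats 2 as "not strict" on VPN interfaces but, like the original script, insists on exactly 1 on the external ones. The variable names EXT_INTERFACES, VPN_INTERFACES and RPF_BASE and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: audit rp_filter
# per interface. Strict (1) is required on the external interfaces; strict must
# NOT be in effect on the VPN interfaces. The kernel enforces
# max(conf/all/rp_filter, conf/<if>/rp_filter), so both knobs are read.
# EXT_INTERFACES, VPN_INTERFACES, RPF_BASE and the function names are
# assumptions of this example. RPF_BASE can point at a fake tree for a dry run.

RPF_BASE="${RPF_BASE:-/proc/sys/net/ipv4/conf}"

# rpf_get <iface>: print the interface's rp_filter value, or "missing".
rpf_get() {
    f="$RPF_BASE/$1/rp_filter"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# rpf_effective <iface>: the value the kernel actually applies to <iface>,
# i.e. the larger of conf/all and conf/<iface> (a missing file counts as 0).
rpf_effective() {
    a=$(rpf_get all)
    i=$(rpf_get "$1")
    if [ "$a" = missing ]; then a=0; fi
    if [ "$i" = missing ]; then i=0; fi
    if [ "$a" -gt "$i" ]; then
        echo "$a"
    else
        echo "$i"
    fi
}

# rpf_audit "<ext ifaces>" "<vpn ifaces>": print every problem; return 0 when
# all external interfaces are strict and no VPN interface is, 1 otherwise,
# 2 when the kernel has no rp_filter support at all.
rpf_audit() {
    if [ ! -e "$RPF_BASE/all/rp_filter" ]; then
        echo "Kernel does not have spoofing protection support"
        return 2
    fi
    rc=0
    for dev in $1; do
        if [ "$(rpf_effective "$dev")" != 1 ]; then
            echo "No spoofing protection on $dev - set $RPF_BASE/$dev/rp_filter = 1"
            rc=1
        fi
    done
    for dev in $2; do
        if [ "$(rpf_effective "$dev")" = 1 ]; then
            echo "Strict rp_filter in effect on $dev (all=$(rpf_get all), $dev=$(rpf_get "$dev")): VPN replies will be dropped"
            rc=1
        fi
    done
    return $rc
}

# Run the audit when invoked as a script with the interface lists set, e.g.
#   EXT_INTERFACES="eth0" VPN_INTERFACES="ppp0 ipsec0" sh rpf_audit.sh
if [ -n "$EXT_INTERFACES" ]; then
    rpf_audit "$EXT_INTERFACES" "$VPN_INTERFACES"
fi
```

To change settings rather than audit them, write the same paths (echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter) or use sysctl net.ipv4.conf.<interface>.rp_filter; for the PPTP/Openswan layout described above the two workable configurations are conf/all/rp_filter=0 with 1 on the WAN interface only, or loose mode (2) on kernels that support it.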



--
To UNSUBSCRIBE, email to firewall-requ...@asgardsrealm.net with a subject of "unsubscribe". Trouble? Contact li...@asgardsrealm.net
List archives:  http://asgardsrealm.net/lurker/splash/index.html
