Jamin
I've been using your firewall script for years, and have established
a major superstructure around it. Thank you so very much for a
reliable and easy to use interface to iptables.
In your script, there's a sequence:
#Check for spoofing protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        if [ 1 != "`cat $f`" ]; then
            echo "No Spoofing Protection - Set " $f " = 1"
        fi
    done
else
    echo "Kernel does not have spoofing protection support"
    exit 1
fi
In the environment I'm running in, I think that test is too
inclusive. When I add a PoPToP server (or other VPN server), the
global setting of rp_filter=1 means that my vpn client cannot see my
internal network. I am not sure why this is true, but when I turned
it off for my PoPToP connection (known as ppp0), I could see my
internal machines from my PPTP connection.
I'm playing with Openswan now, and their advice to turn "rp_filter"
off caused me to re-examine this segment of your script.
In my case, I have exactly one "unprotected" connection -- the WAN
connection to the internet. I am positive that I want the
rp_filter=1 for that connection, but believe I do not want it for
others, especially the dynamic adaptors created when a PPTP or
OpenSwan connection is made.
In my copy of your script, I have changed the above code to read:
#Check for spoofing protection
# Modified by D Kurn (2013-06-23) to filter only on external interfaces
# Assumes other interfaces are trustworthy and won't try spoofing
#
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for EXT_INTERFACE in $EXT_INTERFACES
    do
        # per-interface setting lives under conf/, e.g. /proc/sys/net/ipv4/conf/eth0/rp_filter
        f=/proc/sys/net/ipv4/conf/$EXT_INTERFACE/rp_filter
        if [ 1 != "`cat $f`" ] ; then
            echo "No Spoofing Protection on $EXT_INTERFACE - set $f = 1"
        fi
    done
else
    echo "Kernel does not have spoofing protection support"
    exit 1
fi
Did I do it properly? Is this the right thing to do?
David Kurn
San Francisco
--
To UNSUBSCRIBE, email to firewall-requ...@asgardsrealm.net
with a subject of "unsubscribe". Trouble? Contact li...@asgardsrealm.net
List archives: http://asgardsrealm.net/lurker/splash/index.html
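An added example, not code from the firewall script or from either poster, showing how to check rp_filter per interface the way the kernel applies it. Two facts from the kernel's ip-sysctl documentation are relied on: rp_filter takes the values 0 (off), 1 (strict reverse-path check) and 2 (loose check), and the value enforced on an interface is the maximum of conf/all/rp_filter and conf/<interface>/rp_filter, so a per-interface 0 on ppp0 has no effect while conf/all is 1. The PROC_NET variable, the build_tree helper and the eth0/ppp0 values it writes are assumptions of this example, used so the check can run against a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example: per-interface rp_filter check that honours the kernel's
# "max(conf/all, conf/<iface>)" rule. rp_filter modes: 0 off, 1 strict, 2 loose.
# PROC_NET (an assumption of this example) points at the directory holding
# conf/*/rp_filter; override it to test against a constructed tree.
PROC_NET=${PROC_NET:-/proc/sys/net/ipv4}

# effective_rp_filter IFACE: print the mode the kernel enforces on IFACE.
effective_rp_filter() {
    all=$(cat "$PROC_NET/conf/all/rp_filter" 2>/dev/null) || return 1
    per=$(cat "$PROC_NET/conf/$1/rp_filter" 2>/dev/null) || return 1
    if [ "$all" -gt "$per" ]; then echo "$all"; else echo "$per"; fi
}

# check_rp_filter "EXT_IFACES" "VPN_IFACES": external interfaces must be
# strict (1); tunnel interfaces must not be strict (0 or 2), otherwise packets
# whose reverse route points out a different interface are dropped.
# Returns 0 when every interface matches, 1 on findings, 2 without rp_filter.
check_rp_filter() {
    rc=0
    if [ ! -e "$PROC_NET/conf/all/rp_filter" ]; then
        echo "Kernel does not have spoofing protection support"
        return 2
    fi
    for i in $1; do
        v=$(effective_rp_filter "$i") || { echo "$i: no rp_filter entry (down or absent)"; rc=1; continue; }
        if [ "$v" != 1 ]; then
            echo "No Spoofing Protection on $i - effective rp_filter=$v, want 1"
            rc=1
        fi
    done
    for i in $2; do
        v=$(effective_rp_filter "$i") || { echo "$i: no rp_filter entry (down or absent)"; rc=1; continue; }
        if [ "$v" = 1 ]; then
            echo "$i: effective rp_filter=1 (conf/all wins); set conf/all/rp_filter=0 and conf/$i/rp_filter to 0 or 2"
            rc=1
        fi
    done
    return $rc
}

# build_tree DIR ALL ETH0 PPP0: constructed stand-in for /proc/sys/net/ipv4
# with three entries (all, eth0, ppp0), used for the demo and for offline tests.
build_tree() {
    for d in all eth0 ppp0; do mkdir -p "$1/conf/$d"; done
    echo "$2" > "$1/conf/all/rp_filter"
    echo "$3" > "$1/conf/eth0/rp_filter"
    echo "$4" > "$1/conf/ppp0/rp_filter"
}

# Demo: the situation from the post (all=1, ppp0=0 has no effect), then the fix.
demo_dir=$(mktemp -d)
PROC_NET=$demo_dir
build_tree "$demo_dir" 1 1 0
echo "-- all=1, eth0=1, ppp0=0:"
check_rp_filter "eth0" "ppp0" || echo "(findings, rc=$?)"
build_tree "$demo_dir" 0 1 2
echo "-- all=0, eth0=1, ppp0=2:"
check_rp_filter "eth0" "ppp0" && echo "(all interfaces as expected)"
rm -rf "$demo_dir"
PROC_NET=/proc/sys/net/ipv4
```

Run it with `sh` to see both scenarios; to inspect a live box, call `check_rp_filter "eth0" "ppp0"` with PROC_NET left at its default. The second tree is the shape that satisfies the post's goal: strict filtering stays on the WAN interface while the tunnel interface is loose, which is only possible once conf/all is lowered, since a per-interface value can raise the effective mode but never lower it.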