[strongSwan] firewall issue?

Dennis Jacobfeuerborn dennisml at conversis.de
Mon Jul 4 12:53:32 CEST 2016


On 04.07.2016 09:33, Harald Dunkel wrote:
> PS: I found out a little bit more. If there is a new connection
> initiated by a road warrior, then /var/log/messages shows me
> 
> Jul  4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP SPT=50374 DPT=53 LEN=47
> Jul  4 08:55:03 srvl047 kernel: [73014.164948] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=21954 PROTO=UDP SPT=62524 DPT=53 LEN=47
> Jul  4 08:55:03 srvl047 kernel: [73014.165334] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=383 PROTO=UDP SPT=64310 DPT=53 LEN=46
> Jul  4 08:55:03 srvl047 kernel: [73014.165340] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41664 PROTO=UDP SPT=50876 DPT=53 LEN=46
> Jul  4 08:55:03 srvl047 vpn: + C=DE, O=example AG, OU=TI, CN=ppcm026.ws.example.com 172.19.97.87/32 == 5.145.142.13 -- 5.145.142.17 == 172.19.96.0/19
> 
> I know that the sequence in the log file might not match the
> actual sequence of events, but I wonder if there could be a
> race condition?
> 
> Is there some way to introduce an artificial "new connection
> delay" for the very first packets to give the firewall some
> time to come up?
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/Updown
> suggests to introduce global iptables entries instead of
> setting leftfirewall=yes. Both source and destination address
> in the "iptables-dropped" lines are valid on eth1 (the
> internal side) only. I wouldn't like to support global
> forward rules between eth0 and eth1. Maybe there is a way to
> introduce a virtual network device to be used exclusively for
> the VPN payload, instead of eth0?

I'm not sure what your objection is to creating the same rules
permanently (which the page seems to call "global") that the updown
script creates dynamically anyway?

Regards,
  Dennis
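A concrete version of what Dennis suggests, added here as an example; it is not strongSwan's `_updown` script and not the original poster's configuration. The interface roles (eth0 outside, eth1 inside), the internal network 172.19.96.0/19 and a road-warrior pool of 172.19.97.0/24 are assumptions read off the quoted log lines. The rules are not "global forward rules between eth0 and eth1": the `policy` match restricts them to packets that were actually decapsulated from an IPsec SA (or will be encapsulated into one), which is the same match the updown script uses, minus the per-connection `--reqid`. The second half classifies `iptables-dropped` lines so you can confirm that a drop was VPN payload that simply raced the updown script.

```shell
#!/bin/sh
# Added example for this thread; not strongSwan code, not the poster's setup.
# Assumptions taken from the quoted log (not stated by the poster):
OUTSIDE_IF=eth0               # IKE/ESP arrives here
INSIDE_IF=eth1                # internal network side
INTERNAL_NET=172.19.96.0/19   # "== 172.19.96.0/19" in the vpn: log line
POOL=172.19.97.0/24           # assumed road-warrior virtual IP pool

# Print, rather than apply, the persistent FORWARD rules that replace what
# leftfirewall=yes inserts per connection. As root: ipsec_forward_rules | sh
# --pol ipsec restricts the rule to IPsec-protected traffic, so no
# cleartext forwarding between the two interfaces is opened up.
ipsec_forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -s $POOL -d $INTERNAL_NET -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INTERNAL_NET -d $POOL -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

ip2int() {                    # dotted quad -> 32-bit integer
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                   # in_cidr ADDRESS NETWORK/BITS -> exit status
    case $1 in *.*.*.*) ;; *) return 1 ;; esac
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

field() {                     # field NAME LINE -> value of " NAME=..." in LINE
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# vpn-payload: a packet from the pool to the internal net that came in on the
# outside interface and was to be forwarded inside, i.e. it had already been
# decapsulated from an SA and was dropped only because no FORWARD rule
# accepted it yet. Anything else is reported as "other".
classify_drop() {
    if [ "$(field IN "$1")" = "$OUTSIDE_IF" ] && [ "$(field OUT "$1")" = "$INSIDE_IF" ] \
        && in_cidr "$(field SRC "$1")" "$POOL" && in_cidr "$(field DST "$1")" "$INTERNAL_NET"; then
        echo vpn-payload
    else
        echo other
    fi
}

# Sample input: the first drop quoted in the thread, plus a constructed,
# unrelated drop (a host on the Internet probing the gateway's outside address).
SAMPLE_VPN='Jul  4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP SPT=50374 DPT=53 LEN=47'
SAMPLE_OTHER='Jul  4 08:55:10 srvl047 kernel: [73021.000000] iptables-dropped: IN=eth0 OUT= MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=198.51.100.7 DST=5.145.142.13 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=41234 DPT=22'

echo "--- persistent rules ---"
ipsec_forward_rules
echo "--- classified drops ---"
for line in "$SAMPLE_VPN" "$SAMPLE_OTHER"; do
    echo "$(classify_drop "$line"): $(field SRC "$line") -> $(field DST "$line")"
done
```

Once the static rules are in place, the first DNS packets of a new road-warrior tunnel no longer depend on the updown script having finished, because the accept decision is made on the packet's IPsec policy state rather than on a rule that exists only after the script ran. Keep `leftfirewall=no` (the default) so the per-connection rules are not inserted on top.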
