[strongSwan] firewall issue?
harald.dunkel at aixigo.de
Mon Jul 4 16:07:16 CEST 2016
On 07/04/16 12:53, Dennis Jacobfeuerborn wrote:
> I'm not sure what your objection is to creating the same rules
> permanently (which the page seems to call "global") that the updown
> script create dynamically anyway?
The concern is to open a potential door for an intruder.
The default _updown script creates very "picky" rules,
giving just a single IP address on eth0 access to eth1.
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4723 548K ACCEPT all -- eth0 * 172.19.97.60 172.19.96.0/19 policy match dir in pol ipsec reqid 275 proto 50
9880 11M ACCEPT all -- * eth0 172.19.96.0/19 172.19.97.60 policy match dir out pol ipsec reqid 275 proto 50
I wouldn't like to replace the single IP address on eth0
by large subnets without need.
The problem is that eth0 has been reused for the decoded
traffic. The iptables entries about eth0 affect both
the connection to the internet as well as the connection
to the road warriors. If we want to let the road warriors
in but keep the rest of the internet out, then we end up
with separate iptables entries for each road warrior.
If there were a dedicated network interface xyz0
for decoded traffic without connection to eth0, then the
iptables entries for the connection to the road warriors'
laptops could be kept separate from the internet connection.
We could open 172.19.97.0/24 on xyz0 without opening this
network on eth0.
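One defender-side check that follows from this reasoning, as an added example that is not part of the mail: parse `iptables -L FORWARD -nv` output and flag ACCEPT rules on eth0 that admit more than a single host without a `policy match ... pol ipsec` qualifier. The first two sample rules are the ones quoted above; the third is constructed to show the over-broad case the mail warns against.

```python
import ipaddress

# Constructed sample of `iptables -L FORWARD -nv`: the two _updown rules quoted in
# the mail, plus one deliberately over-broad rule with no IPsec policy match.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 4723 548K ACCEPT all -- eth0 * 172.19.97.60 172.19.96.0/19 policy match dir in pol ipsec reqid 275 proto 50
 9880 11M ACCEPT all -- * eth0 172.19.96.0/19 172.19.97.60 policy match dir out pol ipsec reqid 275 proto 50
 12 1024 ACCEPT all -- eth0 * 172.19.97.0/24 172.19.96.0/19
"""


def parse_rules(text):
    """Turn the counter-style listing into dicts; header and chain lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[2] not in ("ACCEPT", "DROP", "REJECT"):
            continue
        rules.append({
            "target": parts[2], "in": parts[5], "out": parts[6],
            "src": parts[7], "dst": parts[8],
            # the policy-match extension prints "policy match dir ... pol ipsec"
            "ipsec": "pol ipsec" in line,
        })
    return rules


def audit(text, iface="eth0"):
    """Return (src, dst) of ACCEPT rules that let more than one host through
    `iface` without requiring the packet to have arrived via an IPsec SA."""
    findings = []
    for r in parse_rules(text):
        if r["target"] != "ACCEPT" or r["ipsec"]:
            continue
        if r["in"] == iface:
            peer = r["src"]      # inbound: the remote side is the source
        elif r["out"] == iface:
            peer = r["dst"]      # outbound: the remote side is the destination
        else:
            continue
        net = ipaddress.ip_network(peer, strict=False)
        if net.num_addresses > 1:
            findings.append((r["src"], r["dst"]))
    return findings


if __name__ == "__main__":
    for src, dst in audit(SAMPLE):
        print(f"over-broad rule on eth0 without IPsec policy match: {src} -> {dst}")
```

Run it against real output with `iptables -L FORWARD -nv | python3 audit.py` adapted to read stdin; the per-peer /32 rules the updown script creates pass, a permanent /24 rule on eth0 does not.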