From: Paul T. <ps...@ps...> - 2006-01-29 17:26:37
I don't have pptpd working yet on the firewall (it's crashing on tcp connect), but I've been looking at the obsolete shorewall documentation for running pptpd on the local firewall itself. In my situation, I have ppp0 in my net zone, because that is my link to the outside world (pppoe, thank you SBC :-( ). I plan to have a few pptp tunnels coming into the firewall, which will be in the loc zone, and pptp will be set up in a proxyarp configuration on the local lan.

I know the zones need to be ordered, and they are, but the following bit worries me... I have rules like FORWARD that have snippets in them:

Chain FORWARD (policy DROP 28 packets, 3746 bytes)
target     prot opt in     out     source      destination
TCPMSS     tcp  --  any    any     anywhere    anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
eth0_fwd   all  --  eth0   any     anywhere    anywhere
eth1_fwd   all  --  eth1   any     anywhere    anywhere
eth2_fwd   all  --  eth2   any     anywhere    anywhere
ath0_fwd   all  --  ath0   any     anywhere    anywhere
ppp0_fwd   all  --  ppp0   any     anywhere    anywhere
ppp_fwd    all  --  ppp+   any     anywhere    anywhere
Reject     all  --  any    any     anywhere    anywhere
ULOG       all  --  any    any     anywhere    anywhere
reject     all  --  any    any     anywhere    anywhere

ppp0 will be processed for all packets being forwarded by ppp0 (which is in net)... but if none of the rules in net2<whatever> actually trigger, then this rule falls through to the ppp+ rule, which will get the loc2<whatever> rules, which are obviously less restrictive. This can't be allowed to happen.

Is there any "polite" way in shorewall to introduce a rule at the start of ppp_fwd, ppp_in, and ppp_out to do a "RETURN" if the interface in question is ppp0, or better yet, is there a syntax I can use in iptables/shorewall to say ppp+,!ppp0 so the ppp_in/out/fwd rules never even get called?

Tom, should I be using hosts syntax at this point? If so, got any suggestions (I only have one small range of IP addresses that are in the pptp pool).

Paul
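The fall-through the post worries about comes from two netfilter rules: a trailing `+` in `-i` is a prefix wildcard, so `ppp+` matches `ppp0` as well as the pptp tunnels, and a user chain that ends without a terminating verdict (or hits RETURN) hands the packet back to the calling chain, which simply continues with its next rule. The simulator below is an added example, not from the original mail or from Shorewall; it models only the interface match and chain traversal (the `net2loc` chain is constructed as matching nothing, so it falls off its end), then shows the effect of the leading `-i ppp0 -j RETURN` rule the post asks about. Since an iptables rule takes a single `-i` match, a combined `ppp+,!ppp0` cannot be written in one rule; a `RETURN` at the top of the wildcard chain is the way to express that exclusion.

```python
"""Toy model of netfilter interface matching and chain traversal (constructed example)."""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal immediately


def iface_matches(pattern, iface):
    """Mimic 'iptables -i': a trailing '+' matches any suffix, a leading '!' negates.

    The pattern '+' alone matches every interface (used here for 'any')."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.endswith("+"):
        hit = iface.startswith(pattern[:-1])
    else:
        hit = iface == pattern
    return hit != negate


def traverse(chains, chain, iface, trace):
    """Walk one chain; return a terminal verdict, or None when the packet returns
    to the caller (explicit RETURN or falling off the end of the chain)."""
    for in_pat, target in chains[chain]:
        if not iface_matches(in_pat, iface):
            continue
        trace.append(f"{chain}: -i {in_pat} -j {target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        # user-defined chain: recurse, and keep going in this chain if it yields no verdict
        verdict = traverse(chains, target, iface, trace)
        if verdict is not None:
            return verdict
    return None


def forward_verdict(chains, iface, policy="DROP"):
    """Verdict for a packet arriving on `iface`, plus the list of rules it touched."""
    trace = []
    verdict = traverse(chains, "FORWARD", iface, trace)
    return (verdict if verdict is not None else policy), trace


# Constructed chain layout mirroring the shape of the post's FORWARD chain.
# net2loc is deliberately empty: "none of the rules in net2<whatever> trigger".
NAIVE = {
    "FORWARD": [("ppp0", "ppp0_fwd"), ("ppp+", "ppp_fwd"), ("+", "Reject")],
    "ppp0_fwd": [("+", "net2loc")],
    "net2loc": [],
    "ppp_fwd": [("+", "loc2net")],
    "loc2net": [("+", "ACCEPT")],      # the less restrictive loc rules
    "Reject": [("+", "REJECT")],
}

# Hardened variant: a leading RETURN for ppp0 in the wildcard chain, as the post proposes.
HARDENED = {name: list(rules) for name, rules in NAIVE.items()}
HARDENED["ppp_fwd"] = [("ppp0", "RETURN")] + HARDENED["ppp_fwd"]


if __name__ == "__main__":
    for label, chains in (("naive", NAIVE), ("hardened", HARDENED)):
        for iface in ("ppp0", "ppp3"):
            verdict, trace = forward_verdict(chains, iface)
            print(f"[{label}] {iface}: {verdict}")
            for step in trace:
                print("    " + step)
```

Running it prints the packet from ppp0 ending up ACCEPTed by `loc2net` in the naive layout, and REJECTed (via the `Reject` chain) once the RETURN rule is in place, while a tunnel interface such as ppp3 still reaches the loc rules in both layouts.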