Document hack to work around L2TP vulnerability

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8408 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-04-09 21:33:10 +00:00
parent 699571a083
commit 94113e0312


@ -786,20 +786,26 @@ all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
<para>The final step is to modify your rules file. There are two important
components. First, you must allow the l2tp traffic to reach the xl2tpd
process running on the firewall machine. Second, you must add rules to
open up ports on the firewall to the road warrior for services which are
running on the firewall. For example, if you are running a webserver on
the firewall that must be accessible to road warriors. The reason for the
second step is that the policy does not by default allow unrestricted
access to the firewall itself.</para>
<para>The final step is to modify your rules file. There are three
important components. First, you must allow the l2tp traffic to reach the
xl2tpd process running on the firewall machine. Second, you must add rules
to open up ports on the firewall to the road warrior for services which
are running on the firewall. For example, if you are running a webserver
on the firewall that must be accessible to road warriors. The reason for
the second step is that the policy does not by default allow unrestricted
access to the firewall itself. Finally, you should protect an exploit
where an attacker can exploit your LT2P server do to a hole in the way
that L2TP interacts with UDP connection tracking.</para>
<blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
SECTION ESTABLISHED
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP/REJECT net $FW
REJECT $FW net udp - 1701
# l2tp over the IPsec VPN
ACCEPT vpn $FW udp 1701
# webserver that can only be accessed internally
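Review bot: the replacement <para> carries three typos that should be fixed before this lands: "protect an exploit" should read "protect against an exploit", "LT2P" should be "L2TP", and "do to" should be "due to". The same paragraph would serve readers better if it also said why the two REJECT lines are placed under SECTION ESTABLISHED rather than with the ordinary NEW-section rules, and what the comment "Prevent IPSEC bypass by hosts behind a NAT gateway" means in practice; as written, the text tells the reader there is a hole in how L2TP interacts with UDP connection tracking but not what the "L2TP/REJECT net $FW" and "REJECT $FW net udp - 1701" rules actually block, so a reader cannot judge whether the workaround applies to their setup.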