mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 09:03:30 +01:00
Document hack to work around L2TP vulnerability
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8408 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
699571a083
commit
94113e0312
@ -786,20 +786,26 @@ all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>

<para>The final step is to modify your rules file. There are two important
components. First, you must allow the l2tp traffic to reach the xl2tpd
process running on the firewall machine. Second, you must add rules to
open up ports on the firewall to the road warrior for services which are
running on the firewall. For example, if you are running a webserver on
the firewall that must be accessible to road warriors. The reason for the
second step is that the policy does not by default allow unrestricted
access to the firewall itself.</para>
<para>The final step is to modify your rules file. There are three
important components. First, you must allow the l2tp traffic to reach the
xl2tpd process running on the firewall machine. Second, you must add rules
to open up ports on the firewall to the road warrior for services which
are running on the firewall. For example, if you are running a webserver
on the firewall that must be accessible to road warriors. The reason for
the second step is that the policy does not by default allow unrestricted
access to the firewall itself. Finally, you should protect an exploit
where an attacker can exploit your LT2P server do to a hole in the way
that L2TP interacts with UDP connection tracking.</para>

<blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
SECTION ESTABLISHED
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP/REJECT net $FW
REJECT $FW net udp - 1701
# l2tp over the IPsec VPN
ACCEPT vpn $FW udp 1701
# webserver that can only be accessed internally

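Review bot: the replacement <para> has three wording errors that should be fixed before this lands: "protect an exploit" should read "protect against an exploit", "LT2P" should be "L2TP", and "do to" should be "due to". Separately, the text gives no reason for placing `L2TP/REJECT net $FW` and `REJECT $FW net udp - 1701` under `SECTION ESTABLISHED` rather than alongside the other rules; since this placement is the work-around the commit title refers to, one sentence saying why the rejects have to live in the ESTABLISHED section (the paragraph only says that L2TP interacts badly with UDP connection tracking) would keep the entry maintainable, and the comment "# Prevent IPSEC bypass by hosts behind a NAT gateway" should name the same issue the paragraph describes so the two do not read as unrelated.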