Document hack to work around L2TP vulnerability

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8408 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-04-09 21:33:10 +00:00
parent 699571a083
commit 94113e0312


@ -786,20 +786,26 @@ all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
<para>The final step is to modify your rules file. There are two important <para>The final step is to modify your rules file. There are three
components. First, you must allow the l2tp traffic to reach the xl2tpd important components. First, you must allow the l2tp traffic to reach the
process running on the firewall machine. Second, you must add rules to xl2tpd process running on the firewall machine. Second, you must add rules
open up ports on the firewall to the road warrior for services which are to open up ports on the firewall to the road warrior for services which
running on the firewall. For example, if you are running a webserver on are running on the firewall. For example, if you are running a webserver
the firewall that must be accessible to road warriors. The reason for the on the firewall that must be accessible to road warriors. The reason for
second step is that the policy does not by default allow unrestricted the second step is that the policy does not by default allow unrestricted
access to the firewall itself.</para> access to the firewall itself. Finally, you should protect an exploit
where an attacker can exploit your LT2P server do to a hole in the way
that L2TP interacts with UDP connection tracking.</para>
<blockquote> <blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para> <para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE <programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S) # PORT(S) PORT(S)
SECTION ESTABLISHED
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP/REJECT net $FW
REJECT $FW net udp - 1701
# l2tp over the IPsec VPN # l2tp over the IPsec VPN
ACCEPT vpn $FW udp 1701 ACCEPT vpn $FW udp 1701
# webserver that can only be accessed internally # webserver that can only be accessed internally
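Review bot: the new final sentence of the paragraph ("Finally, you should protect an exploit where an attacker can exploit your LT2P server do to a hole ...") has three wording errors that will ship in the published documentation: "protect an exploit" should read "protect against an exploit", "LT2P" should be "L2TP", and "do to" should be "due to"; consider also dropping one of the two "exploit"s. Separately, please confirm that a `SECTION NEW` header precedes the unchanged `ACCEPT vpn $FW udp 1701` rule further down the fragment: with the added `SECTION ESTABLISHED` line above it and no `SECTION NEW` visible in this hunk, that ACCEPT (and every rule after it) would be evaluated only against ESTABLISHED packets, so new L2TP connections over the VPN would fall through to the policy. Finally, the comment `# Prevent IPSEC bypass by hosts behind a NAT gateway` says what the two reject rules are for but not why they must sit in the ESTABLISHED section; a second comment line tying it to the "L2TP interacts with UDP connection tracking" point in the prose would spare readers who copy the fragment from moving the rules.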