mirror of https://gitlab.com/shorewall/code.git, synced 2024-11-29 02:54:18 +01:00
Document hack to work around L2TP vulnerability
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8408 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 699571a083
commit 94113e0312
@ -786,20 +786,26 @@ all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</blockquote>
<para>The final step is to modify your rules file. There are two important
<para>The final step is to modify your rules file. There are three
components. First, you must allow the l2tp traffic to reach the xl2tpd
important components. First, you must allow the l2tp traffic to reach the
process running on the firewall machine. Second, you must add rules to
xl2tpd process running on the firewall machine. Second, you must add rules
open up ports on the firewall to the road warrior for services which are
to open up ports on the firewall to the road warrior for services which
running on the firewall. For example, if you are running a webserver on
are running on the firewall. For example, if you are running a webserver
the firewall that must be accessible to road warriors. The reason for the
on the firewall that must be accessible to road warriors. The reason for
second step is that the policy does not by default allow unrestricted
the second step is that the policy does not by default allow unrestricted
access to the firewall itself.</para>
access to the firewall itself. Finally, you should protect an exploit
where an attacker can exploit your LT2P server do to a hole in the way
that L2TP interacts with UDP connection tracking.</para>
<blockquote>
<blockquote>
<para><filename>/etc/shorewall/rules</filename>:</para>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
# PORT(S) PORT(S)
SECTION ESTABLISHED
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP/REJECT net $FW
REJECT $FW net udp - 1701
# l2tp over the IPsec VPN
# l2tp over the IPsec VPN
ACCEPT vpn $FW udp 1701
ACCEPT vpn $FW udp 1701
# webserver that can only be accessed internally
# webserver that can only be accessed internally
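Review bot: the sentence added to the <para> that now ends with "that L2TP interacts with UDP connection tracking.</para>" carries three wording errors that should be fixed before this is published: "protect an exploit" should read "protect against an exploit", "LT2P" should be "L2TP", and "do to a hole" should be "due to a hole". The same paragraph also never explains why the two new rules, "L2TP/REJECT net $FW" and "REJECT $FW net udp - 1701", are placed under "SECTION ESTABLISHED" rather than in the default section of the rules file; since the whole point of the workaround is the interaction with UDP connection tracking, one sentence on why these REJECTs have to apply to traffic the state table already treats as established would turn the hack from a copy-and-paste recipe into something an administrator can reason about. Finally, the programlisting comment "# Prevent IPSEC bypass by hosts behind a NAT gateway" and the prose describe the problem in different terms (IPsec bypass versus an L2TP/UDP conntrack hole); aligning the two descriptions would help readers searching for either one.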