On 02/20/2015 11:27 AM, Gordon Messmer wrote:
> On 02/20/2015 10:00 AM, Paul Smith wrote:
>> The truth, Gordon, is that after changing the firewall configuration
>> as described in the referred site, the issue was fixed.
> Yes, I understand that. But it sounds like GRE was allowed previously
> because it was "RELATED" to the pptp TCP connection before a kernel
> upgrade, but afterward it required a rule to allow it unconditionally
> (which is bad).
> I can't test that because I don't have any PPTP servers available,
> because PPTP is very bad security-wise.
> It would be useful to remove the rules that you added and verify that
> the PPTP connection fails. Then, boot an older kernel which was known
> to previously work and test the connection. If it works, then there's a
> kernel bug that should be reported.
You could restrict permitting GRE to the IP of the VPN gateway if you
want more security, e.g.
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
    -p gre -s <ip-addr-of-gateway> -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 \
    -p gre -s <ip-addr-of-gateway> -j ACCEPT
firewall-cmd --reload
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- The light at the end of the tunnel is really an oncoming train. -
----------------------------------------------------------------------
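As an added illustration of the two points above (an unconditional GRE accept is the thing to avoid, and the rule should be limited to the gateway's address), here is a small audit script that is not part of the thread: it scans rule lines in the format of `firewall-cmd --permanent --direct --get-all-rules` (assumed: `<family> <table> <chain> <priority> <args...>`) for GRE accepts with no source match, and prints the restricted replacement for a given gateway address. The rule list and the addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sample output in the
# assumed format of `firewall-cmd --permanent --direct --get-all-rules`.
SAMPLE_RULES='ipv4 filter INPUT 0 -p gre -j ACCEPT
ipv4 filter INPUT 0 -p gre -s 203.0.113.5 -j ACCEPT
ipv6 filter INPUT 0 -p gre -s 2001:db8::1 -j ACCEPT
ipv4 filter INPUT 0 -p tcp --dport 1723 -j ACCEPT'

# Read rule lines on stdin; print each GRE ACCEPT that has no source match.
audit_gre_rules() {
    while IFS= read -r line; do
        case "$line" in
            *" -p gre "*|*" -p 47 "*) ;;   # GRE is IP protocol 47
            *) continue ;;
        esac
        case "$line" in
            *" -j ACCEPT"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -s "*|*" --source "*) ;;    # restricted to a peer: fine
            *) printf 'unrestricted GRE accept: %s\n' "$line" ;;
        esac
    done
    return 0
}

# Number of unrestricted GRE accepts on stdin (0 means nothing to fix).
count_unrestricted_gre() {
    audit_gre_rules | wc -l | tr -d ' '
}

# Print the firewall-cmd command that accepts GRE only from the gateway,
# choosing the address family from the address itself. It matches with -s:
# in the INPUT chain the gateway is the packet's source, not its destination.
gre_rule_for_gateway() {
    gw=$1
    case "$gw" in
        *:*) family=ipv6 ;;
        *.*.*.*) family=ipv4 ;;
        *) echo "not an IP address: $gw" >&2; return 1 ;;
    esac
    printf 'firewall-cmd --permanent --direct --add-rule %s filter INPUT 0 -p gre -s %s -j ACCEPT\n' \
        "$family" "$gw"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_gre_rules
gre_rule_for_gateway 203.0.113.5
```

On a live system, replace the sample with `firewall-cmd --permanent --direct --get-all-rules | audit_gre_rules`.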
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx