On Fri, Feb 20, 2015 at 7:51 PM, Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
>>>
>>> The truth, Gordon, is that after changing the firewall configuration
>>> as described in the referred site, the issue was fixed.
>>
>>
>> Yes, I understand that. But it sounds like GRE was allowed previously
>> because it was "RELATED" to the pptp TCP connection before a kernel
>> upgrade, but afterward it required a rule to allow it unconditionally
>> (which is bad).
>>
>> I can't test that because I don't have any PPTP servers available,
>> because PPTP is very bad security-wise.
>>
>> It would be useful to remove the rules that you added and verify that
>> the PPTP connection fails. Then, boot an older kernel which was known
>> to previously work and test the connection. If it works, then there's a
>> kernel bug that should be reported.
>
>
> You could restrict permitting GRE to the IP of the VPN gateway if you
> want more security, e.g.
>
> firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -d <ip-addr-of-gateway> -j ACCEPT
> firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p gre -d <ip-addr-of-gateway> -j ACCEPT
> firewall-cmd --reload

Excellent idea, Rick! Thanks!

Paul

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
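An added example, not part of this thread and not Fedora's or firewalld's own code: a small POSIX shell script with two helpers. `gre_rules` validates a gateway address and prints the `firewall-cmd --direct` rules that pin inbound GRE to that one peer; `audit_gre` reads an `iptables -S` style listing and flags any GRE ACCEPT rule that carries no peer restriction, which is the "allow it unconditionally" case the thread calls bad. The gateway address 203.0.113.10 and the sample rule lines are constructed. The example matches the gateway with `-s`, since on the INPUT chain the remote gateway is the packet's source address; the rule quoted above uses `-d`, so pick whichever address your deployment actually needs to match.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Gateway address and the
# sample ruleset below are constructed for illustration.

# Validate a dotted-quad IPv4 address (each octet 0-255). Returns 0 if valid.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Split on dots in a subshell so the caller's IFS is left untouched.
    (
        IFS=.
        set -- $1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Print the firewall-cmd direct rules that accept GRE only from one gateway.
# Inbound GRE from the gateway arrives with the gateway as SOURCE, hence -s.
gre_rules() {
    gw=$1
    valid_ipv4 "$gw" || { echo "invalid gateway address: $gw" >&2; return 1; }
    printf '%s\n' \
      "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -s $gw -j ACCEPT" \
      "firewall-cmd --reload"
}

# Audit: read iptables -S style lines on stdin and print every rule that
# accepts GRE (protocol name "gre" or number 47) without a -s/-d restriction.
# Returns 1 if any unrestricted rule was found, 0 otherwise.
audit_gre() {
    found=0
    while IFS= read -r rule; do
        case "$rule" in
            *"-p gre"*"-j ACCEPT"*|*"-p 47 "*"-j ACCEPT"*)
                case "$rule" in
                    *" -s "*|*" -d "*) ;;                      # pinned to a peer: fine
                    *) echo "UNRESTRICTED: $rule"; found=1 ;;  # accepts GRE from anyone
                esac ;;
        esac
    done
    return $found
}

# Constructed sample ruleset (not captured from a real host): one unrestricted
# GRE rule, one pinned to the gateway, plus the PPTP control port.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT'

# Demo: print the rules for the constructed gateway, then audit the sample.
gre_rules 203.0.113.10
printf '%s\n' "$SAMPLE_RULES" | audit_gre || echo "audit: unrestricted GRE rule(s) present"
```

On a live host the audit would be fed with `iptables -S INPUT` (or `firewall-cmd --direct --get-all-rules`) instead of the constructed sample; the script only prints the `firewall-cmd` commands rather than executing them, so it can be reviewed before anything is applied.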