On 02/20/2015 12:58 PM, Paul Smith wrote:
> If the issue is caused by the kernel, cannot one speculate that is deliberated in order to increase security? As Rick has just suggested, one can restrict the GRE service to certain IPs, while allowing the GRE service globally would leave the computer less secure (as the older versions of kernels did, if your suspicion is correct).
It might help to understand how RELATED traffic is handled. Some protocols have helpers in iptables so that when a connection will result in traffic that's not explicitly allowed, that traffic can be marked as "related" to the existing valid connection, and allowed without an explicit pre-defined rule.
For example, if you request a file by FTP, the client opens a TCP port and tells the FTP server to send the file to that port. An iptables helper can recognize that and allow the server to connect to that port, without a pre-defined rule for that server or that client port.
Likewise, when you connect to a PPTP server, the GRE packets should be related to that session, and therefore allowed. You shouldn't need to specifically allow those packets.
That's how a stateful firewall is supposed to function, and offers the best security.
Or I could be wrong and something that I'm not seeing did change in firewalld. But it's hard for me to tell, because I can't readily boot an old kernel and connect to a PPTP server in order to determine if a kernel change is the cause.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
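The RELATED mechanism described in the reply above, shown as an added toy model (this is illustrative code, not part of the thread and not the kernel's conntrack implementation). It tracks flows, lets a PPTP helper and an FTP helper register "expectations" while inspecting the control connection, and shows why the GRE tunnel and the active-mode FTP data connection pass a `RELATED,ESTABLISHED` rule without any explicit rule for them, while the same packets arriving unsolicited are dropped. The IP addresses are constructed documentation addresses, and the control-message strings (`OUTGOING_CALL_REPLY`, `PORT ...`) are simplified stand-ins for what the real helpers parse; protocol numbers and ports are the real ones.

```python
"""Toy stateful firewall with conntrack-style protocol helpers (added example)."""
from dataclasses import dataclass, field

TCP, GRE = 6, 47              # IP protocol numbers
PPTP_PORT, FTP_PORT = 1723, 21


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0            # 0 for port-less protocols such as GRE
    dport: int = 0
    payload: str = ""         # application data a helper may inspect


@dataclass
class Conntrack:
    # known flows keyed by (proto, src, dst, sport, dport), matched in either direction
    flows: set = field(default_factory=set)
    # helper expectations keyed by (proto, src, dst, dport); dport 0 = port-less
    expectations: set = field(default_factory=set)

    def _key(self, p):
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def _reverse(self, p):
        return (p.proto, p.dst, p.src, p.dport, p.sport)

    def _run_helpers(self, p):
        """Inspect control-channel traffic and register expected follow-on flows."""
        # PPTP helper: the tcp/1723 control channel negotiates a GRE tunnel between
        # the same two hosts (real conntrack also tracks the GRE call IDs; simplified).
        if p.proto == TCP and PPTP_PORT in (p.sport, p.dport) and "OUTGOING_CALL_REPLY" in p.payload:
            self.expectations.add((GRE, p.src, p.dst, 0))
            self.expectations.add((GRE, p.dst, p.src, 0))
        # FTP helper: the client's PORT command names the port the server must connect to.
        if p.proto == TCP and p.dport == FTP_PORT and p.payload.startswith("PORT "):
            h1, h2, h3, h4, hi, lo = p.payload[5:].strip().split(",")
            announced_ip = ".".join((h1, h2, h3, h4))
            # Only honour the command when the announced address is the connection's own
            # source; otherwise a client could open holes toward third parties.
            if announced_ip == p.src:
                self.expectations.add((TCP, p.dst, announced_ip, int(hi) * 256 + int(lo)))

    def state(self, p: Packet) -> str:
        """Classify a packet as NEW, ESTABLISHED or RELATED, updating the tables."""
        if self._key(p) in self.flows or self._reverse(p) in self.flows:
            self._run_helpers(p)
            return "ESTABLISHED"
        exp = (p.proto, p.src, p.dst, p.dport)
        if exp in self.expectations:
            self.expectations.discard(exp)
            self.expectations.discard((p.proto, p.dst, p.src, p.dport))  # GRE reverse direction
            self.flows.add(self._key(p))
            return "RELATED"
        self.flows.add(self._key(p))
        return "NEW"


def firewall(ct: Conntrack, p: Packet, server_ip: str) -> str:
    """Policy: NEW only to the listening services, RELATED/ESTABLISHED accepted, rest dropped.
    Note there is no rule mentioning GRE or the FTP data port at all."""
    st = ct.state(p)
    if st in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if p.proto == TCP and p.dst == server_ip and p.dport in (PPTP_PORT, FTP_PORT):
        return "ACCEPT"
    ct.flows.discard(ct._key(p))   # a dropped NEW packet never becomes a confirmed flow
    return "DROP"


def pptp_scenario() -> list:
    """Verdicts for: stray GRE, PPTP control setup, then GRE in both directions."""
    ct = Conntrack()
    server, client = "203.0.113.10", "198.51.100.7"   # constructed addresses
    return [
        firewall(ct, Packet(GRE, client, server), server),                      # unsolicited GRE
        firewall(ct, Packet(TCP, client, server, 40000, PPTP_PORT, "START_CONTROL_CONNECTION_REQUEST"), server),
        firewall(ct, Packet(TCP, server, client, PPTP_PORT, 40000, "OUTGOING_CALL_REPLY"), server),
        firewall(ct, Packet(GRE, client, server), server),                      # now RELATED
        firewall(ct, Packet(GRE, server, client), server),                      # now ESTABLISHED
    ]


def ftp_active_scenario() -> list:
    """Verdicts for active-mode FTP: the announced data port is RELATED, another port is not."""
    ct = Conntrack()
    server, client = "203.0.113.10", "198.51.100.7"   # constructed addresses
    return [
        firewall(ct, Packet(TCP, client, server, 50000, FTP_PORT, "USER anonymous"), server),
        firewall(ct, Packet(TCP, client, server, 50000, FTP_PORT, "PORT 198,51,100,7,195,81"), server),  # 195*256+81 = 50001
        firewall(ct, Packet(TCP, server, client, 20, 50001), server),           # expected data connection
        firewall(ct, Packet(TCP, server, client, 20, 50002), server),           # un-announced port
    ]


if __name__ == "__main__":
    print("PPTP:", pptp_scenario())
    print("FTP :", ftp_active_scenario())
```

The first GRE packet is dropped because nothing expects it; after the control channel has been seen, the same packet is classified RELATED and the return direction ESTABLISHED, which is the behaviour a `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule relies on. In a real kernel the helper is only attached to a connection when it is enabled (for example via the `CT` target in the raw table or, on older kernels, automatic helper assignment), so a firewall that loses that step is exactly where GRE stops being RELATED.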