Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
  • From: Markus Koellner <smshomey@xxxxxx>
  • Date: Mon, 21 Jan 2002 12:10:18 +0100
  • Message-id: <5.1.0.14.2.20020121113521.031c1050@xxxxxxxxxxx>

> You must disable IP spoofing protection for ipsec to work properly.

Could you explain "must"? Under what circumstances is this
necessary? I have working VPN GWs with enabled rp_filter.

It *can* cause problems, and maybe for you there are none,
but there is a risk.

217.13.4.32 0.0.0.0 255.255.255.0 U 0 0 0 eth1
217.13.4.32 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0

rp_filter authorizes the first route it can find, which is on the eth1
interface in this example.
But what about changing the sequence by bringing eth1 down
and up again?
This causes trouble for rp_filter.

Bye
Markus
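
A check for the situation described in the mail, as an added example that is not part of the original message: it reads `route -n` style rows and reports every destination/netmask that is routed via more than one interface, which is the case where the mail says rp_filter depends on route order. The function names, the `conf_root` parameter and the default-route row are assumptions made for this example; the two 217.13.4.32 rows are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the original mail.
# Reads `route -n` rows (Destination Gateway Genmask Flags Metric Ref Use Iface)
# on stdin and prints one line per destination/netmask present on more than one
# interface: "<dest>/<mask> first=<iface> also=<iface>[,<iface>...]".
find_duplicate_routes() {
    awk '
        NF >= 8 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            key = $1 "/" $3
            iface = $8
            if (!(key in first)) {
                first[key] = iface          # interface of the first matching row
                order[++n] = key            # remember table order for the report
            } else if (iface != first[key] &&
                       index("," also[key] ",", "," iface ",") == 0) {
                also[key] = (also[key] == "" ? iface : also[key] "," iface)
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (also[order[i]] != "")
                    printf "%s first=%s also=%s\n", order[i], first[order[i]], also[order[i]]
        }'
}

# Prints the rp_filter value for an interface, or "unknown" if it cannot be read.
# conf_root (hypothetical parameter) defaults to the kernel's sysctl directory.
rp_filter_of() {
    conf_root=${2:-/proc/sys/net/ipv4/conf}
    cat "$conf_root/$1/rp_filter" 2>/dev/null || echo unknown
}

# Sample table: the two rows from the mail plus a constructed default route.
sample_table() {
    cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
217.13.4.32     0.0.0.0         255.255.255.0   U     0      0   0   eth1
217.13.4.32     0.0.0.0         255.255.255.0   U     0      0   0   ipsec0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0   0   eth1
EOF
}

sample_table | find_duplicate_routes
```

On a gateway, pipe `route -n` into `find_duplicate_routes` and call `rp_filter_of` for each interface it reports; rerun it after an interface has been brought down and up to see whether the `first=` interface changed.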
