[Openswan Users] L2TP/IPSEC & DSL ppp interface assignment

Trevor Hennion trevor-os at thennion.demon.co.uk
Mon Mar 14 08:10:37 CET 2005


On Monday 14 Mar 2005 02:36, Lewis Shobbrook wrote:
> Thanks for the reply Paul
>
> > > connection that traditionally occupies the ppp0 device and is
> > > firewalled in reference to this drops out.  In the meantime, while the
> > > connection is down, we get an L2TP/IPSEC VPN connection coming in which
> > > then occupies the ppp0; when the DSL service comes back online it
> > > takes the next available ppp interface such as ppp1. The firewall is
> > > configured differently for this connection and this can cause service
> > > and security issues. Is there any way to assign or reserve the ppp
> > > interface to prevent this from happening?
> >
> > I believe you can use 'ppp+' in iptables to denote 'any ppp device'.
>
> The issue is being able to apply differentiated rules.
> One being a DSL connection which requires heavy restrictions while the
> l2tp require mostly open rules.
> If the rules are applied universally against the generic ppp device,
> with differentiation based on source IP range and ! (not) from source
> IP range, then with reverse path filtering off, you'd be increasing your
> security risks.  It does solve one problem though.
> Cheers,
>
> Lewis

The ip-up script is called, after ppp has established a connection, with the
Local-IP, Remote-IP, the Interface-Name, etc. On a RedHat box these parameters
are passed to ip-up.local. You could use that to determine what firewall
rules should be set. If, after the link comes up, you modify or replace a
restrictive set of rules, that might help you.

HTH
Regards
Trevor Hennion
http://www.infocentrality.co.uk
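The ip-up.local approach sketched above, as an added example that is not part of the original thread and not code from pppd, Openswan or Red Hat. pppd invokes ip-up (and on Red Hat, ip-up.local) with the positional arguments interface-name, tty-device, speed, local-IP, remote-IP and ipparam; everything else here is an assumption for illustration: that the DSL peer file carries "ipparam dsl" and the pppd options file used for L2TP carries "ipparam l2tp", that L2TP clients are handed addresses from an invented 10.99.0.0/24 pool, and that an unrecognised link is better treated as the restricted DSL case than as the open L2TP case. Rules are bound to the interface name pppd actually hands over, so it no longer matters whether the DSL link lands on ppp0 or ppp1.

```shell
#!/bin/sh
# Example /etc/ppp/ip-up.local (added illustration; not from the thread or from pppd).
# pppd calls ip-up with:  $1 interface  $2 tty  $3 speed  $4 local-IP  $5 remote-IP  $6 ipparam

L2TP_POOL_PREFIX="10.99.0."   # assumed address pool handed out to L2TP clients (invented)

# Decide which role a freshly raised ppp link plays.
# Prints "dsl", "l2tp" or "unknown" on stdout.
classify_ppp_link() {
    iface=$1; remote=$2; ipparam=$3
    # Preferred: the peer/options file tags the link via "ipparam".
    case "$ipparam" in
        dsl)  echo dsl;  return 0 ;;
        l2tp) echo l2tp; return 0 ;;
    esac
    # Fallback when ipparam is unset: an L2TP client is given an address from
    # our own pool, whereas the DSL peer is the ISP's router.
    case "$remote" in
        "$L2TP_POOL_PREFIX"*) echo l2tp ;;
        *)                    echo unknown ;;
    esac
}

# Emit the iptables commands for a role, bound to the real interface name rather
# than a hard-coded ppp0.  Default mode "print" echoes the commands (inspectable,
# testable); mode "apply" executes them.
firewall_rules_for() {
    role=$1; iface=$2; mode=${3:-print}
    case "$role" in
        l2tp)
            # Authenticated VPN user: mostly open, as the thread describes.
            set -- \
              "iptables -A INPUT -i $iface -j ACCEPT" \
              "iptables -A FORWARD -i $iface -j ACCEPT"
            ;;
        *)
            # DSL, or anything we could not identify: fail closed.  Only the
            # IPsec control/data traffic that carries the L2TP tunnel is let in.
            set -- \
              "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT" \
              "iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT" \
              "iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT" \
              "iptables -A INPUT -i $iface -p 50 -j ACCEPT" \
              "iptables -A INPUT -i $iface -j DROP"
            ;;
    esac
    for cmd in "$@"; do
        if [ "$mode" = apply ]; then $cmd; else echo "$cmd"; fi
    done
}

# Entry point when pppd runs this file: classify, log, then apply.
ip_up_main() {
    role=$(classify_ppp_link "$1" "$5" "$6")
    logger -t ip-up.local "$1 (peer $5) classified as $role"
    firewall_rules_for "$role" "$1" apply
}

# Only act when invoked by pppd with an interface argument; sourcing the file
# (for example from a test) defines the functions without touching iptables.
case "${1:-}" in
    ppp*) ip_up_main "$@" ;;
esac
```

An ip-down.local counterpart should remove the same rules (iptables -D with identical arguments, or a per-link chain that is flushed and deleted), otherwise stale ACCEPT rules for ppp1 survive until the next L2TP client happens to get that name. Because every rule names the interface rather than a source range, the script does not rely on the "! source range" negation that the thread notes is unsafe with reverse path filtering turned off.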