[Openswan Users] L2TP/IPSEC & DSL ppp interface assignment
trevor-os at thennion.demon.co.uk
Mon Mar 14 08:10:37 CET 2005
On Monday 14 Mar 2005 02:36, Lewis Shobbrook wrote:
> Thanks for the reply Paul
> > > connection that traditionally occupies the ppp0 device and is
> > > firewalled in reference to this drops out. In the meantime, while the
> > > connection is down, we get an L2TP/IPSEC VPN connection coming in which
> > > then occupies ppp0; when the DSL service comes back online it
> > > takes the next available ppp interface such as ppp1. The firewall is
> > > configured differently for this connection and this can cause service
> > > and security issues. Is there any way to assign or reserve the ppp
> > > interface to prevent this from happening?
> > I believe you can use 'ppp+' in iptables to denote 'any ppp device'.
> The issue is being able to apply differentiated rules.
> One being a DSL connection which requires heavy restrictions while the
> l2tp requires mostly open rules.
> If the rules are applied universally against the generic ppp device,
> with differentiation based on source IP range and ! (not) from source
> IP range, then with reverse path filtering off, you'd be increasing your
> security risks. It does solve one problem though.
The ip-up script is called, after ppp has established a connection, with the
local IP, remote IP, interface name etc. On a RedHat box these parameters
are passed to ip-up.local. You could use that to determine what firewall
rules should be set. If, after the link comes up, you modify or replace a
restrictive set of rules, that might help you.
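As an added illustration of the ip-up approach described above (example code, not something posted in this thread or shipped with Openswan or pppd): an /etc/ppp/ip-up.local that keys the firewall ruleset on the link rather than on the pppN name. pppd invokes ip-up as `ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM`, and RedHat's stock ip-up hands the same arguments to ip-up.local. The classifier prefers an `ipparam` label set in each peer's pppd options and falls back to checking whether the remote address lies in the L2TP client pool; anything it cannot identify gets the restrictive DSL ruleset. The pool 10.99.0.0/24, the LAN 192.168.1.0/24 and the `dsl`/`l2tp` ipparam labels are assumptions for the example.

```shell
#!/bin/sh
# Example /etc/ppp/ip-up.local (added example, not from the original post).
# Called as: ip-up.local IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# The ppp unit number is whatever was free when the link came up, so the
# ruleset is chosen from the link's own parameters, never from "ppp0" vs "ppp1".

# Assumptions for this example (not stated in the thread):
#   - the L2TP daemon assigns VPN clients addresses from 10.99.0.0/24
#   - the DSL peer file carries "ipparam dsl", the L2TP options carry "ipparam l2tp"
#   - the protected LAN behind the gateway is 192.168.1.0/24
L2TP_POOL="10.99.0.0/24"
LAN_NET="192.168.1.0/24"
IPTABLES="${IPTABLES:-iptables}"

# ip4_to_int 10.99.0.7 -> 174260231 (dotted quad to 32-bit integer)
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> succeeds when ADDR lies inside NET/PREFIX
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# classify_link REMOTE_IP IPPARAM -> prints "l2tp" or "dsl".
# An explicit ipparam label wins; otherwise the remote address decides;
# when nothing matches, default to "dsl" so the restrictive rules apply.
classify_link() {
    case "$2" in
        dsl|l2tp) echo "$2"; return ;;
    esac
    if in_cidr "$1" "$L2TP_POOL"; then
        echo l2tp
    else
        echo dsl
    fi
}

# firewall_rules KIND IFNAME LOCAL_IP REMOTE_IP -> prints the iptables commands
# for this link, one per line. Each link gets its own chain so that ip-down
# can later flush and delete exactly that chain.
firewall_rules() {
    kind=$1; ifname=$2; local_ip=$3; remote_ip=$4
    chain="ppp_$ifname"
    echo "$IPTABLES -N $chain 2>/dev/null || true"
    echo "$IPTABLES -F $chain"
    echo "$IPTABLES -I INPUT 1 -i $ifname -j $chain"
    echo "$IPTABLES -I FORWARD 1 -i $ifname -j $chain"
    echo "$IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$kind" in
      l2tp)
        # VPN link: only the address handed to this client may source traffic,
        # and it may reach the LAN and the gateway itself.
        echo "$IPTABLES -A $chain ! -s $remote_ip -j DROP"
        echo "$IPTABLES -A $chain -s $remote_ip -d $LAN_NET -j ACCEPT"
        echo "$IPTABLES -A $chain -s $remote_ip -d $local_ip -j ACCEPT"
        ;;
      *)
        # DSL link: accept only what the gateway serves to the Internet, here
        # IKE, ESP and NAT-T so the next L2TP/IPsec client can still connect,
        # plus L2TP itself, which reappears on this interface after decryption.
        echo "$IPTABLES -A $chain -d $local_ip -p udp --dport 500 -j ACCEPT"
        echo "$IPTABLES -A $chain -d $local_ip -p udp --dport 4500 -j ACCEPT"
        echo "$IPTABLES -A $chain -d $local_ip -p esp -j ACCEPT"
        echo "$IPTABLES -A $chain -d $local_ip -p udp --dport 1701 -j ACCEPT"
        ;;
    esac
    echo "$IPTABLES -A $chain -j DROP"
}

# Entry point as pppd/ip-up call it: $1=IFNAME $4=LOCAL_IP $5=REMOTE_IP $6=IPPARAM
apply_rules() {
    kind=$(classify_link "$5" "${6:-}")
    logger -t ip-up.local "link $1 ($4 -> $5) classified as $kind"
    firewall_rules "$kind" "$1" "$4" "$5" | sh -e
}

if [ $# -ge 5 ]; then
    apply_rules "$@"
fi
```

A matching ip-down.local should remove the two jump rules and delete the `ppp_$IFNAME` chain, otherwise a bouncing DSL link accumulates duplicate jumps. The UDP 1701 rule accepts cleartext L2TP as well; on kernels with the `policy` match it can be tightened to `-m policy --dir in --pol ipsec` so only IPsec-decapsulated L2TP is admitted.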