[Openswan Users] RDP from internal NET to VPN client fails, and some other strangness..
dashnu
dashnu at gmail.com
Mon Nov 20 14:40:34 EST 2006
Hello.
On Nov 20, 2006, at 12:19 PM, Paul Wouters wrote:
> On Mon, 20 Nov 2006, dashnu wrote:
>
>
>> Still no luck. I have done the following things.
>
> that's correct:
>
>> Input:
>> # ICMP
>> $IPT -N icmp-traffic
>> $IPT -A icmp-traffic -p icmp --fragment -j DROP
>> $IPT -A icmp-traffic -p icmp --icmp-type echo-reply -m limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp -j DROP
>
> http://www.znep.com/~marcs/mtu/
I read this. As of now I feel my pmtu should be working as expected.
>
>> Limit should keep me out of trouble as far as DOS attacks go, and I
>> would imagine this limit would not interrupt regular use.
>
> It won't help you against DOS attacks. Sure, on DOS attacks using
> ICMP. But any other DOS attack still hits you.
Of course.
>
> Don't filter ICMP. Especially not when you have your /proc
> settings to disable all source routing and redirection ICMPs anyway.
>
For INPUT, OUTPUT & FORWARD I now allow ICMP.
I run into the exact same issue. The only thing I think it can be now
is the router on the client's end.
> Paul
Thanks Paul, any other ideas are always welcome.
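An added example, not from the thread or from Openswan: the icmp-traffic chain as posted beside a revised version that leaves the ICMP types Path MTU discovery depends on unthrottled, plus a small audit that flags the throttle in any rule script. It assumes the `$IPT` convention from the post and defaults to a dry run (printing the commands) so it can be reviewed without root.

```shell
#!/bin/sh
# IPT defaults to a dry run that prints each command; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# The chain as posted in the thread, kept for comparison: it rate limits
# fragmentation-needed and time-exceeded to 1/s like any other ICMP.
original_chain() {
    $IPT -N icmp-traffic
    $IPT -A icmp-traffic -p icmp --fragment -j DROP
    $IPT -A icmp-traffic -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
    $IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
    $IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m limit --limit 1/s -j ACCEPT
    $IPT -A icmp-traffic -p icmp -j DROP
}

# Revised chain: PMTUD and traceroute messages pass unthrottled. A tunnel
# has a smaller MTU than the LAN, and a dropped "fragmentation needed" is
# the classic reason TCP sessions across a VPN hang while pings still work.
revised_chain() {
    $IPT -N icmp-traffic
    $IPT -A icmp-traffic -p icmp --fragment -j DROP
    $IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A icmp-traffic -p icmp --icmp-type echo-reply -j ACCEPT
    # Unsolicited echo requests are the only type worth rate limiting here.
    $IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPT -A icmp-traffic -p icmp -j DROP
}

# Audit helper (hypothetical name): reads rule lines on stdin and prints how
# many throttle a PMTUD-critical ICMP type. 0 means the chain is PMTUD-safe.
count_throttled_pmtud_rules() {
    grep -E -- '--icmp-type (fragmentation-needed|time-exceeded)' \
        | grep -c -- '-m limit' || true
}

# Dry-run usage: show the posted chain's offending rule count, then the revised chain.
original_chain | count_throttled_pmtud_rules
revised_chain
```

Pipe an existing script's output through `count_throttled_pmtud_rules` to check a ruleset that is already deployed elsewhere.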