[Openswan Users] RDP from internal NET to VPN client fails, and some other strangness..

dashnu dashnu at gmail.com
Mon Nov 20 14:40:34 EST 2006


On Nov 20, 2006, at 12:19 PM, Paul Wouters wrote:

> On Mon, 20 Nov 2006, dashnu wrote:
>> Still no luck. I have done the following things.
> that's correct:
>> Input:
>> # ICMP
>> $IPT -N icmp-traffic
>> $IPT -A icmp-traffic -p icmp --fragment -j DROP
>> $IPT -A icmp-traffic -p icmp --icmp-type echo-reply -m limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp --icmp-type echo-request -m limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp --icmp-type time-exceeded -m limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp --icmp-type fragmentation-needed -m  
>> limit \
>> --limit 1/s -j ACCEPT
>> $IPT -A icmp-traffic -p icmp -j DROP
> http://www.znep.com/~marcs/mtu/

I read this. As of now I feel my pmtu should be working as expected.
>> Limit should keep me out of trouble as far DOS attacks go.. and I  
>> would
>> imagine this limit would not interrupt regular use.
> It wont help you against DOS attacks. Sure, on DOS attacks using  
> ICMP. But
> any other DOS attack still hits you.

Of course.
> Don't filter ICMP. Especially not when your have your /proc  
> settings to
> disable all source courting and redirection icmps anyway.

for input output & forward I now allow icmp.

I run into the exact same issue. The only thing I think it can be now  
is the client on the other ends router.

> Paul

Thanks Paul, Any other ideas always welcome.

More information about the Users mailing list