[Openswan Users] Blocking udp 1701 from outside on 2.6.26 (netkey)
Willie Gillespie
wgillespie+openswan at es2eng.com
Mon Oct 11 19:02:38 EDT 2010
The way I've commonly done this is to allow traffic to udp/1701 if it is
encapsulated in IPsec, but then block it (either explicitly or by default,
depending on the rest of your firewall setup):
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
Gottfried Haider wrote:
> Hello all,
>
> I was wondering how one can go about preventing xl2tpd from being
> accessible to the outside world while still retaining the
> L2TP-over-IPsec capability. My system is a virtualized server running
> a 2.6.26 kernel which I cannot modify, so changing the kernel to KLIPS
> is not an option.
>
> For the setup I largely followed
> http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/. Over at
> Jacco de Leeuw's page [1] I read about the issue; unfortunately many
> of the pointers he gives on how to fix this aren't working anymore.
>
> What's the proper way to fix this nowadays? (I checked with nmap, port
> 1701 is indeed open|filtered.)
>
> regards,
> Gottfried
>
> [1] http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
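The policy-match approach from the reply above, as an added example (not code from the original thread or from Openswan): a script that emits an iptables-restore fragment exposing udp/1701 only to traffic the kernel has just decapsulated from IPsec, plus a small checker that confirms the ACCEPT rule sits before the unconditional DROP, since iptables is first-match and the order is the whole point. The IKE (udp/500, udp/4500) and ESP rules are assumptions about a typical NETKEY setup and are not part of the original post; the `l2tp_rules` and `check_order` function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan.
# Restrict xl2tpd (udp/1701) to IPsec-decapsulated traffic on a NETKEY kernel.
set -eu

# Emit an iptables-restore fragment for the filter table.
# The IKE/NAT-T/ESP rules are assumptions for a typical Openswan host;
# adjust to your own firewall.
l2tp_rules() {
    cat <<'EOF'
*filter
# IKE and NAT-T must reach pluto; ESP must reach the kernel for decapsulation.
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
# The decapsulated inner packet re-enters INPUT carrying an IPsec policy,
# so it matches here; a plain-text udp/1701 packet from the Internet does not.
-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
# Everything else aimed at xl2tpd is dropped.
-A INPUT -p udp --dport 1701 -j DROP
COMMIT
EOF
}

# check_order RULESET
# Return 0 when the policy-matched ACCEPT for udp/1701 appears before the
# unconditional DROP for udp/1701, 1 otherwise (missing rule or wrong order).
# Accepts either the fragment above or the output of `iptables -S INPUT`,
# which reorders options as "-p udp -m policy ... -m udp --dport 1701".
check_order() {
    accept=$(printf '%s\n' "$1" \
        | grep -n -e '--pol ipsec.*--dport 1701 -j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$1" \
        | grep -n -e '-p udp.*--dport 1701 -j DROP' \
        | grep -v -e '--pol ipsec' \
        | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]
}

# Stand-alone use: print the fragment and confirm its ordering.
l2tp_rules
check_order "$(l2tp_rules)" && echo "udp/1701 is reachable only via IPsec"
```

Load the fragment with `iptables-restore -n` (or fold the two INPUT rules into an existing ruleset) and re-run `check_order "$(iptables -S INPUT)"` afterwards to catch a later rule edit that slips a broader ACCEPT in front of the policy match; nmap from an outside host should then report 1701/udp as filtered rather than open.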