[Openswan Users] Firewall rules for openswan behind NAT
Paul Wouters
paul at nohats.ca
Thu Nov 21 17:08:56 UTC 2013
On Thu, 21 Nov 2013, Fred Weston wrote:
[ cut fred from reply, as it generates errors - guess he might see this
on the list itself ]
> Each openswan box does only have one interface. On that interface it has a 10.x.x.x IP address which serves as both access to the local subnet as well as Internet access via 1:1 NAT to a public IP.
Then check your /etc/sysctl.conf settings to ensure they contain:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
The Linux kernel with xfrm is known to do really stupid ICMP redirects
when used with only a single interface.
Paul
--
Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/