[Openswan Users] Firewall rules for openswan behind NAT

Neal Murphy neal.p.murphy at alum.wpi.edu
Thu Nov 21 21:44:35 UTC 2013


On Thursday, November 21, 2013 02:44:45 PM Paul Wouters wrote:
> On Thu, 21 Nov 2013, Fred Weston wrote:
> > Date: Thu, 21 Nov 2013 13:24:06
> > From: Fred Weston <fred.weston at lpga.com>
> > To: Paul Wouters <paul at nohats.ca>, "users at openswan.org" <users at openswan.org>
> > Subject: RE: [Openswan Users] Firewall rules for openswan behind NAT
> > 
> > net.ipv4.ip_forward=1 is present, net.ipv4.conf.default.rp_filter is set
> > to 1, not 0.  None of the other values are in the file.
> > 
> > Could you please help me understand what those values do?
> 
> rp_filter is a "smart" method for checking if a packet could not have
> legitimately come in through a certain interface. It gets confused when
> a decrypted packet's source ip appears "out of nowhere". It must be set
> to 0.
> 
> The redirect ones are to prevent the kernel from sending redirects ever.
> It is another stupid mechanism that gets confused by ipsec. If a packet
> comes in on a certain interface, and it would be sent out to the same
> interface, this causes a redirect to be sent - after all, why send it to
> the host if the host just sends it back; there must be a better path.
> Of course it fails to realise the packet came in encrypted and left
> decrypted with a totally different source/dest IP.

Thanks, Paul. Such wizardry is just beyond my journeyman's skills!

N
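
The check Fred was doing by hand, as an added example that is not part of the original thread: a shell function that audits a sysctl.conf-style file for the rp_filter and redirect settings Paul describes. The thread does not name the redirect keys, so the `send_redirects` key list is an assumption, and the file contents are constructed sample input.

```shell
#!/bin/sh
# Keys that should be 0 on the Openswan gateway. The kernel uses the max of
# conf/all and conf/<iface> for rp_filter, and sends redirects if either
# conf/all or conf/<iface> send_redirects is set, so "all" and "default" are
# both checked. (Key list is an assumption; the thread only names rp_filter.)
REQUIRED_ZERO="net.ipv4.conf.all.rp_filter
net.ipv4.conf.default.rp_filter
net.ipv4.conf.all.send_redirects
net.ipv4.conf.default.send_redirects"

# audit_ipsec_sysctl FILE
# Prints one "key: status" line per required key.
# Returns 1 if any key is missing or non-zero, 0 otherwise.
audit_ipsec_sysctl() {
    file=$1
    bad=0
    for key in $REQUIRED_ZERO; do
        # Strip comments and whitespace; the last assignment wins, as it
        # does when the file is loaded top to bottom.
        val=$(sed -e 's/[#;].*//' -e 's/[[:space:]]//g' "$file" |
              awk -F= -v k="$key" '$1 == k { v = $2; found = 1 }
                  END { if (found) print v; else print "unset" }')
        case $val in
            0)     echo "$key: ok" ;;
            unset) echo "$key: MISSING (kernel or distro default applies)"; bad=1 ;;
            *)     echo "$key: WRONG (is $val, want 0)"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample mirroring the file described in the thread:
# ip_forward present, default.rp_filter set to 1, nothing else.
sample_conf() {
    printf '%s\n' '# constructed sample' \
        'net.ipv4.ip_forward=1' \
        'net.ipv4.conf.default.rp_filter = 1'
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_ipsec_sysctl "$tmp" || echo "gateway sysctl settings need fixing"
rm -f "$tmp"
```

The file is only what gets applied at boot; compare against the running values with `sysctl -a` as well, since existing interfaces keep their own per-interface settings.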

