[Openswan Users] Firewall rules for openswan behind NAT

Thu Nov 21 18:24:06 UTC 2013

net.ipv4.ip_forward=1 is present, net.ipv4.conf.default.rp_filter is set to 1, not 0.  None of the other values are in the file.

Could you please help me understand what those values do?

-----Original Message-----
From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Paul Wouters
Sent: Thursday, November 21, 2013 12:09 PM
To: users at openswan.org
Subject: Re: [Openswan Users] Firewall rules for openswan behind NAT

On Thu, 21 Nov 2013, Fred Weston wrote:

[ cut fred from reply, as it generates errors - guess he might see this on the list itself ]

> Each openswan box does only have one interface.  On that interface it has a 10.x.x.x IP address which serves as both access to the local subnet as well as Internet access via 1:1 NAT to a public IP.

Then check your /etc/sysctl.conf settings to ensure they contain:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1

The linux kernel with xfrm is known to do really stupid icmp redirects when used with only a single interface.

Paul
--
Libreswan Developer - https://libreswan.org/ Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.