
List:       openswan-users
Subject:    Re: [Openswan Users] anything wrong with these iptables?
From:       Tuomo Soini <tis () foobar ! fi>
Date:       2010-07-19 9:32:16
Message-ID: 4C441BA0.3080207 () foobar ! fi

Paul Wouters wrote:
> On Thu, 15 Jul 2010, Ryan McLeod wrote:
> 
> > I'm having some minor problems when a vpn re-establishes after one of the vpn
> > devices are rebooted. It's an ASA to openswan setup. I just want to know if these
> > iptable settings are proper.
> > $IPTABLES -A INPUT -p udp  --dport 500 -j ACCEPT
> > 
> > $IPTABLES -A OUTPUT -p udp  --dport 500 -j ACCEPT
> > $IPTABLES -A INPUT -p udp  --dport 4500 -j ACCEPT
> > $IPTABLES -A OUTPUT -p udp  --dport 4500 -j ACCEPT
> 
> This is not complete. The 4500 connection usually comes in from a random high port.
> 
> $IPTABLES -A OUTPUT -p udp  --sport 4500 -j ACCEPT

And for NAT-T, the initial NAT-T connection to UDP 500 comes from a random high
port too...

-- 
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
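
The following is an added example, not code from the thread or from Openswan: a small POSIX sh matcher that evaluates the posted rule set (and the same set plus the OUTPUT --sport 4500 rule from the first reply) against a few constructed packets, so the gap both replies point at is visible. The rule line format (CHAIN PROTO SPORT DPORT, with "any" as wildcard), the function names, and the peer's random high port 51234 are assumptions made for the example; the matcher only models the chain, protocol and port fields, not real iptables semantics.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny rule matcher that shows which
# IKE / NAT-T packets fall through to the chain policy when only --dport
# rules are present. Constructed rule format: CHAIN PROTO SPORT DPORT,
# where "any" is a wildcard. Only these four fields are modelled.

# The four rules as posted (destination port only).
INCOMPLETE_RULES='INPUT udp any 500
OUTPUT udp any 500
INPUT udp any 4500
OUTPUT udp any 4500'

# The same set plus the OUTPUT --sport 4500 rule suggested in the first reply.
WITH_SPORT_4500="$INCOMPLETE_RULES
OUTPUT udp 4500 any"

# match_port PATTERN PORT: true when PATTERN is "any" or equals PORT.
match_port() {
    [ "$1" = any ] || [ "$1" = "$2" ]
}

# verdict RULES CHAIN PROTO SPORT DPORT
# Prints ACCEPT if some rule matches the packet, otherwise POLICY, meaning
# the packet is left to the chain's default policy (DROP on a typical VPN gateway).
verdict() {
    rules=$1; chain=$2; proto=$3; sport=$4; dport=$5
    # A here-document keeps the loop in the current shell so "return" works.
    while read -r r_chain r_proto r_sport r_dport; do
        [ "$r_chain" = "$chain" ] || continue
        [ "$r_proto" = "$proto" ] || continue
        match_port "$r_sport" "$sport" || continue
        match_port "$r_dport" "$dport" || continue
        echo ACCEPT
        return 0
    done <<EOF
$rules
EOF
    echo POLICY
}

# Walk through the packets discussed in the thread and print each verdict.
# 51234 stands in for whatever random high port the NATed peer happens to use.
demo() {
    for set_name in INCOMPLETE_RULES WITH_SPORT_4500; do
        eval "rs=\$$set_name"
        printf '%s:\n' "$set_name"
        printf '  inbound NAT-T, peer random port -> our 4500 : %s\n' "$(verdict "$rs" INPUT  udp 51234 4500)"
        printf '  our reply, sport 4500 -> peer random port  : %s\n' "$(verdict "$rs" OUTPUT udp 4500 51234)"
        printf '  our reply, sport 500  -> peer random port  : %s\n' "$(verdict "$rs" OUTPUT udp 500 51234)"
    done
}
demo
```

Running it prints POLICY for the reply path on both port 4500 and port 500 with the posted rules, ACCEPT for 4500 once the --sport 4500 rule is added, and still POLICY for the sport-500 reply, which is the case the second reply adds. On a real gateway the usual way to avoid enumerating every reverse direction is a stateful rule such as `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` ahead of the port-specific ones.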

