Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld



On 01.03.2017 17:11, Thomas Haller wrote:
On Wed, 2017-03-01 at 08:07 +0100, poma wrote:
From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001
From: poma <poma gmail com>
Date: Wed, 1 Mar 2017 07:05:40 +0100
Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.

With recent kernels, the Poptop - The PPTP Server for Linux (pptpd) requires
explicit load of nf_conntrack_pptp kernel module to achieve the
operating state of the service itself.
However this is not the case with the PPTP Client (pptp) on a Linux
based platform.
What is needed is to apply directly, rule within the firewalld, to grant proto gre,
to achieve the operating state of the client itself.

Ref.
https://bugzilla.redhat.com/show_bug.cgi?id=1187328
https://bugzilla.redhat.com/show_bug.cgi?id=1214643

Hi poma,

the patch does two things. I think there should be two patches for it.

1) drop loading the kernel module "nf_conntrack_pptp". The patch
basically reverts
https://git.gnome.org/browse/network-manager-pptp/commit/?id=695d4f2f3d1003e18be6f97bbb103e44f75d3c2b
but it's not explained why that is correct beyond "this is not the case
with...". It should be explained better what's wrong with 695d4f2f
and how that affects the two bugs that were closed by it. Will the issue
reappear, or was there a different issue in the first place?


Here, just for you, once again ;)

By Ryan Roth
6/07/2005
"Troubleshooting 'GRE: Protocol not available' errors"
http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml
#1. Client firewall:
"Make sure your client is not running a software firewall. If it is make sure port 1723 and protocol 47 are allowed."

Port 1723 is not a problem, but proto GRE is, meaning,
to achieve the operating state of the client itself,
"protocol 47 must be allowed" i.e. "grant proto gre".

2) call to firewallcmd. firewalld is commonly only available on
Fedora/RHEL, thus patch would cause a warning on Debian systems...
You would at least need to check whether such a binary file exists and
only call it if necessary.


I am a user of the Fedora - a Linux based operating system.
"Choose Freedom. Choose Fedora."
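
Added example (not part of the thread and not code from the network-manager-pptp patch): one way to do the check asked for in point 2, calling firewall-cmd only when the binary exists and firewalld is running, and allowing GRE in the runtime configuration only. The function names and the FIREWALL_CMD override are assumptions made for this example.

```shell
# Added example; FIREWALL_CMD and the function names below are hypothetical.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Succeeds only if the firewall-cmd binary exists AND the daemon answers.
# On systems without firewalld this fails quietly, with no warning printed.
firewalld_active() {
    command -v "$FIREWALL_CMD" >/dev/null 2>&1 || return 1
    "$FIREWALL_CMD" --state >/dev/null 2>&1
}

# Allow GRE (IP protocol 47) in the default zone, runtime configuration only:
# no --permanent, so the opening does not survive a firewalld reload.
# Prints one of: skipped | present | added | failed
gre_allow() {
    if ! firewalld_active; then
        echo skipped
        return 0
    fi
    if "$FIREWALL_CMD" --query-protocol=gre >/dev/null 2>&1; then
        echo present            # already allowed by the admin; leave it alone
        return 0
    fi
    if "$FIREWALL_CMD" --add-protocol=gre >/dev/null 2>&1; then
        echo added
    else
        echo failed
        return 1
    fi
}

# Close the opening again. Call this on disconnect only when gre_allow
# printed "added", so a rule the administrator configured is never removed.
# Prints one of: skipped | absent | removed | failed
gre_revoke() {
    if ! firewalld_active; then
        echo skipped
        return 0
    fi
    if ! "$FIREWALL_CMD" --query-protocol=gre >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    if "$FIREWALL_CMD" --remove-protocol=gre >/dev/null 2>&1; then
        echo removed
    else
        echo failed
        return 1
    fi
}
```
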



