Re: [PATCH] nm-pptp-service: Grant proto GRE by firewalld
On Wed, Mar 1, 2017 at 6:14 PM poma <pomidorabelisima gmail com> wrote:
On 01.03.2017 17:11, Thomas Haller wrote:
> On Wed, 2017-03-01 at 08:07 +0100, poma wrote:
>> From 28b7713cda1deba1b54bd9e52b0d62716e356b66 Mon Sep 17 00:00:00 2001
>> From: poma <poma gmail com>
>> Date: Wed, 1 Mar 2017 07:05:40 +0100
>> Subject: [PATCH] nm-pptp-service: Grant proto GRE by firewalld.
>>
>> With recent kernels, Poptop - The PPTP Server for Linux (pptpd) requires
>> explicit loading of the nf_conntrack_pptp kernel module to achieve the
>> operating state of the service itself.
>> However, this is not the case with the PPTP Client (pptp) on a Linux
>> based platform.
>> What is needed is to apply a rule directly within firewalld to grant
>> proto gre, to achieve the operating state of the client itself.
>>
>> Ref.
>> https://bugzilla.redhat.com/show_bug.cgi?id=1187328
>> https://bugzilla.redhat.com/show_bug.cgi?id=1214643
>
> Hi poma,
>
> the patch does two things. I think there should be two patches for it.
>
> 1) drop loading the kernel module "nf_conntrack_pptp". The patch
> basically reverts
> https://git.gnome.org/browse/network-manager-pptp/commit/?id=695d4f2f3d1003e18be6f97bbb103e44f75d3c2b
> but it's not explained why that is correct beyond "this is not the case
> with...". It should be explained better what's wrong with 695d4f2f
> and how that affects the two bugs that were closed by it. Will the issue
> reappear, or was there a different issue in the first place?
>

Here, just for you, once again ;)

By Ryan Roth
6/07/2005
"Troubleshooting 'GRE: Protocol not available' errors"
http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml
#1. Client firewall:
"Make sure your client is not running a software firewall. If it is make sure port 1723 and protocol 47 are allowed."

Port 1723 is not a problem, but proto GRE is, meaning that,
to achieve the operating state of the client itself,
"protocol 47 must be allowed", i.e. "grant proto gre".

> 2) call to firewallcmd. firewalld is commonly only available on
> Fedora/RHEL, thus patch would cause a warning on Debian systems...
> You would at least need to check whether such a binary file exists and
> only call it if necessary.
>

I am a user of Fedora, a Linux-based operating system.
"Choose Freedom. Choose Fedora."

Well, even in Fedora, firewalld is not guaranteed to be installed. And even if it's installed, it's not guaranteed to be used/running.
So blindly using firewall-cmd is wrong on any Linux distro.

Jeka
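The check Thomas and Jeka ask for, written out as an added example (this is not the patch's code and not network-manager-pptp code): probe for the `firewall-cmd` binary and for a running firewalld before touching it, fall back to iptables where that is what the host has, and otherwise refuse rather than blindly run a tool that may not exist. The zone name "public", the use of the `--add-protocol=gre` zone option, and the iptables fallback rule are assumptions of this example; the backend decision takes explicit flags so it can be exercised without modifying the live host.

```shell
#!/bin/sh
# Added example for the thread above; not network-manager-pptp code.
# A PPTP client needs TCP/1723 *and* IP protocol 47 (GRE) allowed on the
# host firewall. This script grants GRE without assuming firewalld exists:
# it probes for the binary and a running daemon first, falls back to
# iptables, and otherwise does nothing. Zone "public" is an assumption.

ZONE="${PPTP_ZONE:-public}"

# 0 if firewall-cmd is on PATH and firewalld answers (--state exits 0 only
# when the daemon is running; it exits non-zero when it is not).
probe_firewalld() {
    command -v firewall-cmd >/dev/null 2>&1 || return 1
    firewall-cmd --state >/dev/null 2>&1
}

# 0 if an iptables binary is available (legacy or nft-backed wrapper).
probe_iptables() {
    command -v iptables >/dev/null 2>&1
}

# Choose a backend from explicit 0/1 facts so the decision is testable
# without touching the real system. Prints: firewalld, iptables or none.
select_backend() {
    fw_running="$1"
    ipt_present="$2"
    if [ "$fw_running" = 1 ]; then
        echo firewalld
    elif [ "$ipt_present" = 1 ]; then
        echo iptables
    else
        echo none
    fi
}

# Print (do not run) the command that grants GRE for the chosen backend.
# The firewalld rule is runtime-only on purpose: a PPTP session is transient.
gre_grant_command() {
    case "$1" in
        firewalld) echo "firewall-cmd --zone=$ZONE --add-protocol=gre" ;;
        iptables)  echo "iptables -I INPUT -p gre -j ACCEPT" ;;
        none)      echo "" ;;
        *)         return 2 ;;
    esac
}

# Probe the live host, pick a backend, then report or apply the command.
# Returns 1 (and grants nothing) when no usable firewall tool was found.
grant_gre() {
    fw=0
    ipt=0
    probe_firewalld && fw=1
    probe_iptables && ipt=1
    backend=$(select_backend "$fw" "$ipt")
    cmd=$(gre_grant_command "$backend")
    if [ -z "$cmd" ]; then
        echo "no usable firewall tool found; GRE not granted" >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: $cmd"
    else
        # Intentional word splitting: $cmd is a single argv built above.
        $cmd
    fi
}

# Only act when invoked explicitly; sourcing the file defines functions only.
case "${1:-}" in
    --dry-run) grant_gre ;;
    --apply)   DRY_RUN=0 grant_gre ;;
esac
```

`sh grant-gre.sh --dry-run` prints what would be executed on this host; `--apply` runs it and needs root. The firewalld branch deliberately omits `--permanent`, matching the transient nature of a client VPN session; if the rule must survive a reload, add it to the permanent configuration as well.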