On 02/21/15 04:58, Paul Smith wrote: > On Fri, Feb 20, 2015 at 7:27 PM, Gordon Messmer > <gordon.mess...@gmail.com> wrote: >>> The truth, Gordon, is that after changing the firewall configuration >>> as described in the referred site, the issue was fixed. >> >> Yes, I understand that. But it sounds like GRE was allowed previously >> because it was "RELATED" to the pptp TCP connection before a kernel upgrade, >> but afterward it required a rule to allow it unconditionally (which is bad). >> >> I can't test that because I don't have any PPTP servers available, because >> PPTP is very bad security-wise. >> >> It would be useful to remove the rules that you added and verify that the >> PPTP connection fails. Then, boot an older kernel which was known to >> previously work and test the connection. If it works, then there's a kernel >> bug that should be reported. > Thanks, Gordon, for your reply. > > If the issue is caused by the kernel, cannot one speculate that is > deliberated in order to increase security? As Rick has just suggested, > one can restrict the GRE service to certain IPs, while allowing the > GRE service globally would leave the computer less secure (as the > older versions of kernels did, if your suspicion is correct). > > Paul
I don't use PPTP either, but it would seem worthwhile to file a bugzilla for completeness. -- If you can't laugh at yourself, others will gladly oblige. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
