ocserv-fw script design
lance at 3t218.org
Fri May 6 05:36:26 PDT 2016
I'm trying to understand why the ocserv-fw script makes use of the
iptables INPUT chain. One would think that the FORWARD chain would be
where the script would put all of the allow/deny rules since traffic
will need to be forwarded from the tun interface to eth0 if it wants
to get out to other networks. I know that $INPUT_CHAIN can be set to
whatever I'd like, but there are several places where the INPUT chain
is hardcoded in the script.
I'd also like to understand why ocserv-fw appears to create empty
INPUT-ocserv-fw-vpns* chains which cause the rules in the INPUT chain
which reference said chains to go nowhere useful. It seems to me that
the INPUT-ocserv-fw-vpns* chains should each have a blanket allow rule
so that the rules in the INPUT (should be FORWARD?) chain which
reference them actually work.
Am I thinking about this all wrong?
Compiled with seccomp, oath, PAM, PKCS#11, AnyConnect,
GnuTLS version: 3.4.11
More information about the openconnect-devel