From: "Kerin Millar" <kfm@plushkava.net>
To: "Martin Brampton" <martin@black-sheep-research.com>,
netfilter@vger.kernel.org
Subject: Re: VPN nftables
Date: Fri, 11 Oct 2024 10:02:06 +0100
Message-ID: <afa35ef5-37d3-42f4-a429-3c63d99a189e@app.fastmail.com>
In-Reply-To: <a6bd13dd-5536-4aed-93e3-51b14012bb57@mtasv.net>
On Fri, 11 Oct 2024, at 7:40 AM, Martin Brampton wrote:
> Thanks, I'm sure that makes sense. But I'm on the point of abandoning
> the use of nftables with openvpn. I've already spent several days on
> this. Other servers (about 15 in all) are running with nftables, and I
> would prefer total consistency, but not at any price.
>
> When I say can't access any services, I mean literally that. I can
> create a new server, install openvpn, connect to it and use services
> like ssh, mosh, https, imaps... And I can do that with an iptables firewall.
>
> But as soon as I add nftables (removing iptables) and connect to the
> server as a VPN, mosh sessions stop, web access ceases, mail access
> ceases. Given that the ruleset opens all output ports, on the face of
> it, that should not happen.
>
> And from that point I cannot find any way back to a working VPN server,
> which makes testing harder, and is disastrous for a live VPN server.
I take it that there is no out-of-band management system in place for the affected server? If so, you might consider whether the kernel is panicking. Given the use of Debian 12, it would be surprising but by no means impossible.
You can test rulesets more safely by using tmux or GNU screen and running "nft -f /path/to/ruleset; sleep 10; nft flush ruleset". Assuming that you are able to access the server after the ruleset has been flushed, there would be no practical impediment to tracing as a debugging method.
--
Kerin Millar
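The "load, sleep, flush" idea in the message above can be turned into a small script that also restores the previous ruleset instead of leaving the host unfiltered. The following is an added example, not code from the thread or from the nftables project; the NFT, DELAY and CONFIRM_FILE variables and the apply_with_rollback function are my own names, while the `nft list ruleset`, `nft -f` and `nft flush ruleset` invocations are standard. Run it inside tmux or GNU screen so the shell keeps going if the new ruleset cuts off the SSH session you started it from.

```shell
#!/bin/sh
# Added example (not from the thread): load an nftables ruleset with an
# automatic rollback, in the spirit of "nft -f ...; sleep 10; nft flush ruleset".
# Assumptions (my own, not from the original message): the variables NFT,
# DELAY and CONFIRM_FILE and the function apply_with_rollback.

NFT="${NFT:-nft}"                             # nft binary (overridable for tests)
DELAY="${DELAY:-10}"                          # seconds before automatic rollback
CONFIRM_FILE="${CONFIRM_FILE:-/run/nft-confirm}"

# apply_with_rollback RULESET_FILE
# Snapshots the live ruleset, loads RULESET_FILE, then waits up to DELAY
# seconds for CONFIRM_FILE to appear (touch it from a second session once you
# have verified that ssh, https, etc. still work through the VPN). If it does
# not appear, the snapshot is restored. Returns 0 when the new ruleset is
# kept, 1 when it was rolled back, 2 when the ruleset could not be loaded.
apply_with_rollback() {
    ruleset="$1"
    saved=$(mktemp) || return 2
    rm -f "$CONFIRM_FILE"
    # Save the current ruleset so rollback restores it rather than leaving the
    # host with no rules at all (a bare flush would open everything).
    "$NFT" list ruleset > "$saved" || { rm -f "$saved"; return 2; }
    if ! "$NFT" -f "$ruleset"; then
        rm -f "$saved"
        return 2
    fi
    echo "Ruleset loaded; touch $CONFIRM_FILE within ${DELAY}s to keep it." >&2
    i=0
    while [ "$i" -lt "$DELAY" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$saved" "$CONFIRM_FILE"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    # No confirmation arrived: drop the candidate ruleset and restore the snapshot.
    "$NFT" flush ruleset
    "$NFT" -f "$saved"
    rm -f "$saved"
    return 1
}
```

Usage from a tmux window: `apply_with_rollback /etc/nftables.conf`; then, from a second SSH session that you open after the load, `touch /run/nft-confirm` once you have confirmed that the VPN clients can still reach the services they need. If that second session never connects, the previous ruleset is back within DELAY seconds and you can inspect the candidate with `nft -c -f` or the trace facility at leisure.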