
List:       openbsd-misc
Subject:    Re: Problems with PPtP client behind 3.1-current machine
From:       "Robert S." <robert () mrsquirrel ! com>
Date:       2002-04-30 16:32:47

pass out quick on $ext_if proto gre from $arena to $flater


The TCP control channel is allowed in your default pass out all TCP
traffic rule, but GRE isn't TCP, UDP, or ICMP, so it needs its own pass
rules.

To get this working for multiple clients behind this firewall I believe
you need to recompile your kernel without GRE in it (although that might
be old information).  When you look at your pflog, it should be saying
that the GRE traffic is being dropped by (what looks like) rule 2.  HTH.


> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of Alex Slok
> Sent: Monday, April 29, 2002 4:03 PM
> To: OpenBSD List
> Subject: Problems with PPtP client behind 3.1-current machine
> 
> 
> Hi all,
> 
> I have a question concerning a PPtP client behind a 
> 3.1-current machine doing NAT. Below is my /etc/pf.conf and 
> for now it's working great. The only problem is connecting to 
> my company's PPtP server.
> 
> When I change the pf.conf to the default ruleset => pass in 
> all, pass out all, everything is working fine, but with the 
> below shown configuration I get stuck on "Verifying username 
> and password".
> 
> Can anyone tell me if I made a mistake or a typo of some 
> kind, or do I have to make some special rule for allowing GRE 
> packets into my gateway? I have a rule for GRE, but that 
> doesn't seem to work :)
> 
> Greetz,
> 
> Alex
> 
> 
> # /etc/pf.conf
> 
> # Useful variables
>   ftp-proxy="{ 55000 >< 57000 }"        # Proxied port range for Active FTP proxy
>   ext_if="ne3"                          # External Interface
>   int_if="ep1"                          # Internal Interface
>   sorlag="192.168.2.3"                  # Local OpenBSD Server
>   arena="192.168.2.5"                   # Windows XP Client (VPN Client)
>   reznor="192.168.2.6"                  # My wife's Windows 98se Machine :)
>   flater="x.x.x.x"                      # Company's VPN (PPtP) Server
>   tcpstatepolicy ="keep state"
> 
> # Rule for Active FTP Proxy
>   pass in quick on $ext_if proto tcp from any port 20 to \
>   $ext_if port $ftp-proxy flags S/SA $tcpstatepolicy
> 
> # Default policy.  The inet keyword means only ipv4.
>   block             out log on $ext_if           all
>   block             in      on $ext_if           all
>   block return-rst  out log on $ext_if proto tcp all
>   block return-rst  in      on $ext_if proto tcp all
>   block return-icmp out log on $ext_if proto udp all
>   block return-icmp in      on $ext_if proto udp all
> 
> # silently drop broadcasts (cable modem noise)
>   block in quick on $ext_if from any to 255.255.255.255
> 
> # Not yet functional in this release of pf. It would drop all broadcasts.
> # block in quick on $ext_if from any to 255.255.255.255/0.0.0.255
> 
> # Reserved.
>   block in quick on $ext_if from { 192.168.0.0/16, 172.16.0.0/12, \
>   10.0.0.0/8, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
>   204.152.64.0/23, 224.0.0.0/3, 20.20.20.0/24, 255.255.255.255 } to any
> 
> # block and log outgoing packets that don't have our address as source.
>   block out log quick on $ext_if from ! $ext_if to any
> 
> # ICMP error messages are handled by the TCP/UDP states.
>   pass out on $ext_if inet proto icmp all icmp-type 8 code 0 $tcpstatepolicy
>   pass in  on $ext_if inet proto icmp all icmp-type 8 code 0 $tcpstatepolicy
> 
> # pass out all UDP connections and keep state
>   pass out on $ext_if proto udp all $tcpstatepolicy
> 
> # Allow outgoing DNS requests.
>   pass in quick proto udp from any to any port 53 $tcpstatepolicy
> 
> # pass out all TCP connections and keep state/modulate state.
>   pass out on $ext_if proto tcp all $tcpstatepolicy
> 
> # block TCP flag combinations used in scanning and OS identification
>   block in quick on $ext_if inet proto tcp all flags SF/SFRA
>   block in quick on $ext_if inet proto tcp all flags /SFRA
>   block in quick on $ext_if inet proto tcp all flags F/SFRA
>   block in quick on $ext_if inet proto tcp all flags U/SFRAU
>   block in quick on $ext_if inet proto tcp all flags P
> 
> # Allow various services provided by the Internal LAN
>   pass in quick on $ext_if proto tcp from any to $ext_if port 22 $tcpstatepolicy
>   pass in quick on $ext_if proto gre from $flater to $arena
>   pass in quick on $ext_if proto tcp from any to $arena port 3389 $tcpstatepolicy
>   pass in quick on $ext_if proto tcp from any to $reznor port 48990 $tcpstatepolicy
>   pass in quick on $ext_if proto tcp from any to $arena port 21 $tcpstatepolicy
>   pass in quick on $ext_if proto tcp from any to $sorlag port 3782 $tcpstatepolicy
>   pass in quick on $ext_if proto udp from any to $sorlag port 3783
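Robert's point (the outbound GRE packets fall through to the "block out" rule while inbound GRE and the TCP control channel are covered) can be checked with a small model of pf's matching order. The script below is an added example, not code from the thread or from pf itself: it models only last-match-wins plus `quick` over a subset of Alex's rules (interface, ports, NAT and state are ignored; rule numbers are positions in the quoted pf.conf, counting rules only) and reports which rule decides each constructed PPTP packet, with and without the proposed outbound GRE rule.

```python
ANY = "any"

def rule(no, action, direction, proto=ANY, src=ANY, dst=ANY, quick=False):
    """One filter rule; 'no' is its position among the quoted pf.conf rules."""
    return {"no": no, "action": action, "dir": direction, "proto": proto,
            "src": src, "dst": dst, "quick": quick}

# Macros from the quoted pf.conf; x.x.x.x is the poster's own placeholder.
ARENA, FLATER = "192.168.2.5", "x.x.x.x"

# Subset of the quoted rules in file order (only what can touch these packets).
RULESET = [
    rule(2, "block", "out"),                     # block out log on $ext_if all
    rule(3, "block", "in"),                      # block in on $ext_if all
    rule(13, "pass", "out", proto="udp"),        # pass out on $ext_if proto udp all
    rule(15, "pass", "out", proto="tcp"),        # pass out on $ext_if proto tcp all
    rule(22, "pass", "in", proto="gre", src=FLATER, dst=ARENA, quick=True),
]

# The rule the reply proposes, appended after the existing ones.
GRE_OUT_FIX = rule(23, "pass", "out", proto="gre", src=ARENA, dst=FLATER, quick=True)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["proto"] in (ANY, pkt["proto"])
            and r["src"] in (ANY, pkt["src"])
            and r["dst"] in (ANY, pkt["dst"]))

def evaluate(ruleset, pkt):
    """Return (rule number, action) deciding pkt under pf semantics: the last
    matching rule wins, except that a matching 'quick' rule ends evaluation
    at once. If nothing matches, pf passes by default (modelled as rule 0)."""
    decision = (0, "pass")
    for r in ruleset:
        if matches(r, pkt):
            decision = (r["no"], r["action"])
            if r["quick"]:
                break
    return decision

# Constructed packets for the PPTP session discussed in the thread.
OUT_TCP = {"dir": "out", "proto": "tcp", "src": ARENA, "dst": FLATER}  # control channel
OUT_GRE = {"dir": "out", "proto": "gre", "src": ARENA, "dst": FLATER}  # tunnel data out
IN_GRE = {"dir": "in", "proto": "gre", "src": FLATER, "dst": ARENA}    # tunnel data in

if __name__ == "__main__":
    for name, pkt in (("tcp out", OUT_TCP), ("gre out", OUT_GRE), ("gre in", IN_GRE)):
        print(name, "->", evaluate(RULESET, pkt))
    print("gre out with fix ->", evaluate(RULESET + [GRE_OUT_FIX], OUT_GRE))
```

Outbound GRE is decided by rule 2 (the logged block, which is what shows up in pflog), while appending the quick pass rule makes it the deciding rule instead.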