List:       openbsd-pf
Subject:    pf nat + gre (pptp pass through)
From:       Dominique Jacquel <dom () dcoded ! co ! uk>
Date:       2004-07-30 20:12:22
Message-ID: 410AABA6.2070800 () dcoded ! co ! uk

hi,

I have installed a few OpenBSD firewalls in front of windows-based 
networks and in a few cases, there is a need to allow multiple PPTP vpn 
tunnels to pass through the firewall. A typical installation requires the 
firewall (single external IP) to redirect incoming PPTP connections to an 
internal server. It also requires that some client machines within the 
LAN be able to initiate PPTP connections with other sites. Currently, 
OpenBSD/PF cannot *properly* nat the GRE protocol so multiple connections 
are out of the question. By properly I mean that there is no support 
for the callID which can be used as fake port numbers to allow multiple 
channels through. Linux 2.2 did this with the ip_masq_pptp module and I 
suppose 2.4 and 2.6 have similar masquerading modules ... so it is possible! 
At present, openbsd 3.5 running on soekris 4801 is so unhappy about this 
that it very quickly crashes when multiple tunnels are launched! :-(

I posted on misc@openbsd.org on the same topic a few days ago. I have 
looked at the problem a bit closer now and I am hoping to get comments 
and advice ... and hopefully a bit of flame too! :-) I have studied some 
of the pf code in search for a solution and this is the solution I am 
pondering:

GRE packets passing through never reach the gre protocol handler in 
openbsd (right?) so PF must be taught to handle gre callID stuff itself 
and use that as fake port numbers. This would involve creating gre 
specific functions such as pf_test_gre(...) and pf_test_state_gre(...) 
in pf.c. These functions would read the gre header and use the callID 
values as fake dport or sport which in theory would allow nat and rdr to 
route packets to their true destination.
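As an added illustration of what such a handler has to do (this is not code from the post above nor from OpenBSD pf), here is a small C decoder for the PPTP "enhanced GRE" header of RFC 2637 plus a call-ID translation table. The function names pptp_gre_parse, pptp_nat_alloc and pptp_nat_inbound, the sample packet bytes and the starting external call ID are all made up for the example; the outer IP header (and its checksum fix-up when the destination is rewritten) is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenBSD pf code. Decodes the PPTP "enhanced GRE"
 * header (RFC 2637, section 4.1) and keeps a small call-ID translation
 * table, which is what a pf_test_gre()-style handler would need so that
 * the Call ID can stand in for a port. The outer IP header is not handled. */

#define GRE_C     0x80   /* byte 0: checksum present, must be 0 for PPTP */
#define GRE_R     0x40   /* byte 0: routing present,  must be 0 for PPTP */
#define GRE_K     0x20   /* byte 0: key present,      must be 1 for PPTP */
#define GRE_S     0x10   /* byte 0: sequence number present */
#define GRE_A     0x80   /* byte 1: acknowledgement number present */
#define GRE_VER   0x07   /* byte 1: version, 1 = enhanced GRE */
#define PROTO_PPP 0x880B

struct pptp_gre {
    uint16_t payload_len, call_id;  /* call_id is the *receiver's* call ID */
    uint32_t seq, ack;
    int has_seq, has_ack;
    size_t hdr_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* 0 on success, -1 for anything that is not a well-formed PPTP GRE packet;
 * a filter should drop the latter rather than guess at the fields. */
int pptp_gre_parse(const uint8_t *pkt, size_t len, struct pptp_gre *g)
{
    if (len < 8 || (pkt[0] & (GRE_C | GRE_R)) || !(pkt[0] & GRE_K) ||
        (pkt[1] & GRE_VER) != 1 || rd16(pkt + 2) != PROTO_PPP)
        return -1;
    memset(g, 0, sizeof *g);
    g->payload_len = rd16(pkt + 4);
    g->call_id = rd16(pkt + 6);
    g->has_seq = (pkt[0] & GRE_S) != 0;
    g->has_ack = (pkt[1] & GRE_A) != 0;
    size_t off = 8;
    if (g->has_seq) { if (len < off + 4) return -1; g->seq = rd32(pkt + off); off += 4; }
    if (g->has_ack) { if (len < off + 4) return -1; g->ack = rd32(pkt + off); off += 4; }
    if (g->payload_len > len - off) return -1;  /* header claims more than arrived */
    g->hdr_len = off;
    return 0;
}

/* Translation state. Outbound data carries the server's call ID and needs no
 * rewrite; inbound data carries the client's call ID, so two LAN clients that
 * picked the same ID must be told apart by an external ID the gateway assigned
 * when it saw the client's Outgoing-Call-Request on the TCP/1723 control channel. */
struct pptp_nat_entry {
    uint32_t lan_ip, peer_ip;
    uint16_t lan_call_id, wan_call_id;
    int used;
};
#define NAT_MAX 16
static struct pptp_nat_entry nat_tab[NAT_MAX];
static uint16_t next_wan_call_id = 0x4000;   /* constructed starting value */

/* Record a new call; returns the external call ID to write into the control
 * packet, or 0 if the table is full. */
uint16_t pptp_nat_alloc(uint32_t lan_ip, uint16_t lan_cid, uint32_t peer_ip)
{
    for (int i = 0; i < NAT_MAX; i++) {
        if (nat_tab[i].used) continue;
        nat_tab[i] = (struct pptp_nat_entry){ lan_ip, peer_ip, lan_cid, next_wan_call_id++, 1 };
        return nat_tab[i].wan_call_id;
    }
    return 0;
}

/* Inbound GRE from peer_ip: validate, map the external call ID back to the
 * client's own ID in place, and report which LAN host should receive it.
 * Returns 0 if translated, -1 to drop. */
int pptp_nat_inbound(uint32_t peer_ip, uint8_t *pkt, size_t len, uint32_t *lan_ip)
{
    struct pptp_gre g;
    if (pptp_gre_parse(pkt, len, &g) < 0) return -1;
    for (int i = 0; i < NAT_MAX; i++) {
        struct pptp_nat_entry *e = &nat_tab[i];
        if (!e->used || e->peer_ip != peer_ip || e->wan_call_id != g.call_id) continue;
        pkt[6] = (uint8_t)(e->lan_call_id >> 8);    /* PPTP GRE has no checksum, */
        pkt[7] = (uint8_t)(e->lan_call_id & 0xff);  /* so nothing else to fix up */
        *lan_ip = e->lan_ip;
        return 0;
    }
    return -1;   /* no matching state: unsolicited GRE, drop it */
}
```

The point the table makes is the one the post is circling: the call ID in a data packet is the receiver's, so it is only a usable "port" once the gateway has also watched the TCP/1723 control exchange where the IDs were agreed, and GRE with no matching state should simply be dropped.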

This is obviously a simplistic description of the work involved, but 
does this sound like the right way to go about this?
If it is, could anybody give me pointers on the standard practice in 
kernel debugging?
If not, what else could be done to solve this? pptp proxy? Please don't 
say, "don't use pptp!" as this is not my choice but the customer's.

Finally, and as a consequence of the problem encountered, I was 
wondering if there was any way to configure pf to only allow one 
connection of a given type at a time (i.e. only allow one active state 
for a given rule). This could be used to prevent the gre mess that 
results from multiple pptp connections but might have other applications 
that escape me just now!

Thank you for your time,
Dom.

-- 
Dr Dominique Jacquel
DCoded Limited
www.dcoded.co.uk
d.jacquel@dcoded.co.uk