List: openbsd-pf
Subject: pf nat + gre (pptp pass through)
From: Dominique Jacquel <dom () dcoded ! co ! uk>
Date: 2004-07-30 20:12:22
Message-ID: 410AABA6.2070800 () dcoded ! co ! uk
hi,
I have installed a few OpenBSD firewalls in front of Windows-based
networks and in a few cases there is a need to allow multiple PPTP VPN
tunnels to pass through the firewall. A typical installation requires the
firewall (single external IP) to redirect incoming PPTP connections to an
internal server. It also requires that some client machines within the
LAN be able to initiate PPTP connections with other sites. Currently,
OpenBSD/PF cannot *properly* NAT the GRE protocol, so multiple connections
are out of the question. By properly I mean that there is no support
for the callID, which can be used as fake port numbers to allow multiple
channels through. Linux 2.2 did this with the ip_masq_pptp module and I
suppose 2.4 and 2.6 have similar masquerading modules ... so it is possible!
At present, OpenBSD 3.5 running on a Soekris 4801 is so unhappy about this
that it very quickly crashes when multiple tunnels are launched! :-(
I posted on misc@openbsd.org on the same topic a few days ago. I have
looked at the problem a bit closer now and I am hoping to get comments
and advice ... and hopefully a bit of flame too! :-) I have studied some
of the pf code in search for a solution and this is the solution I am
pondering:
GRE packets passing through never reach the GRE protocol handler in
OpenBSD (right?), so PF must be taught to handle the GRE callID stuff itself
and use that as fake port numbers. This would involve creating GRE
specific functions such as pf_test_gre(...) and pf_test_state_gre(...)
in pf.c. These functions would read the GRE header and use the callID
values as fake dport or sport, which in theory would allow nat and rdr to
route packets to their true destination.
This is obviously a simplistic description of the work involved, but
does this sound like the right way to go about this?
If it is, could anybody give me pointers on the standard practice in
kernel debugging?
If not, what else could be done to solve this? pptp proxy? Please don't
say, "don't use pptp!" as this is not my choice but the customer's.
Finally, and as a consequence of the problem encountered, I was
wondering if there was any way to configure pf to only allow one
connection of a given type at a time (i.e. only allow one active state
for a given rule). This could be used to prevent the GRE mess that
results from multiple PPTP connections but might have other applications
that escape me just now!
Thank you for your time,
Dom.
--
Dr Dominique Jacquel
DCoded Limited
www.dcoded.co.uk
d.jacquel@dcoded.co.uk
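As an added example (written for this archive page; it is not code from Dom's mail or from pf.c), here is the GRE header handling a pf_test_gre() as proposed above would have to start with: it checks the RFC 2637 enhanced-GRE fields and pulls out the Call ID to serve as the fake port. The function names, struct layout and sample bytes are assumptions of the example.

```c
/* Added example, not from the post or from pf.c: parse the PPTP-enhanced GRE
 * header (RFC 2637) and extract the Call ID the post proposes as a fake port
 * for a pf state key, with the checks a pf_test_gre() would need first. */
#include <stddef.h>
#include <stdint.h>
#define GRE_FLAG_K    0x20    /* byte 0: Key present (payload length + Call ID) */
#define GRE_FLAG_S    0x10    /* byte 0: sequence number present */
#define GRE_FLAG_A    0x80    /* byte 1: acknowledgment number present */
#define GRE_PROTO_PPP 0x880B  /* protocol type for PPP carried in GRE */

struct pptp_gre {
    uint16_t call_id;     /* receiver's Call ID for this session */
    uint16_t payload_len; /* PPP payload bytes after the GRE header */
    int has_seq, has_ack;
    size_t hdr_len;       /* GRE header length: 8, 12 or 16 bytes */
};

/* Returns 0 on success, -1 if this is not a well-formed PPTP GRE header. */
int pptp_gre_parse(const uint8_t *p, size_t len, struct pptp_gre *out)
{
    if (len < 8) return -1;
    uint8_t b0 = p[0], b1 = p[1];
    if ((b1 & 0x07) != 1) return -1;            /* version 1 = enhanced GRE */
    if (!(b0 & GRE_FLAG_K)) return -1;          /* Call ID lives in the Key */
    if ((b0 & 0xCF) || (b1 & 0x78)) return -1;  /* C, R, s, Recur, Flags are 0 */
    if (((p[2] << 8) | p[3]) != GRE_PROTO_PPP) return -1;
    out->payload_len = (uint16_t)((p[4] << 8) | p[5]);
    out->call_id     = (uint16_t)((p[6] << 8) | p[7]);
    out->has_seq = (b0 & GRE_FLAG_S) != 0;
    out->has_ack = (b1 & GRE_FLAG_A) != 0;
    out->hdr_len = 8 + (out->has_seq ? 4 : 0) + (out->has_ack ? 4 : 0);
    if (len < out->hdr_len + out->payload_len) return -1;  /* truncated */
    return 0;
}

/* The fake port the post proposes: the Call ID, or -1 if not PPTP GRE.
 * Caveat from RFC 2637: the Call ID in the header is the receiver's, so the
 * two directions of one tunnel carry different values and a NAT must learn
 * the pairing from the TCP/1723 control channel, not from GRE alone. */
int pptp_gre_fake_port(const uint8_t *p, size_t len)
{
    struct pptp_gre g;
    return pptp_gre_parse(p, len, &g) == 0 ? (int)g.call_id : -1;
}
/* Constructed samples: a PPTP GRE packet (K|S, version 1, Call ID 0xBEEF,
 * sequence 1, 4-byte payload) and a plain RFC 1701 GRE header carrying IP. */
static const uint8_t sample_pptp_gre[] = { 0x30, 0x01, 0x88, 0x0B, 0x00, 0x04,
    0xBE, 0xEF, 0x00, 0x00, 0x00, 0x01, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t sample_plain_gre[] = { 0x00, 0x00, 0x08, 0x00, 0x45, 0x00 };
```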