For MS PPTP you need to allow TCP connections to/from port 1723 on the PPTP
server. You also need to allow IP Protocol 47 to/from the PPTP server. No
other ports/protocols are necessary. On Linux you should use IPChains or
better. In my experience IPFWADM does not have enough functionality to
filter IP Protocol 47 properly.
For some additional info, look for the Linux VPN-Masquerade-HOWTO document
on the web.
As to the security issues associated with doing this, I am waiting for the
response to the previous question myself.
Doug
> -----Original Message-----
> From: Randall, Mark [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 27, 2000 12:09 PM
> To: 'Palmer, L. Guy'; 'Brian C. E. Buhl'; Firewall List (E-mail)
> Subject: RE: VPN through firewall?
>
>
> What's the difference between having it "go around" and
> allowing it through?
> Either way all services are getting into your network, right?
>
>
> -----Original Message-----
> From: Palmer, L. Guy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 24, 2000 6:37 AM
> To: 'Brian C. E. Buhl'; Firewall List (E-mail)
> Subject: RE: VPN through firewall?
>
>
> You should NOT allow VPN thru a firewall;
> preferable to go around if necessary, since
> one cannot delimit ports. By definition, VPN's
> "tunnel" so you'll be allowing all services through!
>
> > -----Original Message-----
> > From: Brian C. E. Buhl [SMTP:[EMAIL PROTECTED]]
> > Sent: Saturday, January 22, 2000 1:56 AM
> > To: Firewall List (E-mail)
> > Subject: VPN through firewall?
> >
> > At the risk of exposing my raw ignorance... what ports generally need to
> > be open for VPN to pass through a firewall?
> >
> > I've recently been helping a friend set up a Linux machine to act as his
> > firewall. He'd like to establish a VPN connection from his Windows 98
> > machine at home to his Windows NT 4.0 machine at work. I'm using IP
> > Masquerade and IPCHAINS on the Linux machine, and in my search so far,
> > I've found some suggestions for opening up tcp redirection for ports
> > 1723 and 47. This hasn't produced satisfactory results, however.
> >
> > In a whitepaper from Microsoft, I gleaned a little bit of something about
> > opening up udp port 4701. Has anyone else had to do this before, and am I
> > leaving out any key information?
> >
> > -Brian
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]