To firewall MS PPTP for multiple hosts on the inside of a firewall, you need
to masquerade based on the MS PPTP call ID. The call ID can be masqueraded
similarly to port NAT for UDP/TCP. Many protocols use GRE; MS PPTP uses GRE
protocol type 0x880b. However, MS PPTP's call ID is not a PORT, and GRE is
neither TCP nor UDP.

Is there a plan to add a PPTP proxy in ipf?

Outside the scope of ipfilter: if you must firewall MS PPTP, consider
ipchains or iptables.


----- Original Message -----
From: "Seth" <[EMAIL PROTECTED]>
To: "Max Leonard" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, October 31, 2002 5:10 PM
Subject: Re: could someone help me with tcpdump?


> I think the well known ports page would help everyone here:
> http://www.iana.org/assignments/port-numbers
>
> But for the record proto number 47 (GRE) is generic routing
> encapsulation, uses tcp and udp port number 47. It is a very important
> part of the MS-VPN (especially if PPTP) implementation.
>
> I also think it is a good idea to read up on ESP, AH and ISAKMP.
>
> Peace,
> --- Max Leonard <[EMAIL PROTECTED]> wrote:
> > I had a similar problem with getting some OSX clients tunneling from
> > behind nat/fw to an outside VPN.
> > The only solution I could come up with was redirecting the GRE packets
> > (proto 47) from the outside to a static IP inside the LAN. My
> > very-limited understanding of GRE is that it always uses port 0, which
> > makes true NAT very difficult due to the fact that you can't get unique
> > ports to map, or TCP sessions to hold onto. Although, if anyone has any
> > working solutions for mapping multiple VPN tunnels through
> > ipfilter/ipnat, I would love to know about them.
> >
> > -Max
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, October 30, 2002 10:39 AM
> > Subject: could someone help me with tcpdump?
> >
> >
> > >
> > > Hello all
> > >
> > > I am trying to get a couple of win2k vpn boxen to work across a
> > > firewall. Here is a dump, my comments are in between each dump line.
> > > I want to see if I understand what I am looking at.
> > >
> > > 12:17:12.246870 156.98.222.175.1064 > 156.98.190.111.1723: S 3085367584:3085367584(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> > >
> > > 222.175 makes the initial contact to 190.111 with a "S" syn packet?
> > > The workstation port is 1064 and the server port is 1723 which is the
> > > vpn port. The two numbers (#:#) are the tcp sequence numbers? What is
> > > "win" and the stuff after that?
> > >
> > > 12:17:12.247288 156.98.190.111.1723 > 156.98.222.175.1064: S 3369974062:3369974062(0) ack 3085367585 win 64240 <mss 1460,nop,nop,sackOK> (DF)
> > >
> > > 190.111 port 1723 replies to 222.175. I see the "ack" later on, so was
> > > I wrong about the "S" being syn above, because it is still here? Why is
> > > the number after the ack one larger than the above?
> > >
> > > 12:17:12.247570 156.98.222.175.1064 > 156.98.190.111.1723: . ack 1 win 17520 (DF)
> > >
> > > 222.175 syn acks.
> > >
> > > What is this stuff below?
> > >
> > > 12:17:12.247800 156.98.222.175.1064 > 156.98.190.111.1723: P 1:157(156) ack 1 win 17520 (DF)
> > > 12:17:12.248204 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> > > 12:17:15.479988 156.98.190.111.1723 > 156.98.222.175.1064: P 1:157(156) ack 157 win 64084 (DF)
> > > 12:17:15.480651 156.98.222.175.1064 > 156.98.190.111.1723: P 157:325(168) ack 157 win 17364 (DF)
> > > 12:17:15.481998 156.98.190.111.1723 > 156.98.222.175.1064: P 157:189(32) ack 325 win 63916 (DF)
> > > 12:17:15.484913 156.98.222.175.1064 > 156.98.190.111.1723: P 325:349(24) ack 189 win 17332 (DF)
> > > 12:17:15.698650 156.98.190.111.1723 > 156.98.222.175.1064: . ack 349 win 63892 (DF)
> > >
> > > Nothing happens, the workstation can't seem to get authenticated. I
> > > think I am not yet transferring protocol 47 though, and I am looking
> > > into that now. I just want to understand tcpdump better. I almost feel
> > > like I had something lower level that showed me this stuff a little
> > > more raw. --of course I don't even understand what I have now! :-)
> > >
> > > --ja
> > > --
> > >
> >
>
>
> =====
> SRR
>
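Added example (my own code, not from any message in this thread): a parser for the PPTP "enhanced GRE" header (RFC 2637, GRE protocol type 0x880B) together with a small call-ID translation table that does for GRE what port NAT does for TCP/UDP, which is the mechanism the reply at the top of this thread describes. The GRE call ID names the receiver's call, so only the inside client's own ID is ambiguous across hosts behind one address: it is rewritten in the Outgoing-Call-Request the client sends on TCP/1723 and restored in the GRE packets the server sends back; the server's IDs are left alone. The IP addresses, call IDs and packet bytes are constructed for the example, and the Outgoing-Call-Request is truncated after its Call ID field.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PPTP_GRE_PROTO = 0x880B            # GRE protocol type carried by PPTP data packets
PPTP_MAGIC = 0x1A2B3C4D            # magic cookie in every PPTP control message (TCP/1723)
PPTP_OUTGOING_CALL_REQUEST = 7     # control message type that carries the client's Call ID


@dataclass
class GrePptp:
    call_id: int                   # the *receiver's* call ID
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]
    header_len: int


def parse_gre_pptp(pkt: bytes) -> GrePptp:
    """Decode the 8..16 byte enhanced GRE header; reject anything that is not PPTP."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO:
        raise ValueError(f"not PPTP GRE: protocol type 0x{proto:04x}")
    if (ver & 0x07) != 1 or not (flags & 0x20):   # version 1 and K (key) bit are required
        raise ValueError("not an RFC 2637 enhanced GRE header")
    off, seq, ack = 8, None, None
    if flags & 0x10:                               # S bit: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if ver & 0x80:                                 # A bit: acknowledgment number present
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if len(pkt) - off != plen:
        raise ValueError("payload length does not match packet")
    return GrePptp(call_id, plen, seq, ack, off)


def build_gre_pptp(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Constructed test packet: enhanced GRE header in front of a PPP payload."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    ver = 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack("!BBHHH", flags, ver, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def build_outgoing_call_request(call_id: int) -> bytes:
    """Constructed, truncated Outgoing-Call-Request: 10-byte control header, 2 reserved
    bytes, then the client's Call ID at offset 12 (real messages continue further)."""
    return struct.pack("!HHIHHH", 14, 1, PPTP_MAGIC, PPTP_OUTGOING_CALL_REQUEST, 0, call_id)


class PptpCallIdNat:
    """Call-ID translation table for inside clients sharing one public address."""

    def __init__(self, first_id: int = 1):
        self._next = first_id
        self._to_outside = {}      # (inside_ip, inside_call_id) -> outside_call_id
        self._to_inside = {}       # outside_call_id -> (inside_ip, inside_call_id)

    def map_outbound(self, inside_ip: str, inside_call_id: int) -> int:
        """Allocate (or reuse) a public call ID unique across all inside hosts."""
        key = (inside_ip, inside_call_id)
        if key not in self._to_outside:
            while self._next in self._to_inside:
                self._next = (self._next + 1) & 0xFFFF
            self._to_outside[key] = self._next
            self._to_inside[self._next] = key
            self._next = (self._next + 1) & 0xFFFF
        return self._to_outside[key]

    def rewrite_outgoing_call_request(self, inside_ip: str, msg: bytes) -> bytes:
        """Control channel, client -> server: replace the client's Call ID in the request."""
        _length, mtype, magic, ctype = struct.unpack("!HHIH", msg[:10])
        if magic != PPTP_MAGIC or mtype != 1:
            raise ValueError("not a PPTP control message")
        if ctype != PPTP_OUTGOING_CALL_REQUEST:
            return msg
        inside_call_id = struct.unpack("!H", msg[12:14])[0]
        return msg[:12] + struct.pack("!H", self.map_outbound(inside_ip, inside_call_id)) + msg[14:]

    def rewrite_inbound_gre(self, pkt: bytes) -> Optional[Tuple[str, bytes]]:
        """Data channel, server -> client: restore the client's Call ID and pick the inside
        host.  An unmapped ID yields None (drop it), just like unsolicited inbound UDP."""
        hdr = parse_gre_pptp(pkt)
        if hdr.call_id not in self._to_inside:
            return None
        inside_ip, inside_call_id = self._to_inside[hdr.call_id]
        return inside_ip, pkt[:6] + struct.pack("!H", inside_call_id) + pkt[8:]


def demo() -> dict:
    nat = PptpCallIdNat(first_id=4000)
    a, b = "10.0.0.11", "10.0.0.12"          # two inside clients that both chose call ID 1
    req_a = nat.rewrite_outgoing_call_request(a, build_outgoing_call_request(1))
    req_b = nat.rewrite_outgoing_call_request(b, build_outgoing_call_request(1))
    out_a = struct.unpack("!H", req_a[12:14])[0]
    out_b = struct.unpack("!H", req_b[12:14])[0]
    # server -> client B: the GRE Call ID is the translated one the server learned
    dst, restored = nat.rewrite_inbound_gre(build_gre_pptp(out_b, b"\xff\x03\x00\x21", seq=7, ack=3))
    return {"out_a": out_a, "out_b": out_b, "dst": dst,
            "restored_call_id": parse_gre_pptp(restored).call_id,
            "unmapped": nat.rewrite_inbound_gre(build_gre_pptp(9999, b"x"))}


if __name__ == "__main__":
    print(demo())
```

A production helper also has to learn the server's call ID from the Outgoing-Call-Reply, drop the mapping on Call-Clear-Request or Call-Disconnect-Notify, and apply the control-channel rewrite to the reassembled TCP stream rather than to single segments, since a control message may straddle two segments.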