-----Original Message-----
From: Chris Willis
Sent: Sunday, March 12, 2006 10:23 AM
To: 'Melameth, Daniel D.'
Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

This is what fwbuilder is creating.

set limit { frags 5000, states 10000 }
set timeout adaptive.start 8000
set timeout adaptive.end 10000
set optimization Normal
#
# Scrub rules
#
scrub in all fragment reassemble
scrub out all random-id
#
# Rule 0 (NAT)
# force mail server to NAT using same IP as incoming mail
#
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
#
# Rule 1 (NAT)
# force outbound vpn traffic to source port 500
#
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
#
# Rule 2 (NAT)
# NAT all 1928 LAN clients to an IP address on the external NIC
#
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
#
# Rule 3 (NAT)
# Port Forward services to DC1
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 3389 -> 192.168.254.254 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.226 port 1723 -> 192.168.254.254 port 1723
rdr on fxp0 proto udp from any to 64.62.37.226 port 500 -> 192.168.254.254 port 500
rdr on fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 51 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 50 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto tcp from any to 64.62.37.226 port 22 -> 192.168.254.254 port 22
#
# Rule 4 (NAT)
# Port Forward Services to MAIL1
#
rdr on fxp0 proto tcp from any to 64.62.37.227 port 110 -> 192.168.254.253 port 110
rdr on fxp0 proto tcp from any to 64.62.37.227 port 443 -> 192.168.254.253 port 443
rdr on fxp0 proto tcp from any to 64.62.37.227 port 3389 -> 192.168.254.253 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.227 port 80 -> 192.168.254.253 port 80
#
# Rule 5 (NAT)
# port forward to the store camera
#
rdr on fxp0 proto tcp from any to 64.62.37.228 port 80 -> 192.168.202.96 port 80
#
# Rule 6 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 23 -> 192.168.200.11 port 23
#
# Rule 7 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
rdr on fxp0 proto udp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
#
# Rule 8 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11002 -> 192.168.202.19 port 21
#
# Rule 9 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.230 port 3389 -> 192.168.254.255 port 3389

# Tables: (3)
table <id4411F6F4.1> { 224.0.0.0/4 , 169.254.0.0/16 , 127.0.0.0/8 , 10.0.0.0/8 , 192.168.0.0/12 , 192.0.2.0/24 , 0.0.0.0/8 }
table <id4411F73B.2> { 64.62.37.226 , 64.62.37.227 , 64.62.37.228 , 64.62.37.229 , 64.62.37.230 , 192.168.200.89 , 192.168.200.40 }
table <id4411FCBC.1> { 192.168.0.0/16 , 66.134.48.170 }

#
# Rule 0 (fxp0)
# anti-spoof rule for external interfaces
#
block in log quick on fxp0 inet from <id4411F6F4.1> to any label "RULE 0 -- DROP "
#
# Rule 0 (lo0)
# allow loopback to all - required to log onto box
#
pass in log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
pass out log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
#
# Rule 0 (global)
# deny bad combinations of TCP flags
#
block in log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UARSF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UARSF/UAPRSF label "RULE 0 -- DROP "
#
# Rule 1 (global)
# email goes to postfix on firewall first
#
pass in quick inet proto tcp from any port >= 1024 to <id4411F73B.2> port 25 flags S/S modulate state label "RULE 1 -- ACCEPT "
#
# Rule 2 (global)
# doug added ssh to dc1
#
pass in quick inet proto tcp from 64.241.74.206 to 192.168.254.254 port 22 modulate state label "RULE 2 -- ACCEPT "
pass out quick inet proto tcp from 64.241.74.206 to 192.168.254.254 port 22 modulate state label "RULE 2 -- ACCEPT "
#
# Rule 3 (global)
# allow remote admin & VPN traffic to DC1
#
pass in quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 3389 flags S/S modulate state label "RULE 3 -- ACCEPT "
pass in quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 1723 modulate state label "RULE 3 -- ACCEPT "
pass in quick inet proto udp from any to 192.168.254.254 port 500 keep state label "RULE 3 -- ACCEPT "
pass in quick inet proto 47 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass in quick inet proto 50 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass in quick inet proto 51 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 3389 flags S/S modulate state label "RULE 3 -- ACCEPT "
pass out quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 1723 modulate state label "RULE 3 -- ACCEPT "
pass out quick inet proto udp from any to 192.168.254.254 port 500 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto 47 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto 50 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto 51 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
#
# Rule 4 (global)
# allow mail, OWA and POP3 to MAIL1
#
pass in quick inet proto tcp from any port >= 1024 to 192.168.254.253 port 3389 flags S/S modulate state label "RULE 4 -- ACCEPT "
pass in quick inet proto tcp from any to 192.168.254.253 port { 443, 110, 80, 25 } modulate state label "RULE 4 -- ACCEPT "
pass out quick inet proto tcp from any port >= 1024 to 192.168.254.253 port 3389 flags S/S modulate state label "RULE 4 -- ACCEPT "
pass out quick inet proto tcp from any to 192.168.254.253 port { 443, 110, 80, 25 } modulate state label "RULE 4 -- ACCEPT "
#
# Rule 5 (global)
# terminal server services
#
pass in log quick inet proto tcp from any port >= 1024 to 192.168.254.255 port 3389 flags S/S modulate state label "RULE 5 -- ACCEPT "
pass out log quick inet proto tcp from any port >= 1024 to 192.168.254.255 port 3389 flags S/S modulate state label "RULE 5 -- ACCEPT "
#
# Rule 6 (global)
# access store camera from internet
#
pass in quick inet proto tcp from any to 192.168.202.96 port 80 modulate state label "RULE 6 -- ACCEPT "
pass out quick inet proto tcp from any to 192.168.202.96 port 80 modulate state label "RULE 6 -- ACCEPT "
#
# Rule 7 (global)
# allow firewall to access anywhere
#
pass out quick inet from <id4411F73B.2> to any keep state label "RULE 7 -- ACCEPT "
#
# Rule 8 (global)
# allow internal network to access certain firewall services
#
pass in quick inet proto icmp from <id4411FCBC.1> to <id4411F73B.2> keep state label "RULE 8 -- ACCEPT "
pass in quick inet proto tcp from <id4411FCBC.1> port >= 1024 to <id4411F73B.2> port 10000 flags S/S modulate state label "RULE 8 -- ACCEPT "
pass in quick inet proto tcp from <id4411FCBC.1> to <id4411F73B.2> port 3000 flags S/S modulate state label "RULE 8 -- ACCEPT "
pass in quick inet proto tcp from <id4411FCBC.1> to <id4411F73B.2> port { 22, 888 } modulate state label "RULE 8 -- ACCEPT "
#
# Rule 9 (global)
# allow telnet to the D3 computer
#
pass in quick inet proto tcp from any to 192.168.200.11 port 23 modulate state label "RULE 9 -- ACCEPT "
pass out quick inet proto tcp from any to 192.168.200.11 port 23 modulate state label "RULE 9 -- ACCEPT "
#
# Rule 10 (global)
#
#
pass in log quick inet proto tcp from any to 192.168.200.38 port 11001 modulate state label "RULE 10 -- ACCEPT "
pass in log quick inet proto udp from any to 192.168.200.38 port 11001 keep state label "RULE 10 -- ACCEPT "
pass out log quick inet proto tcp from any to 192.168.200.38 port 11001 modulate state label "RULE 10 -- ACCEPT "
pass out log quick inet proto udp from any to 192.168.200.38 port 11001 keep state label "RULE 10 -- ACCEPT "
#
# Rule 11 (global)
#
#
pass in log quick inet proto tcp from any to 192.168.202.19 port { 11002, 21 } modulate state label "RULE 11 -- ACCEPT "
pass out log quick inet proto tcp from any to 192.168.202.19 port { 11002, 21 } modulate state label "RULE 11 -- ACCEPT "
#
# Rule 12 (global)
# deny all other access to firewall
#
block in log quick inet from any to <id4411F73B.2> label "RULE 12 -- DROP "
#
# Rule 13 (global)
# allow burbank internal network outbound to internet
#
pass in quick inet from 192.168.0.0/16 to any keep state label "RULE 13 -- ACCEPT "
pass out quick inet from 192.168.0.0/16 to any keep state label "RULE 13 -- ACCEPT "
#
# Rule 14 (global)
# drop all other traffic
#
block in log quick inet from any to any label "RULE 14 -- DROP "
block out log quick inet from any to any label "RULE 14 -- DROP "
#
# Rule fallback rule
# fallback rule
#
block in quick inet from any to any label "RULE 10000 -- DROP "
block out quick inet from any to any label "RULE 10000 -- DROP "

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Melameth, Daniel D.
Sent: Saturday, March 11, 2006 8:47 AM
To: pf@benzedrine.cx
Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

Post your rule set.

Chris Willis wrote:
> Ok, this is not a PPTP connection from the internet TO a box on the
> internal LAN.
>
> This is a problem with making a PPTP connection from the internal LAN
> to any PPTP server out on the internet.
>
> Thus, TCP 1723 and GRE are not the issue. I am passing ALL from the
> internal LAN to the internet.
>
> I used FWBuilder to create the policy for the FreeBSD box. When I
> install Linux 2.6 in place of the freebsd box, and use the exact same
> FWBuilder ruleset, then outbound PPTP works great.
>
> Any other thoughts?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Melameth, Daniel D.
> Sent: Saturday, March 11, 2006 12:27 AM
> To: pf@benzedrine.cx
> Subject: RE: Solution Request: I need to initiate outbound PPTP
> requests thru FreeBSD firewall
>
> Chris Willis wrote:
> > I have setup a FreeBSD box running PF for a client. It is the
> > 'firewall' for their internal LAN.
> >
> > I cannot make an outbound VPN connection from their LAN to any other
> > microsoft PPTP VPN server.
> >
> > The VPN connections work fine from any machine that plugs in to the
> > hub in FRONT of the firewall (static public IP), but that obviously
> > isn't the solution.
> >
> > What changes need to be made to the ruleset to allow outbound PPTP
> > connections? Here is the existing NAT rule I thought might work
> > based on browsing the Archives:
> >
> > nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any ->
> > 206.135.37.226 port 500
> >
> > But it didn't help at all. I put that rule both in front of, and
> > behind, the regular NAT rule for outbound network traffic.
>
> I hate to say it Chris, but have you bothered to even find out what
> ports/protocols PPTP actually uses? Perhaps TCP 1723 and GRE?
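Added example, not code from the thread or from fwbuilder: a small Python checker that parses the `nat on` lines of the rule set Chris posted and reports which external address pf would give an outbound flow from the LAN. Against those rules, TCP 1723 (the PPTP control channel Daniel points at) is translated by NAT Rule 2, while GRE, protocol 47, matches no nat rule because Rules 0 and 2 list only tcp, udp and icmp, so the tunnel packets would leave fxp0 with a private source address; the `FIXED_NAT` line and the client address 192.168.10.5 are assumptions for illustration, not something the thread confirms.

```python
import ipaddress
import re
# NAT section of the pf.conf posted in this thread (fwbuilder output).
POSTED_NAT = """
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
"""
# Hypothetical extra rule (not from the thread): also translate GRE (proto 47), the PPTP tunnel.
FIXED_NAT = POSTED_NAT + "nat on fxp0 proto 47 from 192.168.0.0/16 to any -> 64.62.37.226\n"
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47}
RULE_RE = re.compile(
    r"^nat on (?P<ifc>\S+)(?: proto (?P<proto>\{[^}]*\}|\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)(?: port (?P<dport>\d+))? -> (?P<nat>\S+)")

def parse_protos(spec):
    """Protocol numbers a 'proto' clause covers; None means any protocol."""
    if spec is None:
        return None
    names = [n for n in re.split(r"[\s,]+", spec.strip("{}")) if n]
    return {PROTO_NUMBERS[n] if n in PROTO_NUMBERS else int(n) for n in names}

def parse_nat_rules(conf):
    """Parse 'nat on' lines in order; rdr rules, comments and blanks are skipped."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"protos": parse_protos(m["proto"]),
                          "src": ipaddress.ip_network(m["src"], strict=False),
                          "dport": int(m["dport"]) if m["dport"] else None,
                          "nat": m["nat"]})
    return rules

def nat_source_for(conf, src_ip, proto, dport=None):
    """External address the flow's source becomes, or None if no nat rule matches.
    pf applies the first matching translation rule, so stop at the first hit."""
    ip = ipaddress.ip_address(src_ip)
    for r in parse_nat_rules(conf):
        if ip in r["src"] and (r["protos"] is None or proto in r["protos"]) \
                and (r["dport"] is None or r["dport"] == dport):
            return r["nat"]
    return None

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_NAT), ("fixed", FIXED_NAT)):
        ctrl = nat_source_for(conf, "192.168.10.5", 6, 1723)  # PPTP control channel
        data = nat_source_for(conf, "192.168.10.5", 47)       # GRE tunnel data
        print(f"{label}: tcp/1723 -> {ctrl}, gre -> {data}")
```

Even with GRE translated, pf keeps GRE state on addresses only and does not track PPTP call IDs, so two LAN hosts tunnelling to the same PPTP server at the same time through one external address will collide; Linux 2.6 avoids this with its PPTP connection-tracking helper.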