RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

Chris Willis Sun, 12 Mar 2006 11:42:19 -0800

 

-----Original Message-----
From: Chris Willis 
Sent: Sunday, March 12, 2006 10:23 AM
To: 'Melameth, Daniel D.'
Subject: RE: Solution Request: I need to initiate outbound PPTP requests
thru FreeBSD firewall


This is what fwbuilder is creating.


set limit { frags 5000, states 10000 }
set timeout adaptive.start 8000
set timeout adaptive.end 10000
set optimization Normal

#
# Scrub rules
#
scrub in all fragment reassemble
scrub out all random-id 

#
# Rule  0 (NAT)
# force mail server to NAT using same IP as incoming mail # nat on fxp0
proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227 # #
Rule  1 (NAT) # force outbound vpn traffic to source port 500 # nat on
fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226
port 500 # # Rule  2 (NAT) # NAT all 1928 LAN clients to an IP address
on the external NIC # nat on fxp0 proto {tcp udp icmp} from
192.168.0.0/16 to any -> 64.62.37.226 # # Rule  3 (NAT) # Port Forward
services to DC1 # rdr on fxp0 proto tcp from any to 64.62.37.226 port
3389 -> 192.168.254.254 port 3389 rdr on fxp0 proto tcp from any to
64.62.37.226 port 1723 -> 192.168.254.254 port 1723 rdr on fxp0 proto
udp from any to 64.62.37.226 port 500 -> 192.168.254.254 port 500 rdr on
fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254 rdr on fxp0
proto 51 from any to 64.62.37.226 -> 192.168.254.254 rdr on fxp0 proto
50 from any to 64.62.37.226 -> 192.168.254.254 rdr on fxp0 proto tcp
from any to 64.62.37.226 port 22 -> 192.168.254.254 port 22 # # Rule  4
(NAT) # Port Forward Services to MAIL1 # rdr on fxp0 proto tcp from any
to 64.62.37.227 port 110 -> 192.168.254.253 port 110 rdr on fxp0 proto
tcp from any to 64.62.37.227 port 443 -> 192.168.254.253 port 443 rdr on
fxp0 proto tcp from any to 64.62.37.227 port 3389 -> 192.168.254.253
port 3389 rdr on fxp0 proto tcp from any to 64.62.37.227 port 80 ->
192.168.254.253 port 80 # # Rule  5 (NAT) # port forward to the store
camera # rdr on fxp0 proto tcp from any to 64.62.37.228 port 80 ->
192.168.202.96 port 80 # # Rule  6 (NAT) # # rdr on fxp0 proto tcp from
any to 64.62.37.226 port 23 -> 192.168.200.11 port 23 # # Rule  7 (NAT)
# # rdr on fxp0 proto tcp from any to 64.62.37.229 port 11001 ->
192.168.200.38 port 11001 rdr on fxp0 proto udp from any to 64.62.37.229
port 11001 -> 192.168.200.38 port 11001 # # Rule  8 (NAT) # # rdr on
fxp0 proto tcp from any to 64.62.37.229 port 11002 -> 192.168.202.19
port 21 # # Rule  9 (NAT) # # rdr on fxp0 proto tcp from any to
64.62.37.230 port 3389 -> 192.168.254.255 port 3389 


# Tables: (3)
table <id4411F6F4.1> { 224.0.0.0/4 , 169.254.0.0/16 , 127.0.0.0/8 ,
10.0.0.0/8 , 192.168.0.0/12 , 192.0.2.0/24 , 0.0.0.0/8 } table
<id4411F73B.2> { 64.62.37.226 , 64.62.37.227 , 64.62.37.228 ,
64.62.37.229 , 64.62.37.230 , 192.168.200.89 , 192.168.200.40 } table
<id4411FCBC.1> { 192.168.0.0/16 , 66.134.48.170 } 

#
# Rule  0 (fxp0)
# anti-spoof rule for external interfaces # 
block in   log  quick on fxp0 inet  from <id4411F6F4.1>  to any  label
"RULE 0 -- DROP "  
#
# Rule  0 (lo0)
# allow loopback to all - required to log onto box # 
pass in   log  quick on lo0 inet  from any  to any keep state  label
"RULE 0 -- ACCEPT "  
pass out  log  quick on lo0 inet  from any  to any keep state  label
"RULE 0 -- ACCEPT "  
#
# Rule  0 (global)
# deny bad combinations of TCP flags
# 
block in   log  quick inet proto tcp  from any  to any flags U/UA  label
"RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags RF/RF
label "RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags RS/RS
label "RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags SF/SF
label "RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags
UAPRSF/UAPRSF  label "RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags /UAPRSF
label "RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags UPF/UAPRSF
label "RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags UPSF/UAPRSF
label "RULE 0 -- DROP "  
block in   log  quick inet proto tcp  from any  to any flags
UARSF/UAPRSF  label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags U/UA  label
"RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags RF/RF
label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags RS/RS
label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags SF/SF
label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags
UAPRSF/UAPRSF  label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags /UAPRSF
label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags UPF/UAPRSF
label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags UPSF/UAPRSF
label "RULE 0 -- DROP "  
block out  log  quick inet proto tcp  from any  to any flags
UARSF/UAPRSF  label "RULE 0 -- DROP "  
#
# Rule  1 (global)
# email goes to postfix on firewall first # 
pass in   quick inet proto tcp  from any port >= 1024  to <id4411F73B.2>
port 25 flags S/S modulate state  label "RULE 1 -- ACCEPT "  
#
# Rule  2 (global)
# doug added ssh to dc1
# 
pass in   quick inet proto tcp  from 64.241.74.206  to 192.168.254.254
port 22 modulate state  label "RULE 2 -- ACCEPT "  
pass out  quick inet proto tcp  from 64.241.74.206  to 192.168.254.254
port 22 modulate state  label "RULE 2 -- ACCEPT "  
#
# Rule  3 (global)
# allow remote admin & VPN traffic to DC1 # 
pass in   quick inet proto tcp  from any port >= 1024  to
192.168.254.254 port 3389 flags S/S modulate state  label "RULE 3 --
ACCEPT "  
pass in   quick inet proto tcp  from any port >= 1024  to
192.168.254.254 port 1723 modulate state  label "RULE 3 -- ACCEPT "  
pass in   quick inet proto udp  from any  to 192.168.254.254 port 500
keep state  label "RULE 3 -- ACCEPT "  
pass in   quick inet proto 47  from any  to 192.168.254.254 keep state
label "RULE 3 -- ACCEPT "  
pass in   quick inet proto 50  from any  to 192.168.254.254 keep state
label "RULE 3 -- ACCEPT "  
pass in   quick inet proto 51  from any  to 192.168.254.254 keep state
label "RULE 3 -- ACCEPT "  
pass out  quick inet proto tcp  from any port >= 1024  to
192.168.254.254 port 3389 flags S/S modulate state  label "RULE 3 --
ACCEPT "  
pass out  quick inet proto tcp  from any port >= 1024  to
192.168.254.254 port 1723 modulate state  label "RULE 3 -- ACCEPT "  
pass out  quick inet proto udp  from any  to 192.168.254.254 port 500
keep state  label "RULE 3 -- ACCEPT "  
pass out  quick inet proto 47  from any  to 192.168.254.254 keep state
label "RULE 3 -- ACCEPT "  
pass out  quick inet proto 50  from any  to 192.168.254.254 keep state
label "RULE 3 -- ACCEPT "  
pass out  quick inet proto 51  from any  to 192.168.254.254 keep state
label "RULE 3 -- ACCEPT "  
#
# Rule  4 (global)
# allow mail, OWA and POP3 to MAIL1
# 
pass in   quick inet proto tcp  from any port >= 1024  to
192.168.254.253 port 3389 flags S/S modulate state  label "RULE 4 --
ACCEPT "  
pass in   quick inet proto tcp  from any  to 192.168.254.253 port { 443,
110, 80, 25 } modulate state  label "RULE 4 -- ACCEPT "  
pass out  quick inet proto tcp  from any port >= 1024  to
192.168.254.253 port 3389 flags S/S modulate state  label "RULE 4 --
ACCEPT "  
pass out  quick inet proto tcp  from any  to 192.168.254.253 port { 443,
110, 80, 25 } modulate state  label "RULE 4 -- ACCEPT "  
#
# Rule  5 (global)
# terminal server services
# 
pass in   log  quick inet proto tcp  from any port >= 1024  to
192.168.254.255 port 3389 flags S/S modulate state  label "RULE 5 --
ACCEPT "  
pass out  log  quick inet proto tcp  from any port >= 1024  to
192.168.254.255 port 3389 flags S/S modulate state  label "RULE 5 --
ACCEPT "  
#
# Rule  6 (global)
# access store camera from internet
# 
pass in   quick inet proto tcp  from any  to 192.168.202.96 port 80
modulate state  label "RULE 6 -- ACCEPT "  
pass out  quick inet proto tcp  from any  to 192.168.202.96 port 80
modulate state  label "RULE 6 -- ACCEPT "  
#
# Rule  7 (global)
# allow firewall to access anywhere
#
pass out  quick inet  from <id4411F73B.2>  to any keep state  label
"RULE 7 -- ACCEPT "  
#
# Rule  8 (global)
# allow internal network to access certain firewall services # 
pass in   quick inet proto icmp  from <id4411FCBC.1>  to <id4411F73B.2>
keep state  label "RULE 8 -- ACCEPT "  
pass in   quick inet proto tcp  from <id4411FCBC.1> port >= 1024  to
<id4411F73B.2> port 10000 flags S/S modulate state  label "RULE 8 --
ACCEPT "  
pass in   quick inet proto tcp  from <id4411FCBC.1>  to <id4411F73B.2>
port 3000 flags S/S modulate state  label "RULE 8 -- ACCEPT "  
pass in   quick inet proto tcp  from <id4411FCBC.1>  to <id4411F73B.2>
port { 22, 888 } modulate state  label "RULE 8 -- ACCEPT "  
#
# Rule  9 (global)
# allow telnet to the D3 computer
# 
pass in   quick inet proto tcp  from any  to 192.168.200.11 port 23
modulate state  label "RULE 9 -- ACCEPT "  
pass out  quick inet proto tcp  from any  to 192.168.200.11 port 23
modulate state  label "RULE 9 -- ACCEPT "  
#
# Rule  10 (global)
#
# 
pass in   log  quick inet proto tcp  from any  to 192.168.200.38 port
11001 modulate state  label "RULE 10 -- ACCEPT "  
pass in   log  quick inet proto udp  from any  to 192.168.200.38 port
11001 keep state  label "RULE 10 -- ACCEPT "  
pass out  log  quick inet proto tcp  from any  to 192.168.200.38 port
11001 modulate state  label "RULE 10 -- ACCEPT "  
pass out  log  quick inet proto udp  from any  to 192.168.200.38 port
11001 keep state  label "RULE 10 -- ACCEPT "  
#
# Rule  11 (global)
#
# 
pass in   log  quick inet proto tcp  from any  to 192.168.202.19 port {
11002, 21 } modulate state  label "RULE 11 -- ACCEPT "  
pass out  log  quick inet proto tcp  from any  to 192.168.202.19 port {
11002, 21 } modulate state  label "RULE 11 -- ACCEPT "  
#
# Rule  12 (global)
# deny all other access to firewall
# 
block in   log  quick inet  from any  to <id4411F73B.2>  label "RULE 12
-- DROP "  
#
# Rule  13 (global)
# allow burbank internal network outbound to internet # 
pass in   quick inet  from 192.168.0.0/16  to any keep state  label
"RULE 13 -- ACCEPT "  
pass out  quick inet  from 192.168.0.0/16  to any keep state  label
"RULE 13 -- ACCEPT "  
#
# Rule  14 (global)
# drop all other traffic
# 
block in   log  quick inet  from any  to any  label "RULE 14 -- DROP "  
block out  log  quick inet  from any  to any  label "RULE 14 -- DROP "  
#
# Rule  fallback rule
#    fallback rule 
# 
block in   quick inet  from any  to any  label "RULE 10000 -- DROP "  
block out  quick inet  from any  to any  label "RULE 10000 -- DROP "  




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Melameth, Daniel D.
Sent: Saturday, March 11, 2006 8:47 AM
To: pf@benzedrine.cx
Subject: RE: Solution Request: I need to initiate outbound PPTP requests
thru FreeBSD firewall

Post your rule set.

Chris Willis wrote:
> Ok, this is not a PPTP connection from the internet TO a box on the 
> internal LAN.
> 
> This is a problems with making a PPTP connection from the internal LAN

> to any PPTP server out on the internet.
> 
> Thus, TCP 1723 and GRE are not the issue.  I am passing ALL from the 
> internal LAN to the internet.
> 
> I used FWBuilder to create the policy for the FreeBSD box.  When I 
> install Linux 2.6 in place of the freebsd box, and use the exact same 
> FWBuilder ruleset, then outbound PPTP works great.
> 
> Any other thoughts?
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

> Of Melameth, Daniel D.
> Sent: Saturday, March 11, 2006 12:27 AM
> To: pf@benzedrine.cx
> Subject: RE: Solution Request: I need to initiate outbound PPTP 
> requests thru FreeBSD firewall
> 
> Chris Willis wrote:
> > I have setup a FreeBSD box running PF for a client.  It is the 
> > 'firewall' for their internal LAN.
> > 
> > I cannot make an outbound VPN connection from their LAN to any other

> > microsoft PPTP VPN server.
> > 
> > The VPN connections work fine from any machine that plugs in to the 
> > hub in FRONT of the firewall (static public IP), but that obviously 
> > isn't the solution.
> > 
> > What changes need to be made to the ruleset to allow outbound PPTP 
> > connections?  Here is the existing NAT rule I though might work 
> > based on browsing the Archives:
> > 
> > nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any ->
> > 206.135.37.226 port 500
> > 
> > But it didn't help at all.  I put that rule both in front of, and 
> > behind, the regular NAT rule for outbound network traffic.
> 
> I hate to say it Chris, but have you bothered to even find out what 
> ports/protocols PPTP actually uses?  Perhaps TCP 1723 and GRE?

RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

Reply via email to