Re: [Leaf-user] VPN behind Dachstein
On Thursday 25 April 2002 22:09, Morgan Reed wrote:
> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets
> though, I attempted to manually set the IPCHAINS rules just to do a
> quick test, and this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.
>
> I am not trying to port forward anything at this point, I want to be
> able to allow any machine on my home network to connect to a VPN
> machine at a client. So no ipmasqadm portfw.
>
> I uncommented the PPTP module and this is reflected in my log:
>
> Apr 25 10:55:35 firewall kernel: ip_masq_gre(): creating GRE masq for
> 192.168.1.3 -> 205.158.144.234 CID=43E6 MCID=10EA
> Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47
> 205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x
> T=116 (#41)
>
> But clearly it is viewing protocol 47 packets as junk and denying
> them.
>
> What step(s) am I missing?

For PPTP, in network.conf, allow protocol 47. You will need to load the slhc and ppp modules, and also the pptpd package from Sandro Minola (in the LEAF developer content directory). Do not load the pptp module unless you are port forwarding the connection through the firewall.

~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

___
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] VPN behind Dachstein
Morgan:

Heya. I think you're doing two things incorrectly. First, you're using "ipchains -A input ..." which means to Append the rule at the end of the input chain. So, it may be appending it after rule #41 which is blocking it. You need to either use -I to Insert the rule earlier in the chain, or manage things well when you Append.

Secondly...and more obviously...your rule to allow the GRE (proto=47) packets thru didn't take. From the echowall.lrp package, the line should look more like this:

ipchains -A input -s 0/0 -d $IP_EXT/32 -p 47 -j ACCEPT

Note that there's no "1723" in there. :) Also, if you know your VPN partner very well, you can change that 0/0 to tighten things down a notch.

Hope this helps!

-Scott

On Thu, 25 Apr 2002, Morgan Reed wrote:
> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets though, I
> attempted to manually set the IPCHAINS rules just to do a quick test, and
> this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.
>
> I am not trying to port forward anything at this point, I want to be able to
> allow any machine on my home network to connect to a VPN machine at a
> client. So no ipmasqadm portfw.
>
> I uncommented the PPTP module and this is reflected in my log:
>
> Apr 25 10:55:35 firewall kernel: ip_masq_gre(): creating GRE masq for
> 192.168.1.3 -> 205.158.144.234 CID=43E6 MCID=10EA
> Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47
> 205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x T=116
> (#41)
>
> But clearly it is viewing protocol 47 packets as junk and denying them.
>
> What step(s) am I missing?
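Scott's point above about rule order and the "(#41)" in Morgan's log, together with his later reminder that PPTP is TCP port 1723 plus IP protocol 47, as an added example that is not code from this thread or from LEAF/Dachstein: a small Python parser for ipchains "Packet log:" lines that flags denied PPTP control and GRE packets, reports which rule denied them, and builds the matching ACCEPT rule inserted ahead of that rule with -I, tightened to the logged peer and refusing a port on a non-tcp/udp/icmp protocol exactly as ipchains does. Only the first two sample lines are Morgan's; the other two are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

GRE_PROTO = 47            # PPTP data channel: GRE is an IP protocol, not a port
PPTP_CONTROL_PORT = 1723  # PPTP control channel: a TCP port
PORTED_PROTOS = {"tcp", "udp", "icmp"}  # ipchains takes ports only for these

# Constructed sample: the first two lines are the ones Morgan posted, the other two
# are made up. ipchains logs 65535 in both port fields for protocols without ports.
SAMPLE_LOG = """\
Apr 25 10:55:35 firewall kernel: ip_masq_gre(): creating GRE masq for 192.168.1.3 -> 205.158.144.234 CID=43E6 MCID=10EA
Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47 205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x T=116 (#41)
Apr 25 10:55:36 firewall kernel: Packet log: input ACCEPT eth0 PROTO=6 205.158.144.234:1723 68.49.250.48:1045 L=60 S=0x00 I=62912 F=0x4000 T=116 (#12)
Apr 25 10:55:40 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:137 68.49.250.48:137 L=78 S=0x00 I=100 F=0x0000 T=64 (#41)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)

@dataclass
class LogEntry:
    chain: str
    verdict: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    rule: int  # position in the chain of the rule that produced the verdict

def parse_line(line: str) -> Optional[LogEntry]:
    m = LOG_RE.search(line)
    if not m:
        return None  # e.g. the ip_masq_gre() line, which is not a packet log
    g = m.groupdict()
    return LogEntry(g["chain"], g["verdict"], int(g["proto"]), g["src"],
                    int(g["sport"]), g["dst"], int(g["dport"]), int(g["rule"]))

def parse_log(text: str) -> List[LogEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def classify(e: LogEntry) -> str:
    # A PPTP session has two halves; the firewall must pass both for it to work.
    if e.proto == GRE_PROTO:
        return "pptp-gre"
    if e.proto == 6 and PPTP_CONTROL_PORT in (e.sport, e.dport):  # 6 is TCP
        return "pptp-control"
    return "other"

def denied_pptp(entries: List[LogEntry]) -> List[LogEntry]:
    return [e for e in entries if e.verdict == "DENY" and classify(e) != "other"]

def accept_rule(proto: str, dst: str, src: str = "0/0", port: Optional[int] = None,
                chain: str = "input", before: Optional[int] = None) -> str:
    """Build an ipchains ACCEPT rule; a port is legal only for tcp/udp/icmp."""
    if port is not None and proto not in PORTED_PROTOS:
        raise ValueError("can only specify ports for icmp, tcp or udp")
    # -I <n> inserts ahead of rule n; -A appends at the end, behind a DENY that already matches.
    op = f"-I {chain} {before}" if before is not None else f"-A {chain}"
    target = dst if port is None else f"{dst} {port}"
    return f"ipchains {op} -s {src} -d {target} -p {proto} -j ACCEPT"

def fix_for(e: LogEntry) -> str:
    """ACCEPT rule for a denied PPTP/GRE packet, tightened to the logged peer
    (/32 on both ends) and inserted ahead of the rule that denied it."""
    kind = classify(e)
    if kind == "other":
        raise ValueError("not a PPTP control or GRE packet")
    proto, port = ("47", None) if kind == "pptp-gre" else ("tcp", PPTP_CONTROL_PORT)
    return accept_rule(proto, f"{e.dst}/32", f"{e.src}/32", port, e.chain, e.rule)
```

Running `fix_for` over `denied_pptp(parse_log(SAMPLE_LOG))` yields the GRE accept rule inserted at position 41, where the logged DENY sits.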
RE: [Leaf-user] VPN behind Dachstein
I simply use the following in the scripts which allows for both outbound and/or inbound VPNs through several Dachstein firewalls:

Firstly in network.conf add

#INTERN_SSH_SERVER=192.168.1.1   # Internal SSH server to make available
#EXTERN_SSH_PORT=24              # External port to use for internal SSH access
INTERN_VPN_SERVER=192.168.2.10   # Internal VPN server to make available
EXTERN_VPN_PORT=1723             # External port to use for internal VPN access

then in ipfilter.conf (I usually add this after the ssh section again)

if [ -n "$INTERN_VPN_SERVER" ] ; then
    if [ -n "$EXTERN_VPN_PORT" ] ; then
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP $EXTERN_VPN_PORT \
            -R $INTERN_VPN_SERVER vpn
    else
        $IPMASQADM portfw -a -P tcp -L $EXTERN_IP vpn \
            -R $INTERN_VPN_SERVER vpn
    fi
    ipfwd --masq $INTERN_VPN_SERVER 47 &
fi

I have several firewalls using this method and all are working well. If an internal VPN Server is not defined, I only open the input chain for protocol 47 in network.conf and have had no problems yet.

Andrew Gray

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Chad Carr
Sent: Fri, 26 Apr 2002 13:47 PM
To: Morgan Reed
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN behind Dachstein

On Thu, 25 Apr 2002 23:09:38 -0400 "Morgan Reed" wrote:
> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets
> though, I attempted to manually set the IPCHAINS rules just to do a
> quick test, and this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.

This ipchains rule should not specify port 1723. Ports are not a part of the GRE header, so they cannot be specified as targets for ipchains. The rule should read:

ipchains -A input -p 47 -j ACCEPT

to be absolutely minimal about it. If no source or destination address is given, the default is everything.

HTH,
Chad

p.s. take a look at http://www.protocols.com/pbook/tcpip3-1.htm and http://www.protocols.com/pbook/tcpip.htm#TCP for more details on this. This is pretty heavy stuff if you're not used to it, but it tells you what is in the headers of the packets you are trying to filter. It is invaluable if you want to really know what you can do with ipchains.
Re: [Leaf-user] VPN behind Dachstein
On Thu, 25 Apr 2002 23:09:38 -0400 "Morgan Reed" wrote:
> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets
> though, I attempted to manually set the IPCHAINS rules just to do a
> quick test, and this is what I got:
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
>
> firewall: -root-
> # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.

This ipchains rule should not specify port 1723. Ports are not a part of the GRE header, so they cannot be specified as targets for ipchains. The rule should read:

ipchains -A input -p 47 -j ACCEPT

to be absolutely minimal about it. If no source or destination address is given, the default is everything.

HTH,
Chad

p.s. take a look at http://www.protocols.com/pbook/tcpip3-1.htm and http://www.protocols.com/pbook/tcpip.htm#TCP for more details on this. This is pretty heavy stuff if you're not used to it, but it tells you what is in the headers of the packets you are trying to filter. It is invaluable if you want to really know what you can do with ipchains.
Re: [Leaf-user] VPN behind Dachstein
Scott,

A quick follow-up question regarding allowing protocol 47 packets though, I attempted to manually set the IPCHAINS rules just to do a quick test, and this is what I got:

firewall: -root-
# ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT

firewall: -root-
# ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
ipchains: can only specify ports for icmp, tcp or udp
Try `ipchains -h' or 'ipchains --help' for more information.

I am not trying to port forward anything at this point, I want to be able to allow any machine on my home network to connect to a VPN machine at a client. So no ipmasqadm portfw.

I uncommented the PPTP module and this is reflected in my log:

Apr 25 10:55:35 firewall kernel: ip_masq_gre(): creating GRE masq for 192.168.1.3 -> 205.158.144.234 CID=43E6 MCID=10EA
Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47 205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x T=116 (#41)

But clearly it is viewing protocol 47 packets as junk and denying them.

What step(s) am I missing?
RE: [Leaf-user] VPN behind Dachstein
Dustin,

This was my setup and it worked! Hope this helps.

Watch out, these are indexed variables!!! Change them!!!

#EXTERN_TCP_PORT4="0/0 1723 192.168.1.24/32"    #Microsoft PPTP
#EXTERN_PROTO0="47 0/0 192.168.1.24/32"         #GRE
INTERN_PPTP_SERVER=192.168.1.xx                 # Internal M$ PPTP server to make available
#INTERN_SERVER2="tcp ${EXTERN_IP} 1723 ${INTERN_PPTP_SERVER} 1723"

Sergio

> -----Original Message-----
> From: Dustin Reiner
> Sent: Friday, April 12, 2002 15:48
> To: Scott C. Best; [EMAIL PROTECTED]
> Subject: RE: [Leaf-user] VPN behind Dachstein
>
> Yes, I have allowed both port 47 and port 1723 with:
> EXTERN_PROTO0="47 vpnserverip/32"
> EXTERN_PROTO1="1723 vpnserverip/32"
>
> I have forwarded pptp traffic to the vpn server with:
> ipmasqadm portfw -a -P tcp -L externalip 1723 -R vpnserverip 1723
>
> and I have allowed GRE tunneling with:
>
> ipfwd --masq vpnserverip 47 &
>
> but I still cannot connect. The firewall rules shown in Weblet regarding
> pptp are below. Do these look right? If someone could summarize the steps
> to do this, to make sure I didn't miss anything, it would be greatly
> appreciated.
>
> Thanks,
> Dustin
>
> 0 0 ACCEPT 47 -- 0xFF 0x00 eth0 vpnserverip externalip n/a
> 0 0 ACCEPT 1723 -- 0xFF 0x00 eth0 vpnserverip externalip n/a
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Scott C. Best
> Sent: Friday, April 12, 2002 2:30 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] VPN behind Dachstein
>
> Dustin:
>
> Heya. Just a quick check to see if you've told your
> firewall to allow those protocol=47 packets to come through.
> You got the TCP port=1723 ones for PPTP right, but there's
> two pieces to it.
>
> -Scott
>
> > Hello,
> >
> > I am attempting to replace a 2.9.4 based firewall with Dachstein. The
> > current firewall forwards VPN traffic to a server behind itself. I have
> > setup the new server with the following entries in network.conf, but I have
> > apparently missed something because I can't connect. If anyone can help, I
> > would appreciate it.
> >
> > Thanks,
> > Dustin
> >
> > -snip-
> > # TCP services open to outside world
> > # Space separated list: srcip/mask_dstport
> > #EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
> > EXTERN_TCP_PORTS="0/0_vpn"
> > -snip-
> > # Advanced settings: parameters passed directly to portfw and autofw
> > # Indexed list: ""
> > #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
> > #INTERN_SERVER1=""
> > INTERN_SERVER0="-a -P tcp -L external_ip 1723 -R vpnserverip 1723"
> > -snip-
> >
> > I have also added the vpn service to /etc/services as:
> >
> > vpn 1723/tcp # vpn traffic
> >
> > and am running ipfwd as:
> >
> > /usr/sbin/ipfwd --masq vpnserverip 47 &
RE: [Leaf-user] VPN behind Dachstein
Dustin:

Close. :) PPTP uses *protocol* 47, and TCP (which is, itself, protocol 6) *port* 1723. You need to tell your firewall to let those two types of packets in. Then you need to port-forward the two of them. Since ipmasqadm only knows about TCP, UDP, and ICMP (protocols 6, 17, and 1, respectively), you need to use the ipfwd utility to forward the protocol 47 packets.

Lastly...you need to have the ip_masq_pptp module line uncommented in your /etc/modules file. It's commented out by default, and if you don't activate it, your DS box won't know to masq the packets to let them out. This step is the one most people miss. It's what I missed the first time too. :)

Here's the relevant section from the echowall.lrp package, which of course supports PPTP:

$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 1723 -p tcp -l -j ACCEPT
$IPCHAINS -A input -s 0/0 -d $IP_EXT/32 -p 47 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $IP_EXT 1723 -R $PPTP_HOST 1723
ipfwd --masq $PPTP_HOST 47 &

Hope this helps!

-Scott

On Fri, 12 Apr 2002, Dustin Reiner wrote:
> Yes, I have allowed both port 47 and port 1723 with:
> EXTERN_PROTO0="47 vpnserverip/32"
> EXTERN_PROTO1="1723 vpnserverip/32"
>
> I have forwarded pptp traffic to the vpn server with:
> ipmasqadm portfw -a -P tcp -L externalip 1723 -R vpnserverip 1723
>
> and I have allowed GRE tunneling with:
>
> ipfwd --masq vpnserverip 47 &
>
> but I still cannot connect. The firewall rules shown in Weblet regarding
> pptp are below. Do these look right? If someone could summarize the steps
> to do this, to make sure I didn't miss anything, it would be greatly
> appreciated.
>
> Thanks,
> Dustin
>
> 0 0 ACCEPT 47 -- 0xFF 0x00 eth0 vpnserverip externalip n/a
> 0 0 ACCEPT 1723 -- 0xFF 0x00 eth0 vpnserverip externalip n/a
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Scott C. Best
> Sent: Friday, April 12, 2002 2:30 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] VPN behind Dachstein
>
> Dustin:
>
> Heya. Just a quick check to see if you've told your
> firewall to allow those protocol=47 packets to come through.
> You got the TCP port=1723 ones for PPTP right, but there's
> two pieces to it.
>
> -Scott
>
> > Hello,
> >
> > I am attempting to replace a 2.9.4 based firewall with Dachstein. The
> > current firewall forwards VPN traffic to a server behind itself. I have
> > setup the new server with the following entries in network.conf, but I have
> > apparently missed something because I can't connect. If anyone can help, I
> > would appreciate it.
> >
> > Thanks,
> > Dustin
RE: [Leaf-user] VPN behind Dachstein
Yes, I have allowed both port 47 and port 1723 with:
EXTERN_PROTO0="47 vpnserverip/32"
EXTERN_PROTO1="1723 vpnserverip/32"

I have forwarded pptp traffic to the vpn server with:
ipmasqadm portfw -a -P tcp -L externalip 1723 -R vpnserverip 1723

and I have allowed GRE tunneling with:

ipfwd --masq vpnserverip 47 &

but I still cannot connect. The firewall rules shown in Weblet regarding pptp are below. Do these look right? If someone could summarize the steps to do this, to make sure I didn't miss anything, it would be greatly appreciated.

Thanks,
Dustin

0 0 ACCEPT 47 -- 0xFF 0x00 eth0 vpnserverip externalip n/a
0 0 ACCEPT 1723 -- 0xFF 0x00 eth0 vpnserverip externalip n/a

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Scott C. Best
Sent: Friday, April 12, 2002 2:30 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN behind Dachstein

Dustin:

Heya. Just a quick check to see if you've told your firewall to allow those protocol=47 packets to come through. You got the TCP port=1723 ones for PPTP right, but there's two pieces to it.

-Scott

> Hello,
>
> I am attempting to replace a 2.9.4 based firewall with Dachstein. The
> current firewall forwards VPN traffic to a server behind itself. I have
> setup the new server with the following entries in network.conf, but I have
> apparently missed something because I can't connect. If anyone can help, I
> would appreciate it.
>
> Thanks,
> Dustin
>
> -snip-
> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> #EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
> EXTERN_TCP_PORTS="0/0_vpn"
> -snip-
> # Advanced settings: parameters passed directly to portfw and autofw
> # Indexed list: ""
> #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
> #INTERN_SERVER1=""
> INTERN_SERVER0="-a -P tcp -L external_ip 1723 -R vpnserverip 1723"
> -snip-
>
> I have also added the vpn service to /etc/services as:
>
> vpn 1723/tcp # vpn traffic
>
> and am running ipfwd as:
>
> /usr/sbin/ipfwd --masq vpnserverip 47 &
Re: [Leaf-user] VPN behind Dachstein
Dustin:

Heya. Just a quick check to see if you've told your firewall to allow those protocol=47 packets to come through. You got the TCP port=1723 ones for PPTP right, but there's two pieces to it.

-Scott

> Hello,
>
> I am attempting to replace a 2.9.4 based firewall with Dachstein. The
> current firewall forwards VPN traffic to a server behind itself. I have
> setup the new server with the following entries in network.conf, but I have
> apparently missed something because I can't connect. If anyone can help, I
> would appreciate it.
>
> Thanks,
> Dustin
>
> -snip-
> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> #EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
> EXTERN_TCP_PORTS="0/0_vpn"
> -snip-
> # Advanced settings: parameters passed directly to portfw and autofw
> # Indexed list: ""
> #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
> #INTERN_SERVER1=""
> INTERN_SERVER0="-a -P tcp -L external_ip 1723 -R vpnserverip 1723"
> -snip-
>
> I have also added the vpn service to /etc/services as:
>
> vpn 1723/tcp # vpn traffic
>
> and am running ipfwd as:
>
> /usr/sbin/ipfwd --masq vpnserverip 47 &
Re: [Leaf-user] VPN behind Dachstein
> In regards to:
> -snip-
> Oh...you also have to let the VPN protocol packets through the
> firewall...it's not clear if you're doing this from the above. ie:
> EXTERN_PROTO0="47 vpnserverip/32"
> -snip-
>
> Would I have to also do this for port 1723?

It's probably good practice, but the default Dachstein rules allow inbound high-port tcp traffic by default, so it should already be open.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] VPN behind Dachstein
In regards to:
-snip-
Oh...you also have to let the VPN protocol packets through the
firewall...it's not clear if you're doing this from the above. ie:
EXTERN_PROTO0="47 vpnserverip/32"
-snip-

Would I have to also do this for port 1723?

Thanks.

-----Original Message-----
From: Charles Steinkuehler
Sent: Friday, April 12, 2002 11:43 AM
To: Dustin Reiner; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN behind Dachstein

> I am attempting to replace a 2.9.4 based firewall with Dachstein. The
> current firewall forwards VPN traffic to a server behind itself. I have
> setup the new server with the following entries in network.conf, but I have
> apparently missed something because I can't connect. If anyone can help, I
> would appreciate it.
>
> Thanks,
> Dustin
>
> -snip-
> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> #EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
> EXTERN_TCP_PORTS="0/0_vpn"
> -snip-
> # Advanced settings: parameters passed directly to portfw and autofw
> # Indexed list: ""
> #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
> #INTERN_SERVER1=""
> INTERN_SERVER0="-a -P tcp -L external_ip 1723 -R vpnserverip 1723"
> -snip-
>
> I have also added the vpn service to /etc/services as:
>
> vpn 1723/tcp # vpn traffic
>
> and am running ipfwd as:
>
> /usr/sbin/ipfwd --masq vpnserverip 47 &

I think you need to use the ip_masq_pptp.o module, rather than trying to forward the VPN packets manually, but I don't do a lot of VPN masquerading. Is this a standard PPTP VPN? If so, there are several folks on-list who have made this work, and can probably help better with exact setup requirements...

Oh...you also have to let the VPN protocol packets through the firewall...it's not clear if you're doing this from the above. ie:
EXTERN_PROTO0="47 vpnserverip/32"

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN behind Dachstein
> I am attempting to replace a 2.9.4 based firewall with Dachstein. The
> current firewall forwards VPN traffic to a server behind itself. I have
> setup the new server with the following entries in network.conf, but I have
> apparently missed something because I can't connect. If anyone can help, I
> would appreciate it.
>
> Thanks,
> Dustin
>
> -snip-
> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> #EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
> EXTERN_TCP_PORTS="0/0_vpn"
> -snip-
> # Advanced settings: parameters passed directly to portfw and autofw
> # Indexed list: ""
> #INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
> #INTERN_SERVER1=""
> INTERN_SERVER0="-a -P tcp -L external_ip 1723 -R vpnserverip 1723"
> -snip-
>
> I have also added the vpn service to /etc/services as:
>
> vpn 1723/tcp # vpn traffic
>
> and am running ipfwd as:
>
> /usr/sbin/ipfwd --masq vpnserverip 47 &

I think you need to use the ip_masq_pptp.o module, rather than trying to forward the VPN packets manually, but I don't do a lot of VPN masquerading. Is this a standard PPTP VPN? If so, there are several folks on-list who have made this work, and can probably help better with exact setup requirements...

Oh...you also have to let the VPN protocol packets through the firewall...it's not clear if you're doing this from the above. ie:
EXTERN_PROTO0="47 vpnserverip/32"

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] VPN behind Dachstein
Hello,

I am attempting to replace a 2.9.4 based firewall with Dachstein. The current firewall forwards VPN traffic to a server behind itself. I have setup the new server with the following entries in network.conf, but I have apparently missed something because I can't connect. If anyone can help, I would appreciate it.

Thanks,
Dustin

-snip-
# TCP services open to outside world
# Space separated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
EXTERN_TCP_PORTS="0/0_vpn"
-snip-
# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: ""
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
INTERN_SERVER0="-a -P tcp -L external_ip 1723 -R vpnserverip 1723"
-snip-

I have also added the vpn service to /etc/services as:

vpn 1723/tcp # vpn traffic

and am running ipfwd as:

/usr/sbin/ipfwd --masq vpnserverip 47 &