RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
Chris Willis wrote:
> I have setup a FreeBSD box running PF for a client. It is the 'firewall' for their internal LAN. I cannot make an outbound VPN connection from their LAN to any other Microsoft PPTP VPN server. The VPN connections work fine from any machine that plugs in to the hub in FRONT of the firewall (static public IP), but that obviously isn't the solution.
>
> What changes need to be made to the ruleset to allow outbound PPTP connections? Here is the existing NAT rule I thought might work based on browsing the Archives:
>
>   nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any -> 206.135.37.226 port 500
>
> But it didn't help at all. I put that rule both in front of, and behind, the regular NAT rule for outbound network traffic.

I hate to say it Chris, but have you bothered to even find out what ports/protocols PPTP actually uses? Perhaps TCP 1723 and GRE?
Re: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
Chris Willis [EMAIL PROTECTED] writes:
> What changes need to be made to the ruleset to allow outbound PPTP connections? Here is the existing NAT rule I thought might work based on browsing the Archives:

Googlemancy on "PF NAT PPTP" seems to indicate that some sort of proxying (see eg http://undeadly.org/cgi?action=article&sid=20041009000521) and letting gre traffic pass is needed.

I actually downloaded and started fiddling with frickin rather soon after it was announced, but before I had a working setup, the users who wanted to use a Microsoft VPN for something or other thought of some other way to do what they needed. (Microsoft - no, there's always an easier way :))

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.
RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
Peter N. M. Hansteen wrote:
> Chris Willis [EMAIL PROTECTED] writes:
>> What changes need to be made to the ruleset to allow outbound PPTP connections? Here is the existing NAT rule I thought might work based on browsing the Archives:
>
> Googlemancy on "PF NAT PPTP" seems to indicate that some sort of proxying (see eg http://undeadly.org/cgi?action=article&sid=20041009000521) and letting gre traffic pass is needed.

Outside of the call id field / two users behind the firewall cannot make a connection to the same PPTP server issue, which might be addressed in the latest releases, this works without incident for me.
RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
Ok, this is not a PPTP connection from the internet TO a box on the internal LAN. This is a problem with making a PPTP connection from the internal LAN to any PPTP server out on the internet. Thus, TCP 1723 and GRE are not the issue. I am passing ALL from the internal LAN to the internet.

I used FWBuilder to create the policy for the FreeBSD box. When I install Linux 2.6 in place of the FreeBSD box, and use the exact same FWBuilder ruleset, then outbound PPTP works great.

Any other thoughts?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Melameth, Daniel D.
Sent: Saturday, March 11, 2006 12:27 AM
To: pf@benzedrine.cx
Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

Chris Willis wrote:
> I have setup a FreeBSD box running PF for a client. It is the 'firewall' for their internal LAN. I cannot make an outbound VPN connection from their LAN to any other Microsoft PPTP VPN server. The VPN connections work fine from any machine that plugs in to the hub in FRONT of the firewall (static public IP), but that obviously isn't the solution.
>
> What changes need to be made to the ruleset to allow outbound PPTP connections? Here is the existing NAT rule I thought might work based on browsing the Archives:
>
>   nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any -> 206.135.37.226 port 500
>
> But it didn't help at all. I put that rule both in front of, and behind, the regular NAT rule for outbound network traffic.

I hate to say it Chris, but have you bothered to even find out what ports/protocols PPTP actually uses? Perhaps TCP 1723 and GRE?
RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
Post your rule set.

Chris Willis wrote:
> Ok, this is not a PPTP connection from the internet TO a box on the internal LAN. This is a problem with making a PPTP connection from the internal LAN to any PPTP server out on the internet. Thus, TCP 1723 and GRE are not the issue. I am passing ALL from the internal LAN to the internet.
>
> I used FWBuilder to create the policy for the FreeBSD box. When I install Linux 2.6 in place of the FreeBSD box, and use the exact same FWBuilder ruleset, then outbound PPTP works great.
>
> Any other thoughts?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Melameth, Daniel D.
> Sent: Saturday, March 11, 2006 12:27 AM
> To: pf@benzedrine.cx
> Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
>
> Chris Willis wrote:
>> I have setup a FreeBSD box running PF for a client. It is the 'firewall' for their internal LAN. I cannot make an outbound VPN connection from their LAN to any other Microsoft PPTP VPN server. The VPN connections work fine from any machine that plugs in to the hub in FRONT of the firewall (static public IP), but that obviously isn't the solution.
>>
>> What changes need to be made to the ruleset to allow outbound PPTP connections? Here is the existing NAT rule I thought might work based on browsing the Archives:
>>
>>   nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any -> 206.135.37.226 port 500
>>
>> But it didn't help at all. I put that rule both in front of, and behind, the regular NAT rule for outbound network traffic.
>
> I hate to say it Chris, but have you bothered to even find out what ports/protocols PPTP actually uses? Perhaps TCP 1723 and GRE?
Re: ping: wrote x.x.x.x 64 chars, ret=-1
Convert all your block rules to use log, sniff on pflog0 with -e and -s 2048. That should tell you what rule is blocking the first few.

My hunch is that some kind of state is getting set up by the ICMP echo replies, and thus future requests are being passed. In any case, the "no route to host" suggests that it is pf that is blocking it.

--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
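As an added example, not taken from any message in either thread above, here is a minimal pf.conf that ties together the two points the posters make: outbound PPTP needs the TCP 1723 control connection and the GRE (IP protocol 47) tunnel passed and translated, not UDP 500 (which is IKE, the IPsec key exchange), and block rules with `log` let tcpdump on pflog0 name the rule that dropped a packet. The external interface, LAN prefix and public address are taken from Chris's post; fxp1 as the inside interface is an assumption. The syntax is the nat/pass form of pf as shipped with FreeBSD 5/6 and OpenBSD 3.x, the versions in use when this thread was written.

```pf
# Added example, not the poster's ruleset. Values below are assumptions
# except fxp0, 172.16.0.0/16 and 206.135.37.226, which come from the thread.
ext_if = "fxp0"
int_if = "fxp1"          # assumed inside interface
lan    = "172.16.0.0/16"
pub_ip = "206.135.37.226"

# --- Translation -------------------------------------------------------
# A nat rule with no "proto" matches every IP protocol, so this one rule
# already translates both the TCP 1723 control session and the GRE
# tunnel. The original rule translated UDP 500, which PPTP never sends.
nat on $ext_if from $lan to any -> $pub_ip

# --- Filtering ---------------------------------------------------------
# Default deny, logged. With "log", every packet this rule drops shows up
# on pflog0 with the rule number, which is what
#   tcpdump -n -e -ttt -i pflog0 -s 2048
# prints (the debugging approach from the ping thread above).
block log all

pass quick on lo0 all

# LAN hosts may initiate anything toward the Internet.
pass in on $int_if from $lan to any keep state

# Outbound after translation. PPTP is spelled out explicitly so the two
# halves are visible; the final rule would cover them anyway.
pass out on $ext_if proto tcp from $pub_ip to any port 1723 flags S/SA keep state
pass out on $ext_if proto gre from $pub_ip to any keep state
pass out on $ext_if from $pub_ip to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then bring a PPTP client up and confirm both halves created state with `pfctl -ss | grep -e 1723 -e gre`. The caveat Daniel raises follows directly from the GRE rule: GRE carries no port numbers, so pf's translation state for the tunnel is keyed only on source address, destination address and protocol. Two LAN hosts connecting to the same PPTP server both become `$pub_ip -> server, proto gre`, and pf of this era cannot tell their return packets apart; the PPTP call ID inside the GRE header is the only field that distinguishes them, and handling it is what the proxy Peter points to is for.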