RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-12 Thread Chris Willis
 

-Original Message-
From: Chris Willis 
Sent: Sunday, March 12, 2006 10:23 AM
To: 'Melameth, Daniel D.'
Subject: RE: Solution Request: I need to initiate outbound PPTP requests
thru FreeBSD firewall

This is what fwbuilder is creating.


set limit { frags 5000, states 1 }
set timeout adaptive.start 8000
set timeout adaptive.end 1
set optimization Normal

#
# Rule  0 (NAT)
# force mail server to NAT using same IP as incoming mail
#
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
#
# Rule  1 (NAT)
# force outbound vpn traffic to source port 500
#
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
#
# Rule  2 (NAT)
# NAT all 1928 LAN clients to an IP address on the external NIC
#
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
#
# Rule  3 (NAT)
# Port Forward services to DC1
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 3389 -> 192.168.254.254 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.226 port 1723 -> 192.168.254.254 port 1723
rdr on fxp0 proto udp from any to 64.62.37.226 port 500 -> 192.168.254.254 port 500
rdr on fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 51 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 50 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto tcp from any to 64.62.37.226 port 22 -> 192.168.254.254 port 22
#
# Rule  4 (NAT)
# Port Forward Services to MAIL1
#
rdr on fxp0 proto tcp from any to 64.62.37.227 port 110 -> 192.168.254.253 port 110
rdr on fxp0 proto tcp from any to 64.62.37.227 port 443 -> 192.168.254.253 port 443
rdr on fxp0 proto tcp from any to 64.62.37.227 port 3389 -> 192.168.254.253 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.227 port 80 -> 192.168.254.253 port 80
#
# Rule  5 (NAT)
# port forward to the store camera
#
rdr on fxp0 proto tcp from any to 64.62.37.228 port 80 -> 192.168.202.96 port 80
#
# Rule  6 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 23 -> 192.168.200.11 port 23
#
# Rule  7 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
rdr on fxp0 proto udp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
#
# Rule  8 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11002 -> 192.168.202.19 port 21
#
# Rule  9 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.230 port 3389 -> 192.168.254.255 port 3389


# Tables: (3)
table <id4411F6F4.1> { 224.0.0.0/4 , 169.254.0.0/16 , 127.0.0.0/8 , 10.0.0.0/8 , 192.168.0.0/12 , 192.0.2.0/24 , 0.0.0.0/8 }
table <id4411F73B.2> { 64.62.37.226 , 64.62.37.227 , 64.62.37.228 , 64.62.37.229 , 64.62.37.230 , 192.168.200.89 , 192.168.200.40 }
table <id4411FCBC.1> { 192.168.0.0/16 , 66.134.48.170 }

#
# Rule  0 (fxp0)
# anti-spoof rule for external interfaces
#
block in   log  quick on fxp0 inet  from <id4411F6F4.1>  to any  label "RULE 0 -- DROP"
#
# Rule  0 (lo0)
# allow loopback to all - required to log onto box
#
pass in   log  quick on lo0 inet  from any  to any keep state  label "RULE 0 -- ACCEPT"
pass out  log  quick on lo0 inet  from any  to any keep state  label "RULE 0 -- ACCEPT"
#
# Rule  0 (global)
# deny bad combinations of TCP flags
#
block in   log  quick inet proto tcp  from any  to any flags U/UA  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags RF/RF  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags RS/RS  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags SF/SF  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags UAPRSF/UAPRSF  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags /UAPRSF  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags UPF/UAPRSF  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags UPSF/UAPRSF  label "RULE 0 -- DROP"
block in   log  quick inet proto tcp  from any  to any flags UARSF/UAPRSF  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags U/UA  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags RF/RF  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags RS/RS  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags SF/SF  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags UAPRSF/UAPRSF  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags /UAPRSF  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags UPF/UAPRSF  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags UPSF/UAPRSF  label "RULE 0 -- DROP"
block out  log  quick inet proto tcp  from any  to any flags UARSF/UAPRSF  label RULE

Re: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-12 Thread Peter N. M. Hansteen
Chris Willis [EMAIL PROTECTED] writes:

 I used FWBuilder to create the policy for the FreeBSD box.  When I
 install Linux 2.6 in place of the freebsd box, and use the exact same
 FWBuilder ruleset, then outbound PPTP works great.

To me, this sounds like FWBuilder's PF rule generator is buggier than
its iptables script generator.  

You may not be aware that something or other did something seriously
ugly to your rule set before it made it out to us.  Recovering the
format was not pleasant.  Reading your rule set, a few things jump out
at once (that is, after inserting sensible line breaks):

* logic: have you checked that the address ranges in the tables you 
  'block quick' do not overlap with the address ranges you are actually 
  using yourself? Rule evaluation order could be tripping you up.
* logic: why do you list which protocols to NAT? If you NAT, you want to NAT
  everything, but limit what to *pass*.
* logic: why is every filter rule a quick rule?
* readability: why is every 'pass in' paired with a matching 'pass out' rule?
* readability: why do you go for protocol numbers in your rdr rules, not
  names?

This is certainly not a comprehensive analysis, but do look into the
logic issues here. The readability issues are probably byproducts of
using a GUI tool, so I won't beat you over the head with them just yet.
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.
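Two of the logic points above can be checked mechanically. The following is an added example, not code from the thread or from fwbuilder: it parses the nat rules re-flowed from the posted rule set plus the anti-spoof table, flags nat rules whose proto list omits GRE (IP protocol 47, the PPTP data channel, which then leaves the LAN with its private source untranslated), and reports table entries overlapping networks the site uses itself (192.168.0.0/16 and the public addresses, taken from the rule set).

```python
"""Audit PF nat rules and a 'block quick' table for the two logic points above."""
import ipaddress
import re

# Constructed sample input: the nat rules and the anti-spoof table from the posted
# rule set, re-flowed one rule per line (the list archive mangled the line breaks).
RULES = """
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
rdr on fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254
"""
BLOCK_TABLE = ["224.0.0.0/4", "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8",
               "192.168.0.0/12", "192.0.2.0/24", "0.0.0.0/8"]

RULE_RE = re.compile(r"^(nat|rdr) on \S+(?: proto (\{[^}]*\}|\S+))? from (\S+) to (\S+)")

def parse_rules(text):
    """Yield (action, protocol set or None, src, dst) for each nat/rdr line."""
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        action, proto, src, dst = m.groups()
        protos = None if proto is None else set(re.split(r"[\s,]+", proto.strip("{} ")))
        yield action, protos, src, dst

def nat_rules_missing_gre(text):
    """nat rules that name protocols but not GRE (proto 47, the PPTP data channel):
    GRE from the LAN leaves with its private source address untranslated."""
    return [f"nat from {src}: proto {sorted(protos)} excludes gre"
            for action, protos, src, _ in parse_rules(text)
            if action == "nat" and protos is not None and not protos & {"gre", "47"}]

def table_overlaps(table, own_nets):
    """(entry, canonical network, own network) for every table entry that overlaps a
    network the site uses itself. strict=False keeps an entry with host bits set,
    so 192.168.0.0/12 is evaluated as the /12 that actually contains it."""
    hits = []
    for entry in table:
        net = ipaddress.ip_network(entry, strict=False)
        for own in own_nets:
            if net.overlaps(ipaddress.ip_network(own, strict=False)):
                hits.append((entry, str(net), own))
    return hits

if __name__ == "__main__":
    for msg in nat_rules_missing_gre(RULES):
        print(msg)
    for entry, canon, own in table_overlaps(BLOCK_TABLE, ["192.168.0.0/16", "64.62.37.226"]):
        print(f"block-quick table entry {entry} (= {canon}) overlaps {own}")
```

Whether a reported overlap is a problem depends on the interface and direction of the rule that uses the table; the script only surfaces the candidates to look at.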


RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-12 Thread Tihomir Koychev
Hi,
I have some suggestions below.

--- Chris Willis [EMAIL PROTECTED] wrote:

  
 
 -Original Message-
 From: Chris Willis 
 Sent: Sunday, March 12, 2006 10:23 AM
 To: 'Melameth, Daniel D.'
 Subject: RE: Solution Request: I need to initiate outbound PPTP
 requests
 thru FreeBSD firewall
 
 This is what fwbuilder is creating.
 
 
 set limit { frags 5000, states 1 }
 set timeout adaptive.start 8000
 set timeout adaptive.end 1
 set optimization Normal
 
 #
 # Scrub rules
 #
 scrub in all fragment reassemble
 scrub out all random-id 
 
 #
 # Rule  0 (NAT)
 # force mail server to NAT using same IP as incoming mail
 #
 nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227

Rule 0
nat on fxp0 from 192.168.254.253 to any -> 64.62.37.22

 #
 # Rule  1 (NAT)
 # force outbound vpn traffic to source port 500
 #
 nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
 #
 # Rule  2 (NAT)
 # NAT all 1928 LAN clients to an IP address on the external NIC
 #
 nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226

nat on fxp0 from 192.168.0.0/16 to any -> 64.62.37.22

That is enough for PPTP nat.

pass in quick on $int_if proto gre from any to any keep state
pass in quick on $int_if inet proto tcp from any to any port = 1723 flags S/SA keep state

pass out quick on $ext_if proto gre from any to any keep state

I'm using OpenBSD 3.8 and the above 3 rules are enough. By the way, 3.8 does
not need to pass in/out gre proto.
Also check sysctl net.inet.gre.allow

Rules are very hard to read. Try pf.conf with a minimal ruleset. FWbuilder
seems to me to have a bug.

Best regards
Tihomir


RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Melameth, Daniel D.
Chris Willis wrote:
 I have setup a FreeBSD box running PF for a client.  It is the
 'firewall' for their internal LAN.
 
 I cannot make an outbound VPN connection from their LAN to any other
 microsoft PPTP VPN server.
 
 The VPN connections work fine from any machine that plugs in to the
 hub in FRONT of the firewall (static public IP), but that obviously
 isn't the solution.
 
 What changes need to be made to the ruleset to allow outbound PPTP
 connections?  Here is the existing NAT rule I thought might work based
 on browsing the Archives:
 
 nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any -> 206.135.37.226 port 500
 
 But it didn't help at all.  I put that rule both in front of, and
 behind, the regular NAT rule for outbound network traffic.

I hate to say it Chris, but have you bothered to even find out what
ports/protocols PPTP actually uses?  Perhaps TCP 1723 and GRE?


Re: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Peter N. M. Hansteen
Chris Willis [EMAIL PROTECTED] writes:

 What changes need to be made to the ruleset to allow outbound PPTP
 connections?  Here is the existing NAT rule I thought might work based on
 browsing the Archives:

googlemancy on PF NAT PPTP seems to indicate that some sort of proxying
(see eg http://undeadly.org/cgi?action=article&sid=20041009000521) and
letting gre traffic pass is needed.

I actually downloaded and started fiddling with frickin rather soon
after it was announced, but before I had a working setup, the users who
wanted to use a Microsoft VPN for something or other thought of some
other way to do what they needed.

(Microsoft - no, there's always an easier way :))
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.


RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Melameth, Daniel D.
Peter N. M. Hansteen wrote:
 Chris Willis [EMAIL PROTECTED] writes:
  What changes need to be made to the ruleset to allow outbound PPTP
  connections?  Here is the existing NAT rule I thought might work
  based on browsing the Archives:
 
 googlemancy on PF NAT PPTP seems to indicate that some sort of
 proxying (see eg
 http://undeadly.org/cgi?action=article&sid=20041009000521) and
 letting gre traffic pass is needed.

Outside of the call id field/two users behind the firewall cannot make a
connection to the same PPTP server issue, which might be addressed in
the latest releases, this works without incident for me.


RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Chris Willis
Ok, this is not a PPTP connection from the internet TO a box on the
internal LAN.

This is a problem with making a PPTP connection from the internal LAN
to any PPTP server out on the internet.

Thus, TCP 1723 and GRE are not the issue.  I am passing ALL from the
internal LAN to the internet.

I used FWBuilder to create the policy for the FreeBSD box.  When I
install Linux 2.6 in place of the FreeBSD box, and use the exact same
FWBuilder ruleset, then outbound PPTP works great.

Any other thoughts?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Melameth, Daniel D.
Sent: Saturday, March 11, 2006 12:27 AM
To: pf@benzedrine.cx
Subject: RE: Solution Request: I need to initiate outbound PPTP requests
thru FreeBSD firewall


RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Melameth, Daniel D.
Post your rule set.
