On 3/14/06, John Wells <[EMAIL PROTECTED]> wrote:
> Guys,
>
> I've been working through my first pfsense install, and have been
> extremely impressed with all design decisions...until this morning.
>
> My configuration is pretty easy:
>
> - LAN
> - WAN
> - DMZ
> - DMZ for wireless with PPTP VPN into LAN
>
> Should be easy enough to set up...I've been doing it with Linux fws for
> years. However, whenever I enable the PPTP server on pfsense, the firewall
> installs rules to allow PPTP traffic on ALL interfaces. So, if I want to
> use pfsense's VPN capabilities to protect my wireless network, I have to
> also expose my VPN to the world at large...NOT desired by any means.
>
> I posted a FAQ and received this in reply from Holger Bauer:
>
> "To answer your question: By enabling the PPTP-Server pfSense creates
> rules behind the scenes for all available interfaces to allow pptp
> traffic. The user defined rules are created below these "system internal"
> rules. There is no way to block this traffic in pfSense 1.0."
>
> I can fathom why one would not want to restrict all VPN initiation to a
> particular interface or set of interfaces.
>
> So, two questions.
>
> 1. is this a conscious design decision, or only a feature waiting to
> happen? If it is indeed a feature you'd be interested in, I'm willing to
> roll up my sleeves if I can block some time.
>
> 2. is there an easy way to implement this behavior? Can I hack into the
> hidden rules to restrict access to only my wireless interface?

This is all done in /etc/inc/filter.inc.  I'm making a guess (no code
in front of me while at work) that the rule is a 'pass in quick' to
eliminate further rule processing.  As a quick and dirty hack, you
could duplicate those rules as user rules and then comment out the
pfSense auto-generated ones in filter.inc (or just modify filter.inc
to use the appropriate interface).

The correct fix however (and the reason it won't see 1.0) is to have
the rule(s) get created in the XML rule section when PPTP is enabled. 
This is a slightly harder change and I've got some "interesting"
design ideas about it and all rules that we just dump in the rule file
behind the scenes.

--Bill
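For readers following the thread, here is an added illustration (not code from the list posters or from pfSense's filter.inc) of what the "pass in quick on every interface" problem looks like in pf.conf terms, next to the interface-restricted form John is asking for. Interface names, the PPTP server address and the wireless subnet are assumptions chosen for the example; PPTP itself needs TCP port 1723 for control plus GRE (IP protocol 47) for the tunnel, which is why two rules are involved.

```pf
# Interface macros: the thread has LAN, WAN, DMZ and a wireless DMZ.
# Device names and addresses below are assumptions for this example.
wan_if   = "fxp0"
lan_if   = "fxp1"
dmz_if   = "fxp2"
wifi_if  = "fxp3"
pptp_srv = "192.168.10.1"      # pfSense address on the wireless DMZ (assumed)
wifi_net = "192.168.10.0/24"   # wireless client subnet (assumed)

# Default-deny so that anything without a matching pass rule is dropped.
block in log all

# --- What the auto-generated rules amount to (weak form) -------------------
# No "on <interface>" clause, so PPTP is accepted on WAN, LAN and both DMZs.
# "quick" ends rule evaluation on a match, so user rules placed after these
# never get a chance to block the traffic.
pass in quick proto tcp from any to $pptp_srv port 1723 flags S/SA keep state
pass in quick proto gre from any to $pptp_srv keep state

# --- Interface-restricted form (what the fix would generate) ---------------
# Same two rules, but bound to the wireless DMZ interface and its subnet.
# A PPTP SYN arriving on $wan_if matches neither rule and falls through to
# the "block in log all" above, so it is dropped and logged.
pass in quick on $wifi_if proto tcp from $wifi_net to $pptp_srv port 1723 \
    flags S/SA keep state
pass in quick on $wifi_if proto gre from $wifi_net to $pptp_srv keep state
```

To check which variant a running box actually has loaded, `pfctl -sr` lists the active ruleset; the rules created "behind the scenes" show up there even though they do not appear in the web GUI, and the presence or absence of an `on <interface>` clause on the port 1723 and GRE lines is the thing to look for.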
