I finally managed to find the problem and fix it! \o/
I had an alias called "pptp" pointing to port 1723.
Ironically this effectively disabled any incoming PPTP traffic.
Reason: somewhere in the firewall while building up the rules this alias
makes it into the rulebase as an interface and thus you end up with a
pointless rule like this:
pass in quick on 1723 all keep state label "USER_RULE: Permit everything via PPTP"
When I changed the alias to pptp_signal, the rule build-up script would
start to create the right rules:
pass in quick on ng1 all keep state label "USER_RULE: Permit everything via PPTP"
pass in quick on ng2 all keep state label "USER_RULE: Permit everything via PPTP"
[...]
So since this is not exactly intuitive and cost me a few grey hairs ;)
either pptp should be made a reserved word so that it can't be used as an
alias, or some script needs to be patched so that an alias won't be
substituted for an interface.
Cheers, Thorsten
Thorsten Kunz wrote:
Hi all,
I already posted this question to the Forum but without any luck. Maybe
somebody on this list has an idea of what the problem could be.
I have set up our PFS cluster to terminate PPTP connections. The server
itself seems to work nicely. I can connect with the (windows) client,
username/password are being checked and the defined IP address is being
assigned to the client. So the client and the PFS both tell me that the
connection was established successfully. So far so good.
But now the problems start: no matter what firewall rules I add to the
PPTP tab it would block all traffic coming in via PPTP. I tried "permit
everything" rules as well as specific rules for e.g. ssh. Not working at
all no matter how I try it. The firewall log would always show me
blocked traffic like this:
Jul 17 05:11:00 NG1 10.20.30.32:50517 208.75.8.32:22 TCP
and the triggered rule would be:
@164 block drop in log quick all label "Default block all just to be sure."
Here is the setup:
PPTP Client <-> INet <-> PFS <-> Server
The Server has an official IP address so there is no NAT going on. PFS
version is 1.2-beta2. Everything else the firewall is supposed to do
works very well.
I am out of ideas now and could really use some help. Any thoughts?
TIA, Thorsten
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
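A small sanity check in the spirit of the fix Thorsten asks for, added here as an example (it is not code from the thread or from pfSense): it scans pfctl -sr style rule output and flags any "on" clause that does not name a real interface, which is exactly how the alias collision shows up ("pass in quick on 1723 ..."). The sample rule text and the KNOWN_IFACES set (normally taken from ifconfig -l) are constructed for the example.

```python
# Constructed sample in the format of `pfctl -sr`, including the bad rule
# from the thread: the alias value 1723 landed in the interface position.
SAMPLE_RULES = """\
pass in quick on 1723 all keep state label "USER_RULE: Permit everything via PPTP"
pass in quick on ng1 all keep state label "USER_RULE: Permit everything via PPTP"
pass in quick on ng2 all keep state label "USER_RULE: Permit everything via PPTP"
block drop in log quick all label "Default block all just to be sure."
"""

# Assumption: interface names you would get from `ifconfig -l` on the box.
KNOWN_IFACES = {"em0", "em1", "ng1", "ng2"}


def interfaces_in_rule(rule):
    """Return the names in the rule's 'on' clause ([] if the rule has none).

    Handles the single form (on em0), negation (on !em0) and the list form
    (on { em0 em1 }). The label string is cut off first so a word 'on'
    inside a label cannot be mistaken for the keyword."""
    toks = rule.split(" label ")[0].split()
    if "on" not in toks:
        return []
    i = toks.index("on") + 1
    if i >= len(toks):
        return []
    if toks[i] == "{":
        names = []
        for t in toks[i + 1:]:
            if t == "}":
                break
            names.append(t.rstrip(","))
        return names
    return [toks[i].lstrip("!")]


def find_suspect_rules(rules_text, known_ifaces):
    """Return (line_no, rule, bad_names) for every rule whose 'on' clause
    names something that is not a known interface, e.g. a port number or
    an alias value that leaked into the generated rulebase."""
    hits = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bad = [name for name in interfaces_in_rule(line) if name not in known_ifaces]
        if bad:
            hits.append((n, line, bad))
    return hits


if __name__ == "__main__":
    for n, rule, bad in find_suspect_rules(SAMPLE_RULES, KNOWN_IFACES):
        print(f"line {n}: unknown interface(s) {bad} in: {rule}")
```

On a live system, feed it the real output with `pfctl -sr` and the interface list from `ifconfig -l` instead of the constructed sample.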