From owner-freebsd-ipfw Mon Feb 21 5:37: 2 2000
From: "Nicolai Petri (ML)"
Date: Mon, 21 Feb 2000 14:46:28 +0100 (CET)
To: freebsd-ipfw@freebsd.org
Subject: keep-state option in CURRENT.

I was wondering what the progress for keep-state is in current. I'm currently using it for test and it looks very nice.. But it seems that my dynamic rules are never deleted. Is this a bug or is it just not implemented yet?

I'm currently developing a firewall concept on FreeBSD and am very interested in the ongoing effort. If I'm going to contribute to the source, which areas need attention?

---
Regards,
Nicolai Petri
IT-Consultant

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Feb 21 5:43:53 2000
From: Luigi Rizzo
Message-Id: <200002211343.OAA93003@info.iet.unipi.it>
Subject: Re: keep-state option in CURRENT.
In-Reply-To: from "Nicolai Petri (ML)" at "Feb 21, 2000 02:46:28 pm"
To: "Nicolai Petri (ML)"
Date: Mon, 21 Feb 2000 14:43:24 +0100 (CET)
Cc: freebsd-ipfw@FreeBSD.ORG

> I was wondering what the progress for keep-state is in current. I'm
> currently using it for test and it looks very nice.. But it seems that my

it's working in both -current and -stable.

> dynamic rules are never deleted. Is this a bug or is it just not
> implemented yet.

They expire after some time (variable between 5 and 300s depending on the state), but expired rules are deleted in a lazy way, only when the code goes through them while scanning for matching rules or trying to find space.

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it    . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/    . Universita` di Pisa
TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
Mobile   +39-347-0373137
-----------------------------------+-------------------------------------

From owner-freebsd-ipfw Mon Feb 21 6: 6:10 2000
From: "Nicolai Petri (ML)"
Date: Mon, 21 Feb 2000 15:15:00 +0100 (CET)
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state option in CURRENT.
In-Reply-To: <200002211343.OAA93003@info.iet.unipi.it>

On Mon, 21 Feb 2000, Luigi Rizzo wrote:
> > dynamic rules are never deleted. Is this a bug or is it just not
> > implemented yet.
>
> They expire after some time (variable between 5 and 300s depending
> on the state), but expired rules are deleted in a lazy way, only
> when the code goes through them while scanning for matching rules
> or trying to find space.

What is the result of the following ruleset:

    1000 allow ip from ${MYIPADDR} to any keep-state
    1100 allow ip from any to ${MYIPADD} 23 keep-state
    1200 deny all from any to any

In this setup when will the dynamic rules be deleted? Is it when an incoming packet is hitting a deny rule or when there are more than X rules and a new dynamic rule is created?

---
Nicolai Petri

From owner-freebsd-ipfw Mon Feb 21 6:16:33 2000
From: Luigi Rizzo
Message-Id: <200002211415.PAA93177@info.iet.unipi.it>
Subject: Re: keep-state option in CURRENT.
In-Reply-To: from "Nicolai Petri (ML)" at "Feb 21, 2000 03:15:00 pm"
To: "Nicolai Petri (ML)"
Date: Mon, 21 Feb 2000 15:15:34 +0100 (CET)
Cc: freebsd-ipfw@FreeBSD.ORG

> 1000 allow ip from ${MYIPADDR} to any keep-state
> 1100 allow ip from any to ${MYIPADD} 23 keep-state
> 1200 deny all from any to any
>
> In this setup when will the dynamic rules be deleted ?
> Is it when a incoming packet is hitting a deny rule or when there is more
> then X rules and a new dynamic rule is created ?

rule 1100 above is not even legal. You should write the following rules

    ipfw add 100 check-state
    ipfw add 200 deny tcp from any to any established
    ipfw add 1000 allow tcp from ${MYIPADDR} to any setup keep-state
    ipfw add 1100 allow tcp from any to ${MYIPADDR} setup keep-state
    ipfw add 2000 deny tcp from any to any

and then something else for other udp/tcp packets perhaps

    ipfw add 1200 allow udp from ${MYIPADDR} to any keep-state

to let outgoing udp connections "open the firewall" (note that rule 1100 will let requests from the outside be accepted, maybe you want to restrict the allowed sources).
cheers
luigi

From owner-freebsd-ipfw Mon Feb 21 6:35:38 2000
From: "Nicolai Petri (ML)"
Date: Mon, 21 Feb 2000 15:44:34 +0100 (CET)
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state option in CURRENT.
In-Reply-To: <200002211415.PAA93177@info.iet.unipi.it>

On Mon, 21 Feb 2000, Luigi Rizzo wrote:
> rule 1100 above is not even legal.

sorry. I forgot the tcp.

> You should write the following rules
>
>     ipfw add 100 check-state
>     ipfw add 200 deny tcp from any to any established
>     ipfw add 1000 allow tcp from ${MYIPADDR} to any setup keep-state
>     ipfw add 1100 allow tcp from any to ${MYIPADDR} setup keep-state
>     ipfw add 2000 deny tcp from any to any
>
> and then something else for other udp/tcp packets perhaps
>
>     ipfw add 1200 allow udp from ${MYIPADDR} to any keep-state

Perfect. I do not know why I missed the check-state rule.. Would it be an idea to check if there is a check-state entry? I think it could bite a lot of people because the firewall simply fills up the rule table and never clears it. (It looks really nasty on the console btw.)

What about the invalid state messages I receive.. Is it something I should trace or is it simply not handled 100% yet?

But else it works fine. Great work..
---
Nicolai Petri

From owner-freebsd-ipfw Mon Feb 21 6:40:29 2000
From: Luigi Rizzo
Message-Id: <200002211439.PAA93283@info.iet.unipi.it>
Subject: Re: keep-state option in CURRENT.
In-Reply-To: from "Nicolai Petri (ML)" at "Feb 21, 2000 03:44:34 pm"
To: "Nicolai Petri (ML)"
Date: Mon, 21 Feb 2000 15:39:55 +0100 (CET)
Cc: freebsd-ipfw@FreeBSD.ORG

> > You should write the following rules
...
> Perfekt. I do not know why i missed the check-state rule.. Would it be an
> idea to check if there is a check-state entry ? I think it could bite a
> lot of people because the firewall simply fills up the ruletable and never
> clears it. (It looks really nasty on the console btw.)

not sure what you mean -- state is checked at the first keep-state rule anyways (did I mention this in the manpage? I hope so...) so the ruletable should clear out. I hope you have the latest version of the code, I did a couple of small commits after the first one...

> What about the invalid state messages i recieve .. Is it something I
> should trace or is it simply not handle 100% yet?

invalid state msgs should be those for udp perhaps... maybe I should make the thing a bit less verbose.
cheers
luigi

From owner-freebsd-ipfw Tue Feb 22 12:57:27 2000
From: Archie Cobbs
Message-Id: <200002222057.MAA30634@bubba.whistle.com>
Subject: Re: ipfw and the GRE protocol
In-Reply-To: from Jeff Lush at "Feb 12, 2000 10:54:17 am"
To: jeff@nerdpower.com (Jeff Lush)
Date: Tue, 22 Feb 2000 12:57:16 -0800 (PST)
Cc: freebsd-ipfw@FreeBSD.ORG

Jeff Lush writes:
> I'm trying to setup VPN to an NT machine going through ipfw/natd. All
> documentation says to open the GRE protocol on the firewall; however, I
> can't find any documentation on how to enable the GRE protocol on all ports.
> I would appreciate some advice.

Did you try this?

    ipfw add 100 allow gre from any to any

-Archie

Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com

From owner-freebsd-ipfw Wed Feb 23 7:14: 1 2000
From: Andre Chang
Message-ID: <6C191944837ED311863A00104BC7598F77C2@s.arkaine.com>
To: "'Archie Cobbs'", jeff@nerdpower.com
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: ipfw and the GRE protocol
Date: Wed, 23 Feb 2000 10:15:32 -0500

Hi,

Was there any resolution to this issue? I was following the thread and set up a similar test environment using ipfw/natd using rules:

    $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
    $fwcmd add pass log gre from any to any

(where 192.168.10.10 is the internal NT machine)

It seems that there is initial connectivity but when the client starts passing the gre packets, the ipfw/natd machine accepts and logs them but doesn't pass them to the internal NT machine. The client times out with the error "The computer you are dialing doesn't respond to a network request.." and the server logs an "authentication timeout".

I've tried a static natd ip address with the same results. I'm thinking that if the FreeBSD machine is set up with bridge/ipfw instead of ipfw/natd the gre packets would reach their final destination?
maybe this is a better firewalling configuration? .. Maybe I'm getting ahead of myself.

Any info greatly appreciated. Thanks.

-- Andre.

From owner-freebsd-ipfw Wed Feb 23 10:33:40 2000
From: Archie Cobbs
Message-Id: <200002231832.KAA87950@bubba.whistle.com>
Subject: Re: ipfw and the GRE protocol
In-Reply-To: <6C191944837ED311863A00104BC7598F77C2@s.arkaine.com> from Andre Chang at "Feb 23, 2000 10:15:32 am"
To: andre@arkaine.com (Andre Chang)
Date: Wed, 23 Feb 2000 10:32:59 -0800 (PST)
Cc: jeff@nerdpower.com, freebsd-ipfw@FreeBSD.ORG
Andre Chang writes:
> Was there any resolution to this issue? I was following the thread and setup
> a similar test enviroment using ipfw/natd using rules:
>
> $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
> $fwcmd add pass log gre from any to any

PPTP does not pass cleanly through address translation without specific support -- it's very analogous to the way active mode FTP works.

Erik Salander is actually working on adding this support to libalias right now at Whistle but it won't be finished for a while.

-Archie

From owner-freebsd-ipfw Wed Feb 23 10:39: 1 2000
From: Paul Orr
Message-Id: <200002231839.KAA01964@jetsam.com>
Subject: two ethernet connections...tell a packet to go back the way it came..
To: freebsd-ipfw@freebsd.org
Date: Wed, 23 Feb 2000 10:39:19 -0800 (PST)

One machine.
Two ethernets.
An ISP on each ethernet connection.
A packet comes in through interface #1.
Need to tell the reply to go back through interface #1.
Same situation for interface #2.
Does anything exist for this kinda setup?
Thanks
Paul Orr

From owner-freebsd-ipfw Wed Feb 23 11: 9:27 2000
From: "Jeff Lush"
To: "Andre Chang", "'Archie Cobbs'"
Subject: RE: ipfw and the GRE protocol
Date: Wed, 23 Feb 2000 12:08:29 -0700
In-Reply-To: <6C191944837ED311863A00104BC7598F77C2@s.arkaine.com>

Andre,

I am having the same problems with natd/ipfw. NT accepts the connection on 1723, then the client stops on error 650. I have tried everything I can think of, but here is a thought:

I have natd set up to read natd.conf. In natd.conf I have:

--
redirect_port tcp 192.168.10.14:1723 199.185.130.34:1723 # Allows for initial connection to VPN
--

Then I add "-pptpalias 192.168.10.14" to the natd startup in rc.network. When I boot it, I get no screen info that says pptpalias is functioning.

My thinking was this was my problem (pptpalias not working), but now that I see you're having the same problem, I am changing my mind.

Any ideas or comments are always appreciated.

-Jeff
From owner-freebsd-ipfw Wed Feb 23 11: 9:29 2000
From: "Jeff Lush"
To: "Archie Cobbs", "Andre Chang"
Subject: RE: ipfw and the GRE protocol
Date: Wed, 23 Feb 2000 12:08:30 -0700
In-Reply-To: <200002231832.KAA87950@bubba.whistle.com>

Archie Cobbs writes:
> Andre Chang writes:
> > Was there any resolution to this issue? I was following the
> > thread and setup a similar test enviroment using ipfw/natd using rules:
> >
> > $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
> > $fwcmd add pass log gre from any to any
>
> PPTP does not pass cleanly through address translation without
> specific support -- it's very analogous to the way active mode FTP
> works.

I would assume this is where "-pptpalias local ip" comes into play with natd?

> Erik Salander is actually working on adding this support to libalias
> right now at Whistle but it won't be finished for a while.
Has anyone ever had natd/ipfw passing clunky old M$ VPN packets back and forth?

Thanks for the help!

> -Archie

- Jeff

From owner-freebsd-ipfw Wed Feb 23 11:31:42 2000
Message-Id: <200002231934.LAA24642@relay.ultimanet.com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: two ethernet connections...tell a packet to go back the way it came..
In-Reply-To: Your message of "Wed, 23 Feb 2000 10:39:19 PST." <200002231839.KAA01964@jetsam.com>
Date: Wed, 23 Feb 2000 11:33:48 -0800
From: Randy Primeaux

Paul,

What is your goal? That scenario sounds very static; routed(8) should do. You might consider gated with WAN protocols, such as BGP-4, for additional flexibility.

    /usr/ports/net/gated

How is ethernet connectivity delivered to the machine? Two routers?

Paul Orr writes:
> One machine.
> Two ethernets.
> An ISP on each ethernet connection.
> A packet comes in through interface #1.
> Need to tell the reply to go back through interface #1.
> Same situation for interface #2.
> Does anything exist for this kinda setup?
--
Randy Primeaux
randy@cloudfactory.org  http://cloudfactory.org/~randy/
tranze@hyperreal.org    http://hyperreal.org/~tranze/

From owner-freebsd-ipfw Wed Feb 23 11:32:15 2000
From: Archie Cobbs
Message-Id: <200002231931.LAA94884@bubba.whistle.com>
Subject: Re: ipfw and the GRE protocol
In-Reply-To: from Jeff Lush at "Feb 23, 2000 12:08:30 pm"
To: jeff@nerdpower.com (Jeff Lush)
Date: Wed, 23 Feb 2000 11:31:32 -0800 (PST)
Cc: andre@arkaine.com, freebsd-ipfw@FreeBSD.ORG

Jeff Lush writes:
> > > a similar test enviroment using ipfw/natd using rules:
> > >
> > > $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
> > > $fwcmd add pass log gre from any to any
> >
> > PPTP does not pass cleanly through address translation without
> > specific support -- it's very analogous to the way active mode FTP
> > works.
>
> I would assume this is where "-pptpalias local ip" comes into play with
> natd?

Yes, that should work -- but only for that one internal IP address.

-Archie
From owner-freebsd-ipfw Wed Feb 23 15:30:32 2000
Message-ID: <001901bf7e32$3b667c20$43110d0a@etci.com>
From: "Chad K. Bisk"
References: <200002231832.KAA87950@bubba.whistle.com>
Subject: Re: ipfw and the GRE protocol
Date: Wed, 23 Feb 2000 14:13:59 -0500

> Andre Chang writes:
> > Was there any resolution to this issue? I was following the thread and setup
> > a similar test enviroment using ipfw/natd using rules:
> >
> > $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
> > $fwcmd add pass log gre from any to any
>
> PPTP does not pass cleanly through address translation without
> specific support -- it's very analogous to the way active mode FTP
> works.
>
> Erik Salander is actually working on adding this support to libalias
> right now at Whistle but it won't be finished for a while.
>
> -Archie

I thought that was what natd -pptpalias a.b.c.d was for. Although truth be told I've never been able to get a PPTP client to connect through natd to a PPTP server behind ipfw.
--
Chad

From owner-freebsd-ipfw Wed Feb 23 16:25:48 2000
From: "Ryan Reedy"
To: "'Chad K. Bisk'"
Subject: RE: ipfw and the GRE protocol
Date: Wed, 23 Feb 2000 17:25:55 -0700
Message-ID: <000101bf7e5d$b78b6f10$0c00a8c0@pulsar.rreedy.com>
In-Reply-To: <001901bf7e32$3b667c20$43110d0a@etci.com>

I have successfully set up a pptp server behind ipfw/natd by doing the following (on 3.2)

For NATD: use the

    -pptpalias a.b.c.d -redirect_port a.b.c.d:1723 1723

(this will only work for one machine on the internal network as far as I can tell)

For IPFW:

    $fwcmd add pass tcp from any to a.b.c.d 1723 setup
    $fwcmd add pass tcp from any to any established
    $fwcmd add pass gre from any to any

a.b.c.d is the internal ip address (and the divert rule is at the top of the list). gre is protocol 47, I think someone was missing this in the protocols file earlier.

I've never tried to set this up on any other version which may be causing other issues.
Also, sometimes the client has to dial, get refused and then dial again to get connected, but I haven't taken the time to see if this is an NT or firewall issue.

Hope this helps!

-Ryan

From owner-freebsd-ipfw Fri Feb 25 9:35:37 2000
Message-Id: <200002251834.OAA26064@alpha.cnc.una.py>
From: jsegovia@cnc.una.py
To: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 25 Feb 2000 14:35:29 -0400
Subject: keep-state and fwd

I'd like
to know if anyone is using ipfw with keep-state and fwd (forwarding). I'm having trouble getting it to work. For example, if I have the following: ipfw add 10 check-state ipfw add 20 deny tcp from any to any established ipfw add 30 fwd 127.0.0.1,2525 tcp from _my_net_ to any 25 setup \ keep-state ipfw add 40 allow tcp from _my_net_ to any setup keep-state ipfw add 50 deny tcp from any to any And then $ telnet 127.0.0.1 25 I get an instant panic (double fault) If I telnet to another machine $ telnet some_other_machine 25 the connection is never established but an error is also never returned. If keep-state is not used (that is, fwd without keep-state) everything works fine but unfortunately I need ipfw to be stateful. I'm using -current and cvsup'd yesterday. Any help greatly appreciated. Juan -- Centro Nacional de Computacion Universidad Nacional de Asuncion Tel. +595 (21) 585 550 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Feb 25 9:58:30 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id 593C337B8CD for ; Fri, 25 Feb 2000 09:58:19 -0800 (PST) (envelope-from luigi@info.iet.unipi.it) Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id SAA13170; Fri, 25 Feb 2000 18:56:46 +0100 (CET) (envelope-from luigi) From: Luigi Rizzo Message-Id: <200002251756.SAA13170@info.iet.unipi.it> Subject: Re: keep-state and fwd In-Reply-To: <200002251834.OAA26064@alpha.cnc.una.py> from "jsegovia@cnc.una.py" at "Feb 25, 2000 02:35:29 pm" To: jsegovia@cnc.una.py Date: Fri, 25 Feb 2000 18:56:46 +0100 (CET) Cc: freebsd-ipfw@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL61 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > I'd like to know if anyone is using 
> ipfw with keep-state
> and fwd (forwarding). I'm having trouble getting it
> to work.

Will look at it. Can you compile a kernel with "options DDB" and show
a trace when it fails?

cheers
luigi

> For example, if I have the following:
>
> ipfw add 10 check-state
> ipfw add 20 deny tcp from any to any established
> ipfw add 30 fwd 127.0.0.1,2525 tcp from _my_net_ to any 25 setup \
> keep-state
> ipfw add 40 allow tcp from _my_net_ to any setup keep-state
> ipfw add 50 deny tcp from any to any
>
> And then
> $ telnet 127.0.0.1 25
>
> I get an instant panic (double fault)
>
> If I telnet to another machine
> $ telnet some_other_machine 25
>
> the connection is never established but an error is also
> never returned.
>
> If keep-state is not used (that is, fwd without keep-state)
> everything works fine but unfortunately I need ipfw to be
> stateful.
>
> I'm using -current and cvsup'd yesterday.
>
> Any help greatly appreciated.
>
> Juan
> --
> Centro Nacional de Computacion
> Universidad Nacional de Asuncion
> Tel. +595 (21) 585 550

From owner-freebsd-ipfw Sat Feb 26 1:51:40 2000
From: Luigi Rizzo
Message-Id: <200002260950.KAA17547@info.iet.unipi.it>
Subject: Re: keep-state and fwd
In-Reply-To: <200002251834.OAA26064@alpha.cnc.una.py> from "jsegovia@cnc.una.py" at "Feb 25, 2000 02:35:29 pm"
To: jsegovia@cnc.una.py
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Sat, 26 Feb 2000 10:50:49 +0100 (CET)

Hi,

I am trying to figure out what is happening here. I think I am kind of
close to understanding.

The basic problem is that dynamic rules are bidirectional whereas 'fwd'
rules are unidirectional. So if you write your code without keep-state
you have something like

    20 fwd ... tcp from ... to any 25
    30 allow tcp from any to any

and the return packets match rule 30.

With keep-state, and the way you write your rules, you have packets in
both directions match the 'fwd' rule, apparently resulting in an
infinite loop.

I am looking at a fix to make dynamic rules understand 'forward'
(basically do the address rewrite in one direction, and behave as a
'pass' rule in the other one). I hope to fix this for the release of
-current.
cheers
luigi
-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
 Mobile   +39-347-0373137
-----------------------------------+-------------------------------------

From owner-freebsd-ipfw Sat Feb 26 11:33:16 2000
From: "Chad K. Bisk"
References: <000101bf7e5d$b78b6f10$0c00a8c0@pulsar.rreedy.com>
Subject: Re: ipfw and the GRE protocol
Date: Sat, 26 Feb 2000 14:32:53 -0500
Message-ID: <002701bf8090$4934b460$43110d0a@chade>

It works! Thanks. Although I had to change my rc.conf entry to

    natd_flags="-redirect_port tcp 10.13.17.73:pptp pptp -pptpalias 10.13.17.73"

for some reason (3.4 release) or natd would stop working. I look forward
to Erik Salander's more general libalias solution.

Since this problem was so easy for you all, here's a more interesting
(though less troublesome) one: How does rule 65535 ever get packets?

    freebsd# ipfw list
    00100 divert 8668 ip from any to any via ed1
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 10.0.0.0/8 to any in recv ed1
    00400 deny ip from 111.222.33.0/24 to any in recv fxp0
    00500 deny ip from 192.168.0.0/16 to any via ed1
    00600 deny ip from any to 192.168.0.0/16 via ed1
    00700 deny ip from 172.16.0.0/12 to any via ed1
    00800 deny ip from any to 172.16.0.0/12 via ed1
    00900 allow tcp from any to any established
    01000 allow tcp from any to 111.222.33.44 25 setup
    01100 allow tcp from any to 111.222.33.44 53 setup
    01200 allow tcp from any to 111.222.33.44 80 setup
    01300 allow tcp from any to any setup
    01400 allow udp from any 53 to 111.222.33.44
    01500 allow udp from 111.222.33.44 to any 53
    01600 allow udp from any 123 to 111.222.33.44
    01700 allow udp from 111.222.33.44 to any 123
    65000 allow ip from any to any
    65535 deny ip from any to any

    freebsd# ipfw show
    00100 538708 242885311 divert 8668 ip from any to any via ed1
    00100     12       832 allow ip from any to any via lo0
    00200      0         0 deny ip from any to 127.0.0.0/8
    00300    912    110044 deny ip from 10.0.0.0/8 to any in recv ed1
    00400      0         0 deny ip from 111.222.33.0/24 to any in recv fxp0
    00500      0         0 deny ip from 192.168.0.0/16 to any via ed1
    00600      0         0 deny ip from any to 192.168.0.0/16 via ed1
    00700      0         0 deny ip from 172.16.0.0/12 to any via ed1
    00800      0         0 deny ip from any to 172.16.0.0/12 via ed1
    00900 935726 468654385 allow tcp from any to any established
    01000     18       792 allow tcp from any to 111.222.33.44 25 setup
    01100      2        80 allow tcp from any to 111.222.33.44 53 setup
    01200      3       124 allow tcp from any to 111.222.33.44 80 setup
    01300  23818   1088084 allow tcp from any to any setup
    01400    204     43821 allow udp from any 53 to 111.222.33.44
    01500   3190    197690 allow udp from 111.222.33.44 to any 53
    01600   3113    236588 allow udp from any 123 to 111.222.33.44
    01700   3153    239628 allow udp from 111.222.33.44 to any 123
    65000  66466   9761689 allow ip from any to any
    65535      4       463 deny ip from any to any

It gets 2 during startup and 2 later fairly consistently.

-- Chad

----- Original Message -----
From: "Ryan Reedy"
To: "'Chad K. Bisk'" ;
Sent: Wednesday, February 23, 2000 7:25 PM
Subject: RE: ipfw and the GRE protocol

> I have successfully set up a pptp server behind ipfw/natd by
> doing the following (on 3.2)
>
> For NATD: use the -pptpalias a.b.c.d -redirect_port a.b.c.d:1723 1723
> (this will only work for one machine on the internal network as far
> as I can tell)
>
> For IPFW:
> $fwcmd add pass tcp from any to a.b.c.d 1723 setup
> $fwcmd add pass tcp from any to any established
> $fwcmd add pass gre from any to any
>
> a.b.c.d is the internal ip address (and the divert rule is at the
> top of the list). gre is protocol 47, I think someone was missing
> this in the protocols file earlier. I've never tried to set this
> up on any other version which may be causing other issues. Also,
> sometimes the client has to dial, get refused and then dial again
> to get connected, but I haven't taken the time to see if this is a
> NT or firewall issue.
> Hope this helps!
>
> -Ryan
>
> > Andre Chang writes:
> > > Was there any resolution to this issue? I was following the thread and set up
> > > a similar test environment using ipfw/natd using rules:
> > >
> > > $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
> > > $fwcmd add pass log gre from any to any
> >
> > PPTP does not pass cleanly through address translation without
> > specific support -- it's very analogous to the way active mode FTP
> > works.
> >
> > Erik Salander is actually working on adding this support to libalias
> > right now at Whistle but it won't be finished for a while.
> >
> > -Archie
>
> I thought that was what natd -pptpalias a.b.c.d was for. Although truth be
> told I've never been able to get a PPTP client to connect through natd to a
> PPTP server behind ipfw.
>
> -- Chad

From owner-freebsd-ipfw Sat Feb 26 21:49:17 2000
Message-ID: <38B8BAC5.9927A56E@acm.org>
Date: Sun, 27 Feb 2000 00:48:53 -0500
From: Jim Bloom
To: freebsd-current@freebsd.org, freebsd-ipfw@freebsd.org
Subject: cpp change breaks ipfw

I have been using cpp on my firewall to expand my local firewall rules and
fill in the local address and subnet mask. This makes things easier when my
ISP decides to change my IP address using DHCP. My firewall is running an
approximately one year old version of current and I'm trying to upgrade it
to a recent version.

I am running ipfw as "ipfw -p /usr/bin/cpp -Daddr=value1 -Dmask=value2 file".
My firewall rules have been using constructs similar to the following if put
in a file.

    #define addr 192.168.2.5
    #define mask 255.255.254.0
    add pass tcp from addr:mask to any 25 setup

On the old version of current this expands to

    add pass tcp from 192.168.2.5:255.255.254.0 to any 25 setup

but on a new version of current this expands to

    add pass tcp from 192.168.2.5 : 255.255.254.0 to any 25 setup

Note the extra spaces around the colon. Unfortunately, this breaks ipfw,
which interprets the colon where it expects the "to".

There are several options here:

1) Fix cpp to not emit the extra spaces
2) Fix ipfw to handle addresses being multiple arguments
3) Document that cpp is not a valid preprocessor for ipfw on the manual page.

Option 1 seems like it might be a little difficult. Option 2 looks to be
reasonably simple to implement after reading the code. Option 3 is the
easiest, but I believe it is the wrong way to handle the problem.

I can submit patches for 2 or 3 reasonably quickly. I have no idea about
fixing cpp.

Jim Bloom
bloom@acm.org

From owner-freebsd-ipfw Sat Feb 26 23: 5:13 2000
From: "Andrew Reilly"
Date: Sun, 27 Feb 2000 18:05:05 +1100
To: Jim Bloom
Cc: freebsd-current@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: cpp change breaks ipfw
Message-ID: <20000227180504.A255@gurney.reilly.home>
References: <38B8BAC5.9927A56E@acm.org>
In-Reply-To: <38B8BAC5.9927A56E@acm.org>

On Sun, Feb 27, 2000 at 12:48:53AM -0500, Jim Bloom wrote:
> I have been using cpp on my firewall to expand my local firewall rules and fill
> in the local address and subnet mask. This makes things easier when my ISP decides to
> change my IP address using DHCP. My firewall is running an approximately one
> year old version of current and I'm trying to upgrade it to a recent version.

Probably not the answer you're looking for, but another approach to
consider: I worked around this problem by having the dhclient-exit-hooks
script edit the new address into /etc/hosts, and ipfw uses the symbolic
name for the rule. Works quite nicely, but then I don't have any rules
that rely on the DHCP-supplied netmask.

And here's a picture:

    # dhclient sets $new_ip_address (and the other $new_* variables)
    # before calling the exit hooks; do nothing if no lease was obtained.
    if [ x$new_ip_address != x ]; then
        # Drop the old gurney-* entries, then append the fresh ones.
        cp /etc/hosts /tmp/hosts-foo
        sed -e /gurney-/d /tmp/hosts-foo >/etc/hosts
        echo "$new_ip_address gurney-gw.reilly.home gurney-gw" >>/etc/hosts
        echo "$new_routers gurney-router.reilly.home gurney-router" >>/etc/hosts
        echo "$new_domain_name_servers gurney-ns.reilly.home gurney-ns" >>/etc/hosts
        rm /tmp/hosts-foo
    fi

I dare say that this would work less well if you were using a local DNS.

Maybe m4 (instead of cpp) is the right way to do it?

--
Andrew
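Jim's option 2 and Andrew's m4 suggestion both sidestep the fact that cpp is a C tokenizer and may re-emit "addr:mask" as "addr : mask". As an added example (not code from either poster or from FreeBSD), here is a plain POSIX sh preprocessor that does textual substitution with sed instead, using the placeholder spelling @addr@/@mask@ (a convention assumed here), and that refuses to emit rules in which a placeholder survived or the colon was split, so a bad expansion fails before ipfw ever sees it.

```shell
#!/bin/sh
# Added example, not from the thread: expand address placeholders in an
# ipfw rule template with sed rather than cpp.  sed never re-tokenises the
# text, so "@addr@:@mask@" becomes "192.168.2.5:255.255.254.0" and not
# "192.168.2.5 : 255.255.254.0", which ipfw cannot parse.

# expand_rules ADDR MASK < template
# Substitutes @addr@ and @mask@ (placeholder spelling chosen for this
# example) and returns non-zero, printing nothing on stdout, if a
# placeholder is left over or an address got split around its colon.
expand_rules() {
    addr=$1
    mask=$2
    if [ -z "$addr" ] || [ -z "$mask" ]; then
        printf 'usage: expand_rules ADDR MASK < template\n' >&2
        return 1
    fi
    # sed reads the template from the function's stdin
    out=$(sed -e "s|@addr@|$addr|g" -e "s|@mask@|$mask|g") || return 1
    case $out in
        *@addr@*|*@mask@*)
            printf 'expand_rules: unexpanded placeholder in rules\n' >&2
            return 1 ;;
        *" : "*)
            # the exact breakage the thread describes
            printf 'expand_rules: address split around colon\n' >&2
            return 1 ;;
    esac
    printf '%s\n' "$out"
}

# Sample template, constructed for this example: the rule from the thread
# plus an inbound counterpart that uses only the address.
sample_template() {
    printf '%s\n' \
        'add pass tcp from @addr@:@mask@ to any 25 setup' \
        'add pass tcp from any to @addr@ 22 setup'
}

# Typical use, e.g. from a dhclient exit hook once the lease is known:
#   sample_template | expand_rules "$new_ip_address" "$new_subnet_mask" \
#       | ipfw -q /dev/stdin
```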