From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 15 07:29:15 2003
Message-ID: <4353ECE13C553F46B95EA6A1EFC82BEF01C3EA20@msmail.unitedway.org>
From: "Dang.Johnny"
To: "'Belov V.'", freebsd-ipfw@freebsd.org
Date: Tue, 15 Apr 2003 10:29:02 -0400
Subject: RE: allow vpn clients to connect to internal vpn server
List-Id: IPFW Technical Discussions

You will also need the gre protocol. Also on the WAN side you will need to allow both in and out of tcp 1723 and gre.

I hope this helps.

JD

-----Original Message-----
From: Belov V. [mailto:vit@volia.com]
Sent: Tuesday, April 15, 2003 8:54 AM
To: freebsd-ipfw@freebsd.org
Subject: allow vpn clients to connect to internal vpn server

Hi

My private net is 192.168.0.0/24 and has a Win VPN server in it. Natd has the redirection:

redirect_port tcp 192.168.0.1:1723 1723

What should be added to allow external vpn clients to connect to my internal vpn server?

My current BSD router has the following ipfw rules:

add allow ip from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny all from 127.0.0.0/8 to any
add deny all from 192.168.0.0/24 to any in recv de0
add deny all from any to 10.0.0.0/8 via de0
add deny all from any to 172.16.0.0/12 via de0
add deny all from any to 192.168.0.0/16 via de0
add deny all from any to 0.0.0.0/8 via de0
add deny all from any to 169.254.0.0/16 via de0
add deny all from any to 192.0.2.0/24 via de0
add deny all from any to 224.0.0.0/4 via de0
add deny all from any to 240.0.0.0/4 via de0
add deny tcp from any to any 137-139 via de0
add deny tcp from any to any 137-139 via de0
add fwd 192.168.0.10,3128 tcp from 192.168.0.0/24 to any 80
add divert 8668 all from any to any via de0
add pass tcp from any to any established
add pass ip from any to any frag
add pass tcp from any to ip_of_external_interface 25 setup
add pass tcp from any to any 1723 setup
add pass tcp from any to any 4899 setup
add pass tcp from any to ip_of_external_interface 53 setup
add pass udp from any to ip_of_external_interface 53
add pass udp from ip_of_external_interface 53 to any
add deny log tcp from any to any in via de0 setup
add pass tcp from any to any setup
add pass udp from any to any 53 keep-state

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
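JD's answer (pass tcp/1723 and GRE in both directions on the WAN side) can be checked against the posted ruleset before anything is changed on the live router. What follows is an added example, not code from the thread or from FreeBSD: a small Python walker for the subset of ipfw syntax the posted rules use. It assumes 203.0.113.1 stands in for ip_of_external_interface, that the kernel's default rule 65535 denies (a default build), and it does not model natd's address rewriting; the client address 198.51.100.7, the packets and every function name are constructed for the example.

```python
# Added example (not from the thread): a toy walker for the ipfw subset used in
# the posted ruleset, replaying constructed packets rule by rule. natd is not
# modelled: a matching divert rule falls through to the next rule, which is
# where ipfw resumes once natd reinjects the packet.
import ipaddress

EXT_IP = "203.0.113.1"  # constructed stand-in for ip_of_external_interface

RULESET = """\
add allow ip from any to any via lo0
add deny all from any to 127.0.0.0/8
add deny all from 127.0.0.0/8 to any
add deny all from 192.168.0.0/24 to any in recv de0
add deny all from any to 10.0.0.0/8 via de0
add deny all from any to 172.16.0.0/12 via de0
add deny all from any to 192.168.0.0/16 via de0
add deny all from any to 0.0.0.0/8 via de0
add deny all from any to 169.254.0.0/16 via de0
add deny all from any to 192.0.2.0/24 via de0
add deny all from any to 224.0.0.0/4 via de0
add deny all from any to 240.0.0.0/4 via de0
add deny tcp from any to any 137-139 via de0
add deny tcp from any to any 137-139 via de0
add fwd 192.168.0.10,3128 tcp from 192.168.0.0/24 to any 80
add divert 8668 all from any to any via de0
add pass tcp from any to any established
add pass ip from any to any frag
add pass tcp from any to ip_of_external_interface 25 setup
add pass tcp from any to any 1723 setup
add pass tcp from any to any 4899 setup
add pass tcp from any to ip_of_external_interface 53 setup
add pass udp from any to ip_of_external_interface 53
add pass udp from ip_of_external_interface 53 to any
add deny log tcp from any to any in via de0 setup
add pass tcp from any to any setup
add pass udp from any to any 53 keep-state
""".replace("ip_of_external_interface", EXT_IP)

KEYWORDS = {"in", "out", "via", "recv", "setup", "established", "frag", "keep-state"}

def parse_rule(text):
    t = text.split()[1:]                                   # drop the leading "add"
    r = {"text": text, "action": t[0], "opts": {}, "sports": None, "dports": None}
    i = 2 if r["action"] in ("fwd", "divert") else 1       # fwd/divert carry a target
    if t[i] == "log":
        i += 1
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3        # "<proto> from <src>"
    if t[i] != "to":
        r["sports"], i = t[i], i + 1
    r["dst"], i = t[i + 1], i + 2                          # "to <dst>"
    if i < len(t) and t[i] not in KEYWORDS:
        r["dports"], i = t[i], i + 1
    while i < len(t):                                      # trailing options
        if t[i] in ("in", "out"):
            r["opts"]["dir"] = t[i]
        elif t[i] in ("via", "recv"):
            r["opts"][t[i]], i = t[i + 1], i + 1
        else:                                              # setup/established/frag/keep-state
            r["opts"][t[i]] = True
        i += 1
    return r

def parse_ruleset(text):
    return [parse_rule(line) for line in text.strip().splitlines()]

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):                                  # spec is None, "53" or "137-139"
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")
    return port is not None and int(lo) <= port <= int(hi or lo)

def matches(r, p):
    o = r["opts"]
    ok = ((r["proto"] in ("ip", "all") or r["proto"] == p["proto"])
          and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
          and _port_ok(r["sports"], p.get("sport")) and _port_ok(r["dports"], p.get("dport"))
          and o.get("dir", p["dir"]) == p["dir"] and o.get("via", p["iface"]) == p["iface"]
          and ("recv" not in o or (p["dir"] == "in" and o["recv"] == p["iface"])))
    # setup: SYN without ACK; established: ACK or RST set; frag: non-first fragment
    return ok and all(p.get(f) for f in ("setup", "established", "frag") if f in o)

def evaluate(rules, p, default="deny"):
    """Verdict and text of the first terminating match; unmatched packets hit rule 65535."""
    for r in rules:
        if not matches(r, p) or r["action"] == "divert":
            continue
        return ("deny" if r["action"] in ("deny", "drop") else "allow"), r["text"]
    return default, "default rule 65535"

def with_pptp_passthrough(text):
    """The reply's fix: tcp/1723 and GRE both ways on de0, after divert and before the deny log."""
    lines = text.strip().splitlines()
    i = next(n for n, line in enumerate(lines) if line.startswith("add deny log"))
    return "\n".join(lines[:i] + ["add pass tcp from any to any 1723 via de0",
                                  "add pass gre from any to any via de0"] + lines[i:])

# Constructed packets: external PPTP client 198.51.100.7 reaching the server via de0.
PPTP_SYN = dict(proto="tcp", src="198.51.100.7", dst=EXT_IP, sport=40000, dport=1723,
                dir="in", iface="de0", setup=True)
GRE_IN = dict(proto="gre", src="198.51.100.7", dst=EXT_IP, dir="in", iface="de0")
GRE_OUT = dict(proto="gre", src="192.168.0.1", dst="198.51.100.7", dir="out", iface="de0")
```

Calling evaluate(parse_ruleset(RULESET), pkt) for the three packets shows why the thread's symptom occurs: the inbound PPTP SYN is already accepted by "pass tcp from any to any 1723 setup", but GRE in either direction matches no tcp/udp rule and falls to the default rule, so the tunnel never comes up. With with_pptp_passthrough(RULESET) the GRE packets are accepted by the new "pass gre" rule. The placement matters: ipfw stops at the first accept, so a GRE pass rule placed above "divert 8668" would never hand the packet to natd for the redirect to 192.168.0.1.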