From: "MurrayTaylor"
To: "Jim Durham"
Cc: freebsd-questions@freebsd.org
Subject: MPD vpn and firewalls
Date: Wed, 25 Jul 2001 17:51:55 +1000

Jim,

You have mentioned previously that you are using MPD. I have established MPD myself, based on the sample configuration, and it seems to go OK, but I have a few questions. My network config works out as follows:
       (Frame Relay)          (Firewall)   (mpd)    (Firewall)
    <-------------->| sr0|ng0|<----|ipfw|----|ng1|----|ipfw|---> lan
       frame pkts              gre pkts              'real data'

As the data passes through the firewall twice (once as the GRE encapsulation, and once as the 'real' data), what rule systems do you use for the ng1 <=> lan part? I am currently using:

    00530 allow ip from x.y.z.70 to x.y.z.0/25 via ng1
    00535 allow udp from x.y.z.0/25 to x.y.z.70 via ng1
    00540 allow udp from x.y.z.70 137-139 to x.y.z.255 via ng1
    00545 allow icmp from any to any via ng1
    00546 allow igmp from any to any via ng1

However, I have 2 VPNs set up in my mpd config file, and the samples suggest that I could/should use the same remote address for both (x.y.z.70/32 in my case). I have different local addresses defined (x.y.z.65/32 for ng1 and x.y.z.66/32 for ng2).

If I copy the above ruleset for ng2, would this not cause problems, as the copied rules would point to x.y.z.70 on both ng1 and ng2?

What solution/ruleset would you (or any other takers) suggest?

cheers
Murray Taylor
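As an added illustration of the ng1/ng2 question above (this is example code, not part of Murray's post or of mpd's sample configuration), the script below generates the ng<->lan rule block once per interface. It assumes the addresses from the post (x.y.z.0/25 as the LAN, x.y.z.70 as the remote address shared by both links, x.y.z.255 as the LAN broadcast) and picks arbitrary rule-number bases for the two copies; the point it shows is that because every rule carries "via ngN", two rules with identical addresses but different interfaces never match each other's traffic, so the only thing the second copy must change is the interface name and the rule numbers.

```shell
#!/bin/sh
# Added example, not from the original post: emit ipfw rules for the
# ng<->lan leg of two mpd links that share one remote address.
# All addresses are the placeholders used in the post (assumed values).

LAN="x.y.z.0/25"      # assumed LAN block
REMOTE="x.y.z.70"     # assumed remote address, common to both links
BCAST="x.y.z.255"     # assumed LAN broadcast address

# mpd_lan_rules BASE IFACE
# Print the "ipfw add" commands for one ng interface, numbered from BASE.
# The "via IFACE" clause is part of the match, so the same from/to pair
# on ng1 and ng2 selects only the packets seen on that interface.
mpd_lan_rules() {
    base=$1
    ifc=$2
    printf 'ipfw add %d allow ip from %s to %s via %s\n' \
        "$base" "$REMOTE" "$LAN" "$ifc"
    printf 'ipfw add %d allow udp from %s to %s via %s\n' \
        "$((base + 5))" "$LAN" "$REMOTE" "$ifc"
    printf 'ipfw add %d allow udp from %s 137-139 to %s via %s\n' \
        "$((base + 10))" "$REMOTE" "$BCAST" "$ifc"
    printf 'ipfw add %d allow icmp from any to any via %s\n' \
        "$((base + 15))" "$ifc"
    printf 'ipfw add %d allow igmp from any to any via %s\n' \
        "$((base + 16))" "$ifc"
}

# Both link rulesets: same addresses, distinct interface and rule numbers
# (bases 530 and 560 are arbitrary choices for this example).
all_rules() {
    mpd_lan_rules 530 ng1
    mpd_lan_rules 560 ng2
}

# rule_numbers_unique: exit 0 if no rule number is reused across the set.
# ipfw accepts duplicate numbers, but "ipfw delete N" then removes every
# rule numbered N, which is the practical reason to keep them distinct.
rule_numbers_unique() {
    n_all=$(all_rules | awk '{print $3}' | wc -l)
    n_uniq=$(all_rules | awk '{print $3}' | sort -u | wc -l)
    [ "$n_all" -eq "$n_uniq" ]
}

all_rules
```

Usage: review the output, then pipe it to sh on the firewall host. Note that "via" matches a packet whether it is received or transmitted on the named interface; if you want the rule to apply in one direction only, ipfw's "recv" and "xmit" keywords pin it down.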