Date: Fri, 26 Jul 2002 09:41:21 +0200
From: "Dennis Pedersen" <mlists@daydreamer.dk>
To: "Archie Cobbs" <archie@dellroad.org>
Cc: <freebsd-net@FreeBSD.ORG>
Subject: Re: mpd & ipfw (keep denying port 1900/udp?!)
Message-ID: <002201c23477$d5f9b6a0$0301a8c0@dpws>
References: <200207260302.g6Q32fm93617@arch20m.dellroad.org>
----- Original Message -----
From: "Archie Cobbs" <archie@dellroad.org>
To: "Dennis Pedersen" <mlists@daydreamer.dk>
Cc: <freebsd-net@FreeBSD.ORG>
Sent: Friday, July 26, 2002 5:02 AM
Subject: Re: mpd & ipfw (keep denying port 1900/udp?!)

> Dennis Pedersen writes:
> > simply can get through unless I flush my firewall rules.
> > In the ipfw log I have the following entry (192.168.2.43 is the workstation
> > on the inside of the fw I'm trying from and 2.88 is the internal interface
> > in the fw)
> > Jul 25 13:22:32 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
> > Jul 25 13:22:57 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
> > Jul 25 13:23:22 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
> >
> > I don't get it, where does the UDP packet enter the picture? In the fw
> > rules I have allow gre from any to any and pptp from any to any (I have one
> > rule that allows pptp port as src and one as dst).
> > What am I missing here about the udp port?
> > Is it always the same port? (Then I can simply just allow 1900/udp, but if
> > it changes all the time that won't help me much..)
>
> PPTP doesn't use UDP, so I have no idea what the UDP is from.
> PPTP only uses TCP port 1723 and IP protocol #47 (GRE).

Hmm... Okay, I have allowed GRE and TCP/1723 (and with ipfw sh I can see the number of packets that have passed the rule is increasing); the wintendo box gets to the user/passwd part and then it stops.

On the mpd it seems like it keeps trying to send the config:

[pptp] LCP: SendConfigReq #84 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 4e2e7d78 AUTHPROTO CHAP MSOFTv2 MP MRRU 1600 MP SHORTSEQ ENDPOINTDISC [802.1] 00 04 76 12 42 d8
[pptp] LCP: SendConfigReq #85 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 4e2e7d78 AUTHPROTO CHAP MSOFTv2 MP MRRU 1600 MP SHORTSEQ ENDPOINTDISC [802.1] 00 04 76 12 42 d8

I can't seem to find anything wrong with my ipfw rules.

For testing I have added:

tcp from any to any 1723 keep-state
tcp from any 1723 to any keep-state
gre from any to any

I can see the packets on 1723 are getting allowed (2.23 is the box I am trying from and 213.237.14.128 is the box I'm trying to connect to):

00362 19 1852 (T 0, # 84) ty 0 tcp, 192.168.2.43 1348 <-> 213.237.14.128 1723
00362 19 1852 (T 0, # 86) ty 0 tcp, 192.168.2.43 1350 <-> 213.237.14.128 1723
00362 20 1892 (T 0, # 87) ty 0 tcp, 192.168.2.43 1351 <-> 213.237.14.128 1723

And the gre packets are getting allowed:

00851 128 7276 allow gre from 192.168.2.0/24 to 213.237.14.128
00854 72 5328 allow gre from 213.237.14.128 to <public ip of the nat box in the firm that's running the 2.0/24 net>

What am I missing here? If I disable the fw totally everything works fine; I've done a tcpdump and can't seem to find anything I have overlooked.

Regards,
Dennis
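A small log-triage helper, added here as an example and not part of the thread or of mpd/ipfw: it parses ipfw "Deny" kernel log lines like the ones quoted above and splits them into flows a PPTP tunnel actually needs (the TCP/1723 control channel and GRE, IP protocol 47, as Archie points out) versus unrelated denies such as the UDP/1900 hits. The sample log lines are constructed for the example; the `P:47` form for port-less protocols and the rule numbers are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's log lines. ipfw logs protocols
# without ports (such as GRE) by number, here assumed as "P:47".
SAMPLE_LOG = """\
Jul 25 13:22:32 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
Jul 25 13:22:57 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
Jul 25 13:23:10 fw /kernel: ipfw: 900 Deny P:47 192.168.2.43 213.237.14.128 out via xl1
Jul 25 13:23:22 fw /kernel: ipfw: 900 Deny TCP 192.168.2.43:1351 213.237.14.128:1723 in via xl0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_ipfw_log(text):
    """Parse ipfw kernel log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["rule"] = int(d["rule"])
        d["sport"] = int(d["sport"]) if d["sport"] else None
        d["dport"] = int(d["dport"]) if d["dport"] else None
        entries.append(d)
    return entries

def is_pptp_related(e):
    """PPTP needs only TCP/1723 (control) and GRE (IP protocol 47, data)."""
    if e["proto"] in ("GRE", "P:47"):
        return True
    return e["proto"] == "TCP" and 1723 in (e["sport"], e["dport"])

def summarize_denies(text):
    """Count denied flows by (rule, proto, dport), split into PPTP-related and other."""
    pptp, other = Counter(), Counter()
    for e in parse_ipfw_log(text):
        if e["action"] != "Deny":
            continue
        key = (e["rule"], e["proto"], e["dport"])
        (pptp if is_pptp_related(e) else other)[key] += 1
    return pptp, other

if __name__ == "__main__":
    pptp, other = summarize_denies(SAMPLE_LOG)
    print("PPTP-related denies:", dict(pptp))
    print("Unrelated denies:", dict(other))
```

UDP/1900 is SSDP, the UPnP discovery protocol that Windows hosts send on their own, so those denies are noise with respect to the PPTP tunnel; the GRE and TCP/1723 bucket is the one to watch when a tunnel stalls after the control channel comes up.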