From: "Dennis Pedersen"
To: "Archie Cobbs"
Cc: freebsd-net@freebsd.org
Subject: Re: mpd & ipfw (keep denying port 1900/udp?!)
Date: Fri, 26 Jul 2002 09:41:21 +0200

----- Original Message -----
From: "Archie Cobbs"
To: "Dennis Pedersen"
Sent: Friday, July 26, 2002 5:02 AM
Subject: Re: mpd & ipfw (keep denying port 1900/udp?!)

> Dennis Pedersen writes:
> > simply can get through unless I flush my firewall rules.
> > In the ipfw log I have the following entry (192.168.2.43 is the workstation
> > on the inside of the fw I'm trying from and 2.88 is the internal interface
> > in the fw)
> >
> > Jul 25 13:22:32 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
> > Jul 25 13:22:57 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
> > Jul 25 13:23:22 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
> >
> > I don't get it, where does the UDP packet enter the picture? In the fw
> > rules I have allow gre from any to any and pptp from any to any (I have one
> > rule that allows the pptp port as src and one as dst).
> > What am I missing here about the udp port?
> > Is it always the same port? (Then I can simply just allow 1900/udp, but if
> > it changes all the time that won't help me much..)
>
> PPTP doesn't use UDP, so I have no idea what the UDP is from.
> PPTP only uses TCP port 1723 and IP protocol #47 (GRE).

Hmm... Okay, I have allowed GRE and TCP/1723 (and with ipfw sh I can see the
number of packets that have passed the rule is increasing); the wintendo box
gets to the user/passwd part and then it stops. On the mpd it seems like it
keeps trying to send the config:

[pptp] LCP: SendConfigReq #84
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 4e2e7d78
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 04 76 12 42 d8
[pptp] LCP: SendConfigReq #85
  ACFCOMP
  PROTOCOMP
  MRU 1500
  MAGICNUM 4e2e7d78
  AUTHPROTO CHAP MSOFTv2
  MP MRRU 1600
  MP SHORTSEQ
  ENDPOINTDISC [802.1] 00 04 76 12 42 d8

I can't seem to find anything wrong with my ipfw rules.
For testing I have added:

tcp from any to any 1723 keep-state
tcp from any 1723 to any keep-state
gre from any to any

I can see the packets on 1723 are getting allowed (2.23 is the box I am
trying from and 213.237.14.128 is the box I'm trying to connect to.):

00362 19 1852 (T 0, # 84) ty 0 tcp, 192.168.2.43 1348 <-> 213.237.14.128 1723
00362 19 1852 (T 0, # 86) ty 0 tcp, 192.168.2.43 1350 <-> 213.237.14.128 1723
00362 20 1892 (T 0, # 87) ty 0 tcp, 192.168.2.43 1351 <-> 213.237.14.128 1723

And the gre packets are getting allowed:

00851 128 7276 allow gre from 192.168.2.0/24 to 213.237.14.128
00854 72 5328 allow gre from 213.237.14.128 to
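The thread turns on telling the denied 1900/udp flow apart from the TCP/1723 and GRE traffic the PPTP rules cover. The following is an added example, not code from the mail or from mpd/ipfw: a small parser for ipfw log lines that counts denied flows which are not PPTP. The sample log is constructed from the three Deny lines quoted above plus two Accept lines in the same format; the "P:47" spelling of GRE in the Accept line is an assumption about how ipfw logs non-TCP/UDP protocols.

```python
import re
from collections import Counter

# Constructed sample log: the three Deny lines quoted in the mail, plus two
# Accept lines (TCP/1723 control and GRE, assumed to be logged as "P:47").
SAMPLE_LOG = """\
Jul 25 13:22:32 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
Jul 25 13:22:57 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
Jul 25 13:23:22 fw /kernel: ipfw: 900 Deny UDP 192.168.2.43:1067 192.168.2.88:1900 in via xl0
Jul 25 13:23:40 fw /kernel: ipfw: 362 Accept TCP 192.168.2.43:1348 213.237.14.128:1723 in via xl0
Jul 25 13:23:41 fw /kernel: ipfw: 851 Accept P:47 192.168.2.43 213.237.14.128 in via xl0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def split_endpoint(ep):
    """'host:port' -> (host, port); a bare 'host' (GRE etc.) -> (host, None)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)

def parse_line(line):
    """Return a dict of the fields of one ipfw log line, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["sport"] = split_endpoint(rec["src"])
    rec["dst"], rec["dport"] = split_endpoint(rec["dst"])
    return rec

def is_pptp(rec):
    """PPTP is TCP/1723 for control plus GRE (IP protocol 47) for the tunnel."""
    if rec["proto"] == "TCP" and 1723 in (rec["sport"], rec["dport"]):
        return True
    return rec["proto"] in ("GRE", "P:47")

def denied_non_pptp(log_text):
    """Count denied flows that are not PPTP, keyed by (proto, src, dst, dport)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and not is_pptp(rec):
            hits[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += 1
    return hits

if __name__ == "__main__":
    for flow, n in denied_non_pptp(SAMPLE_LOG).items():
        print(f"{n:3d}x denied, unrelated to PPTP: {flow}")
```

On the sample this reports only the 1900/udp flow, which confirms that it is a separate flow the 1723 and GRE rules never see and needs its own rule decision. As a general fact not stated in the thread, 1900/udp is the SSDP (UPnP discovery) port.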