From owner-freebsd-security@FreeBSD.ORG Mon May 12 13:04:45 2003
From: Michael Collette
To: FreeBSD Security
Date: Mon, 12 May 2003 13:04:24 -0700
User-Agent: KMail/1.5.1
Subject: Re: Down the MPD road
Message-Id: <200305121304.24979.metrol@metrol.net>
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 12 May 2003 20:04:45 -0000

On Saturday 10 May 2003 01:48 pm, Olivier Cherrier wrote:
> > > Here is where we descend into Windows-bashing. For some STUPID
> > > reason, when a Windows box connects to a VPN via PPTP, the Windows
> > > box's default route is adjusted to go through the VPN connection.
> > > This is fortunately fixable (Windows has a ROUTE command), but it
> > > requires your users to have half a clue:
> > >
> > > route delete 0.0.0.0
> > > route add 0.0.0.0 mask 0.0.0.0 gateway metric 1
> > > route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN
> > > tunnel] metric 1
> >
> > I cannot test this right now, so it is quite probable that you are
> > right, but couldn't this be controlled by the Properties >> Networking
> > >> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
> > >> Use default gateway on remote network?
>
> Yes, this checkbox allows to NOT route all the traffic to the
> VPN server. No need of 'route delete, route add ...' scripts.

I did this, and it does correct the immediate problem. Of course, it also
creates a new glitchy.

My mail server sits in the DMZ, which is of course on a different subnet
than the secure network. I'm bringing in those outside users directly into
the secure network, as they very definitely need resources from there.
Without being able to configure routing from the secure network, those
users can't route to the DMZ.

In that DMZ I have pop3 and ldap restricted to internal use only, while
SMTP is opened up wide. The problem compounds a bit when dealing with SMTP
securities which is presently configured to restrict relaying to only
those IPs that we own. So, the firewall prevents pop3 and ldap, while the
mail server itself restricts the relaying. Unless the user is able to
route to this server via the internal network this dog just don't hunt.

Is there perhaps some part of this I'm missing?

Thanks,
--
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too
dark to read."
- Groucho Marx
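Added example, not part of the message above or of the thread: a small model of the Windows host routing decision being discussed. It shows that with "Use default gateway on remote network" off, only the secure-network prefix is reached through the tunnel, so a DMZ host on a different subnet goes out the local default gateway (and so hits the firewall and relay restrictions from the outside) until a specific route for the DMZ prefix is added toward the tunnel's far end, in the shape of the `route add [InsideNetwork] mask [InsideMask] ...` line quoted in the thread. All addresses and metrics are constructed assumptions.

```python
import ipaddress

# Constructed, hypothetical addresses (not from the original message).
SECURE_NET = "10.1.0.0/24"    # secure network assigned through the PPTP tunnel
DMZ_NET = "10.2.0.0/24"       # mail server's DMZ, a different subnet
VPN_FAR_END = "10.1.0.1"      # far end of the VPN tunnel
LOCAL_GW = "192.168.0.1"      # the user's own ISP/home default gateway


def build_routes(use_remote_default_gw, dmz_route=False):
    """Return (prefix, gateway, metric) entries for a client's routing table.

    use_remote_default_gw=True models the Windows checkbox being on: a second
    default route with a lower (better) metric is installed via the tunnel.
    dmz_route=True models the explicit 'route add [DMZ] mask ... [far end]'.
    """
    routes = [("0.0.0.0/0", LOCAL_GW, 20)]
    if use_remote_default_gw:
        routes.append(("0.0.0.0/0", VPN_FAR_END, 1))
    routes.append((SECURE_NET, VPN_FAR_END, 1))
    if dmz_route:
        routes.append((DMZ_NET, VPN_FAR_END, 1))
    return routes


def lookup(routes, dst):
    """Pick the next hop like a host does: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gateway)
    return best[1] if best else None


def route_add_command(prefix, gateway=VPN_FAR_END, metric=1):
    """Render the Windows ROUTE line (quoted in the thread) for one prefix."""
    net = ipaddress.ip_network(prefix)
    return f"route add {net.network_address} mask {net.netmask} {gateway} metric {metric}"


if __name__ == "__main__":
    for checkbox, dmz in ((True, False), (False, False), (False, True)):
        table = build_routes(checkbox, dmz)
        print(f"remote default gw={checkbox} dmz route={dmz}:",
              "secure ->", lookup(table, "10.1.0.50"),
              "dmz ->", lookup(table, "10.2.0.25"),
              "internet ->", lookup(table, "198.51.100.7"))
    print(route_add_command(DMZ_NET))
```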