Date: Mon, 25 Jun 2001 15:25:28 -0400
From: "John Lord" <lord@4jon.com>
To: <freebsd-questions@freebsd.org>
Subject: can get mpd (ptpp) to work firewall
Message-ID: <9EB046F82A95DD4DAB74BF7FF4E48BA9778F@Server.studio.4jon.com>

OK, I got a FreeBSD 4.3 stable box running mpd from the ports collection, version 3.2. I have ipfilter running my firewall. Below is the mpd log as I try to connect; after that is a log from when I disable the firewall and it connects but gives me 63.238.170.52 for the IP, and I have no clue as to where it is getting it from. So first off I need to figure out what in my firewall settings is blocking the PPTP connections, and then why it won't give me an IP for inside my network. Anybody got a clue about any of this?

Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 378, version 3.2 (root@crispy.thewetlandsinc.com 21:55 20-Jun-2001)
[Pptp0] ppp node is "mpd378-Pptp0"
[Pptp0] using interface ng0
mpd: local IP address for PPTP is x.x.x.5
[Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:4926
pptp0: attached to connection with x.x.x.10:4926
[Pptp0] IFACE: Open event
[Pptp0] IPCP: Open event
[Pptp0] IPCP: state change Initial --> Starting
[Pptp0] IPCP: LayerStart
[Pptp0] IPCP: Open event
[Pptp0] bundle: OPEN event in state CLOSED
[Pptp0] opening link "Pptp0"...
[Pptp0] link: OPEN event
[Pptp0] LCP: Open event
[Pptp0] LCP: state change Initial --> Starting
[Pptp0] LCP: LayerStart
[Pptp0] device: OPEN event in state DOWN
[Pptp0] attaching to peer's outgoing call
[Pptp0] device is now in state OPENING
[Pptp0] device: UP event in state OPENING
[Pptp0] device is now in state UP
[Pptp0] link: UP event
[Pptp0] link: origination is remote
[Pptp0] LCP: Up event
[Pptp0] LCP: state change Starting --> Req-Sent
[Pptp0] LCP: phase shift DEAD --> ESTABLISH
[Pptp0] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
pptp0-0: ignoring SetLinkInfo
[Pptp0] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #3 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #4 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #5 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #6 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #7 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #8 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #9 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #10 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM e43e9586 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: state change Req-Sent --> Stopped
[Pptp0] LCP: LayerFinish
[Pptp0] LCP: parameter negotiation failed
[Pptp0] LCP: LayerFinish
[Pptp0] device: CLOSE event in state UP
pptp0-0: clearing call
pptp0-0: killing channel
[Pptp0] PPTP call terminated
[Pptp0] IFACE: Close event
[Pptp0] IPCP: Close event
[Pptp0] IPCP: state change Starting --> Initial
[Pptp0] IPCP: LayerFinish
[Pptp0] IFACE: Close event
pptp0: closing connection with x.x.x.10:4926
[Pptp0] IFACE: Close event
[Pptp0] device is now in state CLOSING
[Pptp0] bundle: CLOSE event in state OPENED
[Pptp0] closing link "Pptp0"...
[Pptp0] device: CLOSE event in state CLOSING
[Pptp0] device is now in state CLOSING
pptp0: invalid length 16 for type 4
pptp0: killing connection with x.x.x.10:4926
[Pptp0] link: CLOSE event
[Pptp0] LCP: Close event
[Pptp0] LCP: state change Stopped --> Closed
[Pptp0] device: DOWN event in state CLOSING
[Pptp0] device is now in state DOWN
[Pptp0] link: DOWN event
[Pptp0] LCP: Down event
[Pptp0] LCP: state change Closed --> Initial
[Pptp0] LCP: phase shift ESTABLISH --> DEAD
[Pptp0] device: DOWN event in state DOWN
[Pptp0] device is now in state DOWN
[Pptp0] link: DOWN event
[Pptp0] LCP: Down event

Log from when it connects with the firewall wide open:

Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 439, version 3.2 (root@crispy.thewetlandsinc.com 21:55 20-Jun-2001)
[Pptp0] ppp node is "mpd439-Pptp0"
[Pptp0] using interface ng0
mpd: local IP address for PPTP is x.x.x.5
[Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:1064
pptp0: attached to connection with x.x.x.10:1064
[Pptp0] IFACE: Open event
[Pptp0] IPCP: Open event
[Pptp0] IPCP: state change Initial --> Starting
[Pptp0] IPCP: LayerStart
[Pptp0] IPCP: Open event
[Pptp0] bundle: OPEN event in state CLOSED
[Pptp0] opening link "Pptp0"...
[Pptp0] link: OPEN event
[Pptp0] LCP: Open event
[Pptp0] LCP: state change Initial --> Starting
[Pptp0] LCP: LayerStart
[Pptp0] device: OPEN event in state DOWN
[Pptp0] attaching to peer's outgoing call
[Pptp0] device is now in state OPENING
[Pptp0] device: UP event in state OPENING
[Pptp0] device is now in state UP
[Pptp0] link: UP event
[Pptp0] link: origination is remote
[Pptp0] LCP: Up event
[Pptp0] LCP: state change Starting --> Req-Sent
[Pptp0] LCP: phase shift DEAD --> ESTABLISH
[Pptp0] LCP: SendConfigReq #1 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 14eff6b3 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: rec'd Configure Request #0 link 0 (Req-Sent) MAGICNUM 5fbf582c PROTOCOMP ACFCOMP CALLBACK Not supported MP MRRU 1614 ENDPOINTDISC [802.1] 00 10 4b 66 27 18
[Pptp0] LCP: SendConfigRej #0 CALLBACK MP MRRU 1614
[Pptp0] LCP: rec'd Configure Request #1 link 0 (Req-Sent) MAGICNUM 5fbf582c PROTOCOMP ACFCOMP ENDPOINTDISC [802.1] 00 10 4b 66 27 18
[Pptp0] LCP: SendConfigAck #1 MAGICNUM 5fbf582c PROTOCOMP ACFCOMP ENDPOINTDISC [802.1] 00 10 4b 66 27 18
[Pptp0] LCP: state change Req-Sent --> Ack-Sent
pptp0-0: ignoring SetLinkInfo
[Pptp0] LCP: SendConfigReq #2 ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 14eff6b3 AUTHPROTO CHAP MSOFT
pptp0-0: ignoring SetLinkInfo
[Pptp0] LCP: rec'd Configure Ack #2 link 0 (Ack-Sent) ACFCOMP PROTOCOMP MRU 1500 MAGICNUM 14eff6b3 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: state change Ack-Sent --> Opened
[Pptp0] LCP: phase shift ESTABLISH --> AUTHENTICATE
[Pptp0] LCP: auth: peer wants nothing, I want CHAP
[Pptp0] CHAP: sending CHALLENGE
[Pptp0] LCP: LayerUp
[Pptp0] LCP: rec'd Ident #2 link 0 (Opened) MESG: MSRASV5.00
[Pptp0] LCP: rec'd Ident #3 link 0 (Opened) MESG: MSRAS-0-DVMONSTER
[Pptp0] CHAP: rec'd RESPONSE #1 Name: "test" Peer name: "test" Response is valid
[Pptp0] CHAP: sending SUCCESS
[Pptp0] LCP: authorization successful
[Pptp0] LCP: phase shift AUTHENTICATE --> NETWORK
[Pptp0] up: 1 link, total bandwidth 64000 bps
[Pptp0] IPCP: Up event
[Pptp0] IPCP: state change Starting --> Req-Sent
[Pptp0] IPCP: SendConfigReq #1 IPADDR 192.168.1.100 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[Pptp0] CCP: Open event
[Pptp0] CCP: state change Initial --> Starting
[Pptp0] CCP: LayerStart
[Pptp0] CCP: Up event
[Pptp0] CCP: state change Starting --> Req-Sent
[Pptp0] CCP: SendConfigReq #1 MPPC 0x01000060: MPPE, 40 bit, 128 bit, stateless
[Pptp0] CCP: rec'd Configure Request #4 link 0 (Req-Sent) MPPC 0x010000f1: MPPC MPPE, 40 bit, 128 bit, stateless Bits 0x00000090 not supported
[Pptp0] CCP: SendConfigNak #4 MPPC 0x01000040: MPPE, 128 bit, stateless
[Pptp0] IPCP: rec'd Configure Request #5 link 0 (Req-Sent) IPADDR 0.0.0.0 NAKing with 63.238.170.52 PRIDNS 0.0.0.0 NAKing with 192.168.1.1 PRINBNS 0.0.0.0 NAKing with 192.168.1.4 SECDNS 0.0.0.0 SECNBNS 0.0.0.0
[Pptp0] IPCP: SendConfigRej #5 SECDNS 0.0.0.0 SECNBNS 0.0.0.0
[Pptp0] IPCP: rec'd Configure Reject #1 link 0 (Req-Sent) COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[Pptp0] IPCP: SendConfigReq #2 IPADDR 192.168.1.100
[Pptp0] CCP: rec'd Configure Nak #1 link 0 (Req-Sent) MPPC 0x01000040: MPPE, 128 bit, stateless
[Pptp0] CCP: SendConfigReq #2 MPPC 0x01000040: MPPE, 128 bit, stateless
[Pptp0] CCP: rec'd Configure Request #6 link 0 (Req-Sent) MPPC 0x01000040: MPPE, 128 bit, stateless
[Pptp0] CCP: SendConfigAck #6 MPPC 0x01000040: MPPE, 128 bit, stateless
[Pptp0] CCP: state change Req-Sent --> Ack-Sent
[Pptp0] IPCP: rec'd Configure Request #7 link 0 (Req-Sent) IPADDR 0.0.0.0 NAKing with 63.238.170.52 PRIDNS 0.0.0.0 NAKing with 192.168.1.1 PRINBNS 0.0.0.0 NAKing with 192.168.1.4
[Pptp0] IPCP: SendConfigNak #7 IPADDR 63.238.170.52 PRIDNS 192.168.1.1 PRINBNS 192.168.1.4
[Pptp0] IPCP: rec'd Configure Ack #2 link 0 (Req-Sent) IPADDR 192.168.1.100
[Pptp0] IPCP: state change Req-Sent --> Ack-Rcvd
[Pptp0] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent) MPPC 0x01000040: MPPE, 128 bit, stateless
[Pptp0] CCP: state change Ack-Sent --> Opened
[Pptp0] CCP: LayerUp Compress using: MPPE, 128 bit, stateless Decompress using: MPPE, 128 bit, stateless
[Pptp0] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd) IPADDR 63.238.170.52 63.238.170.52 is OK PRIDNS 192.168.1.1 PRINBNS 192.168.1.4
[Pptp0] IPCP: SendConfigAck #8 IPADDR 63.238.170.52 PRIDNS 192.168.1.1 PRINBNS 192.168.1.4
[Pptp0] IPCP: state change Ack-Rcvd --> Opened
[Pptp0] IPCP: LayerUp 192.168.1.100 -> 63.238.170.52
[Pptp0] IFACE: Up event
[Pptp0] exec: /sbin/ifconfig ng0 192.168.1.100 63.238.170.52 netmask 0xffffffff -link0
[Pptp0] no interface to proxy arp on for 63.238.170.52
[Pptp0] IFACE: Up event

mpd.conf

default:
    load default-log
    load client

client:
    load Pptp0

Pptp0:
    new -i ng0 Pptp0 Pptp0
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 1800
    set bundle disable multilink
    set bundle authname test
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 10 60
    set ipcp yes vjcomp
    set ipcp ranges 192.168.1.100/32 192.168.1.102/32
    set ipcp dns 192.168.1.1
    set ipcp nbns 192.168.1.4
    set bundle enable compression
    set ccp yes mppc
    set ccp yes mpp-e40
    set ccp yes mpp-e128
    set ccp yes mpp-stateless

default-log:
    log +bund +link +chat +lcp +auth +fsm +phys +ipcp +ccp +pptp

mpd.links

Pptp0:
    set link type pptp
    set pptp self x.x.x.5
    set pptp enable incoming
    set pptp disable originate
    set link enable chap
    set link disable pap
    set link enable acfcomp protocomp
    set link keep-alive 10 75
    set link enable no-orig-auth

ipf.rules

#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#----------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 proto gre from any to any
block out quick on xl0 all

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
# Replace X.X.X.X/32 with your ISP's DHCP server address.
#----------------------------------------------------------------
#pass in quick on ed0 proto udp from X.X.X.X/32 to any port = 68 keep state
pass in quick on xl0 proto tcp from any to 192.168.1.4 port = 25 keep state
pass in quick proto tcp from any to any port = 22 keep state keep frags
pass in quick proto tcp from any to any port = 47 keep state keep frags
pass in quick proto tcp from any to any port = 1723 keep state keep frags

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
#   isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
#   as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl2 proto tcp from any to any keep state
pass out quick on xl2 proto udp from any to any keep state
pass out quick on xl2 proto icmp from any to any keep state
block out quick on xl2 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl2 proto tcp from any to any keep state
pass in quick on xl2 proto udp from any to any keep state
pass in quick on xl2 proto icmp from any to any keep state
block in quick on xl2 all

ipnat.rules

map xl0 192.168.1.0/24 -> x.x.x.5/32 proxy port 21 ftp/tcp
map xl0 192.168.1.0/24 -> x.x.x.5/32 proxy port 1501 ftp/tcp
map xl0 192.168.2.0/24 -> x.x.x.5/32 proxy port 21 ftp/tcp
map xl0 192.168.1.0/24 -> x.x.x.5/32 portmap tcp/udp 40000:60000
map xl0 192.168.2.0/24 -> x.x.x.5/32 portmap tcp/udp 40000:60000
rdr xl0 0.0.0.0/0 port 25 -> 192.168.1.4 port 25 tcp
map xl0 192.168.1.0/24 -> x.x.x.5/32
map xl0 192.168.2.0/24 -> x.x.x.5/32

John Lord (jlord@4jon.com)
Network Administrator
Studio for Publications Inc
410-723-7089 Office
pageme@4jon.com Pager
www.4jon.com
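
Added example, not part of the original message: PPTP runs its control connection over TCP port 1723 and carries the tunnelled PPP frames in GRE, which is IP protocol 47 and not TCP port 47. The sketch below runs constructed packets through the inbound rules from the posted ipf.rules that can match on xl0, treating them as first-match because every one is `quick`; the packet dictionaries, the helper names and the extra inbound `proto gre` rule are assumptions.

```python
# Inbound rules that can match on xl0, copied from the posted ipf.rules
# (quoted-printable "=3D" decoded to "=").
POSTED_RULES = [
    "pass in quick on xl0 proto tcp from any to 192.168.1.4 port = 25 keep state",
    "pass in quick proto tcp from any to any port = 22 keep state keep frags",
    "pass in quick proto tcp from any to any port = 47 keep state keep frags",
    "pass in quick proto tcp from any to any port = 1723 keep state keep frags",
    "block return-rst in log quick on xl0 proto tcp from any to any",
    "block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any",
    "block in log quick on xl0 all",
]
# Assumption, not from the post: an inbound GRE rule, written in the same
# "proto gre" form as the post's outbound rule.
GRE_IN = "pass in quick on xl0 proto gre from any to any"

# Constructed packets for the two halves of a PPTP session arriving on xl0.
CONTROL = {"ifc": "xl0", "proto": "tcp", "dst": "x.x.x.5", "dport": 1723}
TUNNEL = {"ifc": "xl0", "proto": "gre", "dst": "x.x.x.5", "dport": None}

def parse(line):
    """Reduce one inbound 'quick' rule to the fields this sketch matches on."""
    t = line.split()
    if "in" not in t or "quick" not in t:
        raise ValueError("sketch handles inbound quick rules only: " + line)
    nxt = lambda word: t[t.index(word) + 1] if word in t else None
    return {"action": t[0], "ifc": nxt("on"), "proto": nxt("proto"),
            "dst": nxt("to"), "port": nxt("="), "text": line}

def matches(rule, pkt):
    """A field the rule omits (or 'any') matches every packet."""
    return (rule["ifc"] in (None, pkt["ifc"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["dst"] in (None, "any", pkt["dst"])
            and rule["port"] in (None, str(pkt["dport"])))

def verdict(rules, pkt):
    """Every rule here is 'quick', so the first matching rule decides."""
    for rule in map(parse, rules):
        if matches(rule, pkt):
            return rule["action"], rule["text"]
    return "no-match", None

if __name__ == "__main__":
    print("control tcp/1723:", verdict(POSTED_RULES, CONTROL))
    print("tunnel gre      :", verdict(POSTED_RULES, TUNNEL))
    print("gre, rule added :", verdict([GRE_IN] + POSTED_RULES, TUNNEL))
```

With the posted rules the control connection is passed while the GRE packet falls through to the final block rule, which is consistent with the first log: the PPTP connection attaches, then ten LCP configure requests go unanswered.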