Date: Wed, 16 Apr 2003 00:58:52 +0300
From: Ruslan Ermilov <ru@freebsd.org>
To: "Belov V." <vit@volia.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: allow vpn clients to connect to internal vpn server
Message-ID: <20030415215852.GA57610@sunbay.com>
In-Reply-To: <1050411211.383975@smtp.top.net.ua>
References: <1050411211.383975@smtp.top.net.ua>
On Tue, Apr 15, 2003 at 03:53:30PM +0300, Belov V. wrote:
> Hi
> My private net is 192.168.0.0/24 and has a Win VPN server in it.
> Natd has redirection: redirect_port tcp 192.168.0.1:1723 1723
> What should be added to allow external vpn clients to connect to my internal
> vpn server?
>
> My current BSD router has the following ipfw rules:
>
> add allow ip from any to any via lo0
> add deny all from any to 127.0.0.0/8
> add deny all from 127.0.0.0/8 to any
> add deny all from 192.168.0.0/24 to any in recv de0
> add deny all from any to 10.0.0.0/8 via de0
> add deny all from any to 172.16.0.0/12 via de0
> add deny all from any to 192.168.0.0/16 via de0
> add deny all from any to 0.0.0.0/8 via de0
> add deny all from any to 169.254.0.0/16 via de0
> add deny all from any to 192.0.2.0/24 via de0
> add deny all from any to 224.0.0.0/4 via de0
> add deny all from any to 240.0.0.0/4 via de0
> add deny tcp from any to any 137-139 via de0
> add deny tcp from any to any 137-139 via de0
> add fwd 192.168.0.10,3128 tcp from 192.168.0.0/24 to any 80
> add divert 8668 all from any to any via de0
> add pass tcp from any to any established
> add pass ip from any to any frag
> add pass tcp from any to ip_of_external_interface 25 setup
> add pass tcp from any to any 1723 setup
> add pass tcp from any to any 4899 setup
> add pass tcp from any to ip_of_external_interface 53 setup
> add pass udp from any to ip_of_external_interface 53
> add pass udp from ip_of_external_interface 53 to any
> add deny log tcp from any to any in via de0 setup
> add pass tcp from any to any setup
> add pass udp from any to any 53 keep-state
>

With the default ``allow ip from any to any'' it was enough to redirect
only TCP port 1723 to an internal machine:

: src/lib/libalias/alias_pptp.c revision 1.4
: date: 2000/10/30 12:39:41;  author: ru;  state: Exp;  lines: +129 -53
: A significant rewrite of PPTP aliasing code.
:
: PPTP links are no longer dropped by simple (and inappropriate in this
: case) "inactivity timeout" procedure, only when requested through the
: control connection.
:
: It is now possible to have multiple PPTP servers running behind NAT.
: Just redirect the incoming TCP traffic to port 1723, everything else
: is done transparently.
:
: Problems were reported and the fix was tested by:
: Michael Adler <Michael.Adler@compaq.com>,
: David Andersen <dga@lcs.mit.edu>

If your default rule is ``deny ip from any to any'', you should also
allow for the protocol ``gre'' traffic.

Cheers,
-- 
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
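An added check, not part of this thread, that walks an ipfw ruleset like the one posted and reports whether the PPTP prerequisites described in the reply are met: a divert to natd, a pass for the TCP/1723 control connection and, when the kernel's default rule is deny, a pass for GRE (the PPTP data channel). The sample rules are a constructed subset of the posted list; the helper names are my own.

```python
import re

# Subset of the ruleset posted in the question (external interface de0),
# embedded as constructed sample input.
POSTED_RULES = """
add divert 8668 all from any to any via de0
add pass tcp from any to any established
add pass ip from any to any frag
add pass tcp from any to any 1723 setup
add deny log tcp from any to any in via de0 setup
add pass udp from any to any 53 keep-state
""".strip().splitlines()

RULE_RE = re.compile(
    r"^(?:add\s+)?(?:\d+\s+)?(pass|allow|accept|deny|drop|divert\s+\d+)"
    r"(?:\s+log)?\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)(.*)$")

def parse_rule(line):
    """Split one ipfw rule into action, protocol, src, dst and trailing options."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    action, proto, src, dst, rest = m.groups()
    action = {"allow": "pass", "accept": "pass", "drop": "deny"}.get(action, action)
    if action.startswith("divert"):
        action = "divert"
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": rest.split()}

def port_matches(spec, port):
    """True if an ipfw port spec such as '1723', '137-139' or '25,1723' covers port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def check_pptp(rules, default_deny):
    """Return the problems that would block PPTP through this NAT box; [] means OK."""
    parsed = [r for r in map(parse_rule, rules) if r]
    problems = []
    if not any(r["action"] == "divert" for r in parsed):
        problems.append("no divert rule handing traffic to natd")
    if not any(r["action"] == "pass" and r["proto"] == "tcp" and r["opts"]
               and port_matches(r["opts"][0], 1723) for r in parsed):
        problems.append("no pass rule for tcp/1723 (PPTP control connection)")
    # GRE is covered by an explicit gre/47 rule or by an unqualified ``pass ip/all''.
    gre_ok = any(r["action"] == "pass" and (r["proto"] in ("gre", "47") or
                 (r["proto"] in ("ip", "all") and "frag" not in r["opts"])) for r in parsed)
    if default_deny and not gre_ok:
        problems.append("default deny but no pass rule for gre (PPTP data channel)")
    return problems
```

With the posted rules the check passes for a default-allow kernel and reports only the missing GRE pass for a default-deny one; adding ``pass gre from any to any via de0`` clears it.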