Date:      Tue, 26 Jun 2001 12:06:24 -0400 (EDT)
From:      Joe Clarke <marcus@marcuscom.com>
To:        John Lord <lord@4jon.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: can get mpd (ptpp) to work  firewall
Message-ID:  <20010626120112.H20511-100000@shumai.marcuscom.com>
In-Reply-To: <9EB046F82A95DD4DAB74BF7FF4E48BA97790@Server.studio.4jon.com>

I'm running ipfw.  I permit through

ipfw add pass log tcp from any to any 1723 in recv ${oif} setup
ipfw add pass log gre from any to any via ${oif}

That works for me.  I also run natd with the -u flag so that it only
translates RFC1918 addresses.

Joe Clarke

On Tue, 26 Jun 2001, John  Lord wrote:

> It does connect if I turn off my firewall, so I'm guessing I have some
> rule in ipfilter that needs to be changed. If I add pass in quick from
> any to any it lets me connect, but I still can't ping the box at its
> internal IP 192.168.1.1. Are you running ipfilter on your box also? I
> must be overlooking something simple.
>
> outside NIC
>
> pass out quick on xl0 proto tcp from any to any keep state
> pass out quick on xl0 proto udp from any to any keep state
> pass out quick on xl0 proto icmp from any to any keep state
> pass out quick on xl0 proto gre from any to any
> block out quick on xl0 all
>
>
> pass in quick on xl0 proto tcp from any to 192.168.1.4 port = 25 keep state
> pass in quick proto tcp from any to any port = 22 keep state keep frags
> pass in quick proto tcp from any to any port = 47 keep state keep frags
> pass in quick proto tcp from any to any port = 1723 keep state keep frags
> block return-rst in log quick on xl0 proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
> block in log quick on xl0 all
>
> inside nic 192.168.1.1
>
> pass out quick on xl1 proto tcp from any to any keep state
> pass out quick on xl1 proto udp from any to any keep state
> pass out quick on xl1 proto icmp from any to any keep state
> block out quick on xl1 all
> pass in quick on xl1 proto tcp from any to any keep state
> pass in quick on xl1 proto udp from any to any keep state
> pass in quick on xl1 proto icmp from any to any keep state
> block in quick on xl1 all
>
>
> John Lord(jlord@4jon.com)
> Network Administrator
> Studio for Publications Inc
> 410-723-7089 Office
> pageme@4jon.com Pager
> www.4jon.com
>
>
>
> -----Original Message-----
> From: Joe Clarke [mailto:marcus@marcuscom.com]
> Sent: Monday, June 25, 2001 10:05 PM
> To: John Lord
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: can get mpd (ptpp) to work firewall
>
>
> I think I see your problem.  It looks like you're trying to do MS CHAP,
> but you might not have compiled mpd with libdes present.  If this is the
> case, you won't be able to do MS CHAP.  You should install the crypto
> distribution from sysinstall, then recompile mpd.
>
> I have this setup working for 95, 98, and 2000 boxes.  If you need further
> help with mpd, and those clients, let me know.
>
> Joe Clarke
>
> On Mon, 25 Jun 2001, John  Lord wrote:
>
> > OK, I've got a FreeBSD 4.3 stable box running mpd from the ports
> > collection, version 3.2. I have ipfilter running my firewall. Below is
> > the mpd log as I try to connect; after that is a log from when I disable
> > the firewall and it connects, but it gives me 63.238.170.52 for the IP
> > and I have no clue as to where it is getting it from. So first off I need
> > to figure out what in my firewall settings is blocking the PPTP
> > connections, and then why it won't give me an IP for inside my network.
> > Anybody got a clue about any of this?
> >
> > Multi-link PPP for FreeBSD, by Archie L. Cobbs.
> > Based on iij-ppp, by Toshiharu OHNO.
> > mpd: pid 378, version 3.2 (root@crispy.thewetlandsinc.com 21:55 20-Jun-2001)
> > [Pptp0] ppp node is "mpd378-Pptp0"
> > [Pptp0] using interface ng0
> > mpd: local IP address for PPTP is x.x.x.5
> > [Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:4926
> > pptp0: attached to connection with x.x.x.10:4926
> > [Pptp0] IFACE: Open event
> > [Pptp0] IPCP: Open event
> > [Pptp0] IPCP: state change Initial --> Starting
> > [Pptp0] IPCP: LayerStart
> > [Pptp0] IPCP: Open event
> > [Pptp0] bundle: OPEN event in state CLOSED
> > [Pptp0] opening link "Pptp0"...
> > [Pptp0] link: OPEN event
> > [Pptp0] LCP: Open event
> > [Pptp0] LCP: state change Initial --> Starting
> > [Pptp0] LCP: LayerStart
> > [Pptp0] device: OPEN event in state DOWN
> > [Pptp0] attaching to peer's outgoing call
> > [Pptp0] device is now in state OPENING
> > [Pptp0] device: UP event in state OPENING
> > [Pptp0] device is now in state UP
> > [Pptp0] link: UP event
> > [Pptp0] link: origination is remote
> > [Pptp0] LCP: Up event
> > [Pptp0] LCP: state change Starting --> Req-Sent
> > [Pptp0] LCP: phase shift DEAD --> ESTABLISH
> > [Pptp0] LCP: SendConfigReq #1
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > pptp0-0: ignoring SetLinkInfo
> > [Pptp0] LCP: SendConfigReq #2
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #3
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #4
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #5
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #6
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #7
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #8
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #9
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: SendConfigReq #10
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM e43e9586
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: state change Req-Sent --> Stopped
> > [Pptp0] LCP: LayerFinish
> > [Pptp0] LCP: parameter negotiation failed
> > [Pptp0] LCP: LayerFinish
> > [Pptp0] device: CLOSE event in state UP
> > pptp0-0: clearing call
> > pptp0-0: killing channel
> > [Pptp0] PPTP call terminated
> > [Pptp0] IFACE: Close event
> > [Pptp0] IPCP: Close event
> > [Pptp0] IPCP: state change Starting --> Initial
> > [Pptp0] IPCP: LayerFinish
> > [Pptp0] IFACE: Close event
> > pptp0: closing connection with x.x.x.10:4926
> > [Pptp0] IFACE: Close event
> > [Pptp0] device is now in state CLOSING
> > [Pptp0] bundle: CLOSE event in state OPENED
> > [Pptp0] closing link "Pptp0"...
> > [Pptp0] device: CLOSE event in state CLOSING
> > [Pptp0] device is now in state CLOSING
> > pptp0: invalid length 16 for type 4
> > pptp0: killing connection with x.x.x.10:4926
> > [Pptp0] link: CLOSE event
> > [Pptp0] LCP: Close event
> > [Pptp0] LCP: state change Stopped --> Closed
> > [Pptp0] device: DOWN event in state CLOSING
> > [Pptp0] device is now in state DOWN
> > [Pptp0] link: DOWN event
> > [Pptp0] LCP: Down event
> > [Pptp0] LCP: state change Closed --> Initial
> > [Pptp0] LCP: phase shift ESTABLISH --> DEAD
> > [Pptp0] device: DOWN event in state DOWN
> > [Pptp0] device is now in state DOWN
> > [Pptp0] link: DOWN event
> > [Pptp0] LCP: Down event
> >
> >
> > log from when it connects with firewall wide open
> >
> > Multi-link PPP for FreeBSD, by Archie L. Cobbs.
> > Based on iij-ppp, by Toshiharu OHNO.
> > mpd: pid 439, version 3.2 (root@crispy.thewetlandsinc.com 21:55 20-Jun-2001)
> > [Pptp0] ppp node is "mpd439-Pptp0"
> > [Pptp0] using interface ng0
> > mpd: local IP address for PPTP is x.x.x.5
> > [Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:1064
> > pptp0: attached to connection with x.x.x.10:1064
> > [Pptp0] IFACE: Open event
> > [Pptp0] IPCP: Open event
> > [Pptp0] IPCP: state change Initial --> Starting
> > [Pptp0] IPCP: LayerStart
> > [Pptp0] IPCP: Open event
> > [Pptp0] bundle: OPEN event in state CLOSED
> > [Pptp0] opening link "Pptp0"...
> > [Pptp0] link: OPEN event
> > [Pptp0] LCP: Open event
> > [Pptp0] LCP: state change Initial --> Starting
> > [Pptp0] LCP: LayerStart
> > [Pptp0] device: OPEN event in state DOWN
> > [Pptp0] attaching to peer's outgoing call
> > [Pptp0] device is now in state OPENING
> > [Pptp0] device: UP event in state OPENING
> > [Pptp0] device is now in state UP
> > [Pptp0] link: UP event
> > [Pptp0] link: origination is remote
> > [Pptp0] LCP: Up event
> > [Pptp0] LCP: state change Starting --> Req-Sent
> > [Pptp0] LCP: phase shift DEAD --> ESTABLISH
> > [Pptp0] LCP: SendConfigReq #1
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM 14eff6b3
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: rec'd Configure Request #0 link 0 (Req-Sent)
> >  MAGICNUM 5fbf582c
> >  PROTOCOMP
> >  ACFCOMP
> >  CALLBACK
> >    Not supported
> >  MP MRRU 1614
> >  ENDPOINTDISC [802.1] 00 10 4b 66 27 18
> > [Pptp0] LCP: SendConfigRej #0
> >  CALLBACK
> >  MP MRRU 1614
> > [Pptp0] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
> >  MAGICNUM 5fbf582c
> >  PROTOCOMP
> >  ACFCOMP
> >  ENDPOINTDISC [802.1] 00 10 4b 66 27 18
> > [Pptp0] LCP: SendConfigAck #1
> >  MAGICNUM 5fbf582c
> >  PROTOCOMP
> >  ACFCOMP
> >  ENDPOINTDISC [802.1] 00 10 4b 66 27 18
> > [Pptp0] LCP: state change Req-Sent --> Ack-Sent
> > pptp0-0: ignoring SetLinkInfo
> > [Pptp0] LCP: SendConfigReq #2
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM 14eff6b3
> >  AUTHPROTO CHAP MSOFT
> > pptp0-0: ignoring SetLinkInfo
> > [Pptp0] LCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
> >  ACFCOMP
> >  PROTOCOMP
> >  MRU 1500
> >  MAGICNUM 14eff6b3
> >  AUTHPROTO CHAP MSOFT
> > [Pptp0] LCP: state change Ack-Sent --> Opened
> > [Pptp0] LCP: phase shift ESTABLISH --> AUTHENTICATE
> > [Pptp0] LCP: auth: peer wants nothing, I want CHAP
> > [Pptp0] CHAP: sending CHALLENGE
> > [Pptp0] LCP: LayerUp
> > [Pptp0] LCP: rec'd Ident #2 link 0 (Opened)
> >  MESG: MSRASV5.00
> > [Pptp0] LCP: rec'd Ident #3 link 0 (Opened)
> >  MESG: MSRAS-0-DVMONSTER
> > [Pptp0] CHAP: rec'd RESPONSE #1
> >  Name: "test"
> >  Peer name: "test"
> >  Response is valid
> > [Pptp0] CHAP: sending SUCCESS
> > [Pptp0] LCP: authorization successful
> > [Pptp0] LCP: phase shift AUTHENTICATE --> NETWORK
> > [Pptp0] up: 1 link, total bandwidth 64000 bps
> > [Pptp0] IPCP: Up event
> > [Pptp0] IPCP: state change Starting --> Req-Sent
> > [Pptp0] IPCP: SendConfigReq #1
> >  IPADDR 192.168.1.100
> >  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
> > [Pptp0] CCP: Open event
> > [Pptp0] CCP: state change Initial --> Starting
> > [Pptp0] CCP: LayerStart
> > [Pptp0] CCP: Up event
> > [Pptp0] CCP: state change Starting --> Req-Sent
> > [Pptp0] CCP: SendConfigReq #1
> >  MPPC
> >    0x01000060: MPPE, 40 bit, 128 bit, stateless
> > [Pptp0] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
> >  MPPC
> >    0x010000f1: MPPC MPPE, 40 bit, 128 bit, stateless
> >    Bits 0x00000090 not supported
> > [Pptp0] CCP: SendConfigNak #4
> >  MPPC
> >    0x01000040: MPPE, 128 bit, stateless
> > [Pptp0] IPCP: rec'd Configure Request #5 link 0 (Req-Sent)
> >  IPADDR 0.0.0.0
> >    NAKing with 63.238.170.52
> >  PRIDNS 0.0.0.0
> >    NAKing with 192.168.1.1
> >  PRINBNS 0.0.0.0
> >    NAKing with 192.168.1.4
> >  SECDNS 0.0.0.0
> >  SECNBNS 0.0.0.0
> > [Pptp0] IPCP: SendConfigRej #5
> >  SECDNS 0.0.0.0
> >  SECNBNS 0.0.0.0
> > [Pptp0] IPCP: rec'd Configure Reject #1 link 0 (Req-Sent)
> >  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
> > [Pptp0] IPCP: SendConfigReq #2
> >  IPADDR 192.168.1.100
> > [Pptp0] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
> >  MPPC
> >    0x01000040: MPPE, 128 bit, stateless
> > [Pptp0] CCP: SendConfigReq #2
> >  MPPC
> >    0x01000040: MPPE, 128 bit, stateless
> > [Pptp0] CCP: rec'd Configure Request #6 link 0 (Req-Sent)
> >  MPPC
> >    0x01000040: MPPE, 128 bit, stateless
> > [Pptp0] CCP: SendConfigAck #6
> >  MPPC
> >    0x01000040: MPPE, 128 bit, stateless
> > [Pptp0] CCP: state change Req-Sent --> Ack-Sent
> > [Pptp0] IPCP: rec'd Configure Request #7 link 0 (Req-Sent)
> >  IPADDR 0.0.0.0
> >    NAKing with 63.238.170.52
> >  PRIDNS 0.0.0.0
> >    NAKing with 192.168.1.1
> >  PRINBNS 0.0.0.0
> >    NAKing with 192.168.1.4
> > [Pptp0] IPCP: SendConfigNak #7
> >  IPADDR 63.238.170.52
> >  PRIDNS 192.168.1.1
> >  PRINBNS 192.168.1.4
> > [Pptp0] IPCP: rec'd Configure Ack #2 link 0 (Req-Sent)
> >  IPADDR 192.168.1.100
> > [Pptp0] IPCP: state change Req-Sent --> Ack-Rcvd
> > [Pptp0] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
> >  MPPC
> >    0x01000040: MPPE, 128 bit, stateless
> > [Pptp0] CCP: state change Ack-Sent --> Opened
> > [Pptp0] CCP: LayerUp
> >   Compress using: MPPE, 128 bit, stateless
> > Decompress using: MPPE, 128 bit, stateless
> > [Pptp0] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)
> >  IPADDR 63.238.170.52
> >    63.238.170.52 is OK
> >  PRIDNS 192.168.1.1
> >  PRINBNS 192.168.1.4
> > [Pptp0] IPCP: SendConfigAck #8
> >  IPADDR 63.238.170.52
> >  PRIDNS 192.168.1.1
> >  PRINBNS 192.168.1.4
> > [Pptp0] IPCP: state change Ack-Rcvd --> Opened
> > [Pptp0] IPCP: LayerUp
> >   192.168.1.100 -> 63.238.170.52
> > [Pptp0] IFACE: Up event
> > [Pptp0] exec: /sbin/ifconfig ng0 192.168.1.100 63.238.170.52 netmask 0xffffffff -link0
> > [Pptp0] no interface to proxy arp on for 63.238.170.52
> > [Pptp0] IFACE: Up event
> >
> >
> > mpd.conf
> >
> > default:
> >         load default-log
> >         load client
> >
> >
> > client:
> >         load Pptp0
> >
> >
> > Pptp0:
> >
> >         new -i ng0 Pptp0 Pptp0
> >         set iface disable on-demand
> >         set iface enable proxy-arp
> >         set iface idle 1800
> >         set bundle disable multilink
> >         set bundle authname test
> >         set link yes acfcomp protocomp
> >         set link no pap chap
> >         set link enable chap
> >         set link keep-alive 10 60
> >         set ipcp yes vjcomp
> >         set ipcp ranges 192.168.1.100/32 192.168.1.102/32
> >         set ipcp dns 192.168.1.1
> >         set ipcp nbns 192.168.1.4
> >         set bundle enable compression
> >         set ccp yes mppc
> >         set ccp yes mpp-e40
> >         set ccp yes mpp-e128
> >         set ccp yes mpp-stateless
> >
> >
> >
> >
> > default-log:
> >         log +bund +link +chat +lcp +auth +fsm +phys +ipcp +ccp +pptp
> >
> > mpd.links
> >
> > Pptp0:
> >         set link type pptp
> >         set pptp self x.x.x.5
> >         set pptp enable incoming
> >         set pptp disable originate
> >         set link enable chap
> >         set link disable pap
> >         set link enable acfcomp protocomp
> >         set link keep-alive 10 75
> >         set link enable no-orig-auth
> >
> > ipf.rules
> >
> > #################################################################
> > # Outside Interface
> > #################################################################
> >
> > #----------------------------------------------------------------
> > # Allow out all TCP, UDP, and ICMP traffic & keep state on it
> > # so that it's allowed back in.
> > #----------------------------------------------------------------
> > pass out quick on xl0 proto tcp from any to any keep state
> > pass out quick on xl0 proto udp from any to any keep state
> > pass out quick on xl0 proto icmp from any to any keep state
> > pass out quick on xl0 proto gre from any to any
> > block out quick on xl0 all
> >
> > #----------------------------------------------------------------
> > # Allow bootp traffic in from your ISP's DHCP server only.
> > # Replace X.X.X.X/32 with your ISP's DHCP server address.
> > #----------------------------------------------------------------
> > #pass in quick on ed0 proto udp from X.X.X.X/32 to any port = 68 keep state
> > pass in quick on xl0 proto tcp from any to 192.168.1.4 port = 25 keep state
> > pass in quick proto tcp from any to any port = 22 keep state keep frags
> > pass in quick proto tcp from any to any port = 47 keep state keep frags
> > pass in quick proto tcp from any to any port = 1723 keep state keep frags
> > #----------------------------------------------------------------
> > # Block and log all remaining traffic coming into the firewall
> > # - Block TCP with a RST (to make it appear as if the service
> > # isn't listening)
> > # - Block UDP with an ICMP Port Unreachable (to make it appear
> > # as if the service isn't listening)
> > # - Block all remaining traffic the good 'ol fashioned way
> > #----------------------------------------------------------------
> > block return-rst in log quick on xl0 proto tcp from any to any
> > block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
> > block in log quick on xl0 all
> >
> > #################################################################
> > # Inside Interface
> > #################################################################
> >
> > #----------------------------------------------------------------
> > # Allow out all TCP, UDP, and ICMP traffic & keep state
> > #----------------------------------------------------------------
> > pass out quick on xl1 proto tcp from any to any keep state
> > pass out quick on xl1 proto udp from any to any keep state
> > pass out quick on xl1 proto icmp from any to any keep state
> > block out quick on xl1 all
> >
> >
> > #----------------------------------------------------------------
> > # Allow out all TCP, UDP, and ICMP traffic & keep state
> > #----------------------------------------------------------------
> > pass out quick on xl2 proto tcp from any to any keep state
> > pass out quick on xl2 proto udp from any to any keep state
> > pass out quick on xl2 proto icmp from any to any keep state
> > block out quick on xl2 all
> >
> >
> > #----------------------------------------------------------------
> > # Allow in all TCP, UDP, and ICMP traffic & keep state
> > #----------------------------------------------------------------
> > pass in quick on xl1 proto tcp from any to any keep state
> > pass in quick on xl1 proto udp from any to any keep state
> > pass in quick on xl1 proto icmp from any to any keep state
> > block in quick on xl1 all
> >
> >
> > #----------------------------------------------------------------
> > # Allow in all TCP, UDP, and ICMP traffic & keep state
> > #----------------------------------------------------------------
> > pass in quick on xl2 proto tcp from any to any keep state
> > pass in quick on xl2 proto udp from any to any keep state
> > pass in quick on xl2 proto icmp from any to any keep state
> > block in quick on xl2 all
> >
> > ipnat.rules
> >
> > map xl0 192.168.1.0/24 -> x.x.x.5/32 proxy port 21 ftp/tcp
> > map xl0 192.168.1.0/24 -> x.x.x.5/32 proxy port 1501 ftp/tcp
> > map xl0 192.168.2.0/24 -> x.x.x.5/32 proxy port 21 ftp/tcp
> > map xl0 192.168.1.0/24 -> x.x.x.5/32 portmap tcp/udp 40000:60000
> > map xl0 192.168.2.0/24 -> x.x.x.5/32 portmap tcp/udp 40000:60000
> > rdr xl0 0.0.0.0/0 port 25 -> 192.168.1.4 port 25 tcp
> > map xl0 192.168.1.0/24 -> x.x.x.5/32
> > map xl0 192.168.2.0/24 -> x.x.x.5/32
> >
> > John Lord(jlord@4jon.com)
> > Network Administrator
> > Studio for Publications Inc
> > 410-723-7089 Office
> > pageme@4jon.com Pager
> > www.4jon.com
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
> >
>
>
>
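
Added example (not part of the original thread): a simplified Python model of how the inbound ipfilter rules quoted above treat the two halves of a PPTP session, the TCP 1723 control connection and the GRE (IP protocol 47) data channel that the ipfw rules in the reply permit explicitly. The server address 203.0.113.5, the helper names and the ipf form of the GRE rule are assumptions made for illustration; state tracking and fragments are not modelled.

```python
# Added illustration: first-match model of the quoted inbound ipf rules.
# Every quoted rule carries "quick", so the first matching rule decides.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: Optional[str]         # None = rule has no "on <if>" clause
    proto: Optional[str]         # None = "all"
    dst: Optional[str] = None    # None = "any"
    dport: Optional[int] = None  # None = no port test
    text: str = ""

@dataclass
class Packet:
    iface: str
    proto: str                   # "tcp", "udp", "icmp" or "gre" (IP protocol 47)
    dst: str
    dport: Optional[int] = None  # GRE has no ports

# Inbound rules in the order they appear in the quoted ipf.rules.
QUOTED_IN_RULES: List[Rule] = [
    Rule("pass", "xl0", "tcp", "192.168.1.4", 25, "pass in quick on xl0 proto tcp ... port = 25"),
    Rule("pass", None, "tcp", None, 22, "pass in quick proto tcp ... port = 22"),
    Rule("pass", None, "tcp", None, 47, "pass in quick proto tcp ... port = 47"),
    Rule("pass", None, "tcp", None, 1723, "pass in quick proto tcp ... port = 1723"),
    Rule("block", "xl0", "tcp", text="block return-rst in log quick on xl0 proto tcp"),
    Rule("block", "xl0", "udp", text="block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp"),
    Rule("block", "xl0", None, text="block in log quick on xl0 all"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    checks = ((rule.iface, pkt.iface), (rule.proto, pkt.proto),
              (rule.dst, pkt.dst), (rule.dport, pkt.dport))
    return all(want is None or want == got for want, got in checks)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "nomatch", "no rule matched"

def with_gre_rule(rules: List[Rule]) -> List[Rule]:
    """Insert an ipf counterpart (assumed wording) of the reply's ipfw GRE
    rule ahead of the first block rule."""
    gre = Rule("pass", "xl0", "gre", text="pass in quick on xl0 proto gre from any to any")
    first_block = next(i for i, r in enumerate(rules) if r.action == "block")
    return rules[:first_block] + [gre] + rules[first_block:]

# Constructed sample packets arriving on the outside interface.
PPTP_CONTROL = Packet("xl0", "tcp", "203.0.113.5", 1723)
PPTP_GRE = Packet("xl0", "gre", "203.0.113.5")

if __name__ == "__main__":
    for name, pkt in (("control", PPTP_CONTROL), ("gre", PPTP_GRE)):
        print(name, "quoted rules ->", evaluate(QUOTED_IN_RULES, pkt))
        print(name, "with gre rule ->", evaluate(with_gre_rule(QUOTED_IN_RULES), pkt))
```

In this model the TCP 1723 packet passes on the quoted ruleset while the GRE packet falls through to the final block rule, because `proto tcp ... port = 47` tests TCP port 47 rather than IP protocol 47.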

