[pmfirewall] SYN, PROT 47 and PPTP and IPCHAINS in general


From: Richard Ford (pmfirewall@cubok.com)
Date: Wed May 16 2001 - 13:11:29 PDT


G'Day All,

I thought that this list was emailed to you once subscribed??

Oh well, here goes, hope someone sees this.

I have been trying to get VPN access for PPTP to work through my firewall to
a masqed PPTP server, an RH6.2 box with kernel 2.2.18 patched for masqed VPN
use.

A few points.

First line of my IPCHAINS:

ACCEPT tcp !y---- 0.0.0.0/0 203.37.71.24/29 * -> *

Now, I know that this will accept anything that does not have a SYN set. So
all packets that are just replies?

Now, as soon as you answer 'Y' to any setup question like "Do you run an SSH
server?", doesn't the whole issue of SYN bits and this line become useless?
As to establish an SSH connection, you would first send out a SYN headed
packet?

Should the system not have this line, then at the end of all rules or input
exceptions for, say, SSH, web, mail, etc., have it again? Or just why bother
having it?

Trying to get VPN to work. Now it does work, if I set all input and output
chains to default policy of accept and only add the basic rule to allow
outgoing masquerading. Oh, I also obviously have port forwarding in place.

Doing this all is good!

Now I add in pmfirewall and some real security. It does not work.

I add these lines to pmfirewall.rules.local:

$IPCHAINS -A input -p tcp -s $REMOTENET 1723 -d $OUTERNET 1723 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET 1723 -d $OUTERNET 1723 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET 47 -d $OUTERNET 47 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET 47 -d $OUTERNET 47 -j ACCEPT

And nothing works. I know PPTP needs ports 1723 and 47 on tcp and udp to
work.

I add in these rules from a post in this mailing list:

$IPCHAINS -A input -p tcp -s $REMOTENET 1723 -d $OUTERNET -j ACCEPT
$IPCHAINS -A input -p 47 -s $REMOTENET -d $OUTERNET -j ACCEPT

And it works!

I remove rule number 2 above and restart and it does not work. I remove
rule one and add two and it works fine!!

So what is going on?

-p 47 means protocol 47 and not port 47 which is -P 47.

What is protocol 47 as there is no mention of it in /etc/protocols?

And why does this VPN masquerading work when I have not allowed ports 1723
and 47 on tcp and udp?

Why does rule 2 above allow all to work?

I remove rule 2 and this is what is logged in /var/log/messages:

May 17 17:38:12 rusty kernel: Packet log: input DENY eth0 PROTO=47
203.101.6.31:65535 203.*.*.*:65535 L=65 S=0x00 I=27627 F=0x0000 T=115 (#31)

So what is up?

What rules do I need and where? What logic have I mucked up! :)

Could we have this added to the install script?

Do you have any masqueraded (VPN) servers y/N?

What is their internal ip address??? etc.

And last question.

Are ipchains rules deleted at reset/shutdown time?

I have all these old seawall custom chains installed that I can't get rid
of. I delete them by hand, but by next reboot there they are again.

I also added a rule by hand at the command line into the input and output
chains. Did some testing, then did a restart and the rules were still
there!!

Doesn't pmfirewall flush all chains before it adds its own? Are chains saved
anywhere? How can I be sure that the policy in effect is the one I have
defined in pmfirewall?

Apart from all this, this software is great!

Cheers,
Richard.
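The post's confusion over "port 47" versus "protocol 47" is visible in the logged DENY line: ipchains prints PROTO=47 (GRE, the PPTP tunnel carrier, which has no ports) with a dummy 65535 in the port positions. The following is an added example, not code from the post or from pmfirewall: a small POSIX shell decoder for ipchains "Packet log:" lines that names the protocol and strips the dummy ports, so a denied PPTP packet is reported as GRE rather than as a mystery port. The sample log lines and their addresses are constructed; the protocol table is inline because the poster's /etc/protocols lacks GRE.

```shell
#!/bin/sh
# Added example (not from the original post): decode ipchains "Packet log:"
# lines from /var/log/messages so a denied packet is reported by protocol name.
# Protocol 47 is GRE, the PPTP data channel; it is a protocol, not a port.

# Constructed sample lines in the ipchains log format (addresses made up).
SAMPLE_GRE='May 17 17:38:12 rusty kernel: Packet log: input DENY eth0 PROTO=47 198.51.100.7:65535 203.0.113.5:65535 L=65 S=0x00 I=27627 F=0x0000 T=115 (#31)'
SAMPLE_TCP='May 17 17:40:02 rusty kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1039 203.0.113.5:1723 L=48 S=0x00 I=27700 F=0x4000 T=115 (#31)'

# Minimal protocol-number table (inline because old /etc/protocols may omit GRE).
proto_name() {
    case "$1" in
        1)  echo ICMP ;;
        6)  echo TCP ;;
        17) echo UDP ;;
        47) echo GRE ;;          # PPTP tunnel payload; carries no port numbers
        *)  echo "proto$1" ;;
    esac
}

# decode_ipchains_log LINE
# Prints: ACTION CHAIN IFACE NAME(NUM) SRC -> DST rule#N
decode_ipchains_log() {
    # awk pulls the positional fields out; the matching rule number is the last field.
    fields=$(printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "log:")   { chain = $(i+1); action = $(i+2); iface = $(i+3) }
                if ($i ~ /^PROTO=/) { proto = substr($i, 7); src = $(i+1); dst = $(i+2) }
            }
            rule = $NF; sub(/^\(#/, "", rule); sub(/\)$/, "", rule)
            print action, chain, iface, proto, src, dst, rule
        }')
    set -- $fields
    action=$1; chain=$2; iface=$3; proto=$4; src=$5; dst=$6; rule=$7
    name=$(proto_name "$proto")
    case "$proto" in
        1|6|17) ;;                          # ICMP/TCP/UDP: the port/type fields mean something
        *) src=${src%:*}; dst=${dst%:*} ;;  # others: 65535 is a dummy, drop it
    esac
    echo "$action $chain $iface $name($proto) $src -> $dst rule#$rule"
}

decode_ipchains_log "$SAMPLE_GRE"   # DENY input eth0 GRE(47) 198.51.100.7 -> 203.0.113.5 rule#31
decode_ipchains_log "$SAMPLE_TCP"   # DENY input eth0 TCP(6) 198.51.100.7:1039 -> 203.0.113.5:1723 rule#31
```

Feed it `grep 'Packet log:' /var/log/messages` to see which rule number (#N) is dropping the GRE traffic that the port-1723 rule alone cannot admit.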




This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:41:37 PDT