Board index OpenBSD

PF Rules + pptp

PF Rules + pptp

Post by Ziad » Sun, 03 Nov 2002 20:49:11



HI all,

need a hand here as I am about to start pulling hairs out of my head.
I am trying to allow for an internal client to create a VPN/pptp
connection to an outside host from behind a OpenBSD 3.2 PF firewall.

Here are my current rules, could you please critique and let me know
what I am doing wrong or where I can improve on. There is only 1
client attempting to VPN out him being $SCUM.

I can see the connection going out using tcpdump but i dont "think" it
is being natted correctly on the way back in, HELP please!

# OPEN Packet Filtering Rules.

# Macro definitions
IF = "fxp0"
EXT_IP = "x.x.x.x"
INT_NET = "172.16.4.0/24"
ML="x.x.x.x"
SCUM = "172.16.4.5"

#Packet normalisation
scrub in all

########################### NAT
nat     on      $IF    from    $INT_NET to any -> $EXT_IP
binat on $IF proto { udp, tcp, gre } from $SCUM to $ML ->      $EXT_IP
rdr on $IF proto gre from $ML to $EXT_IP port 0 -> $SCUM port 0
rdr on $IF proto { tcp, udp } from $ML to $EXT_IP port 1723 -> $SCUM \
port 1723
################################################################################################

# VPN/GRE tunneling
pass in log on $IF inet proto tcp from $ML to any port 1732 flags S/SA
\  modulate state
#pass in quick on $IF inet proto tcp from $ML to $SCUM modulate state
#pass in quick on $IF proto gre from $ML to $SCUM keep state

# Block everything by default
block   out     log     on      $IF     all
block   in      log     on      $IF     all

# blocking rules for internal lan
block in log quick on $IF from {127.0.0.0/8, 10.0.0.0/8, \
172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32} to any

# All outgoing TCP and UDP traffic is allowed, so are ICMP
pass out on $IF inet proto tcp all modulate state
pass out on $IF inet proto icmp all keep state
pass out on $IF inet proto udp all keep state

#Block followig *ports from outside
block   in      log     on      $IF     proto udp from any to any    \
port    =       netbios-ssn
block   in      log     on      $IF     proto tcp from any to any    \
port    =       netbios-ssn

# Incoming TCP traffic to cetain ports is allowed.
#
pass    in              proto tcp from any to any port { www, ssh, \
ftp, https } flags S/SA modulate state
pass    in              proto udp from any to any port 10881 keep \
state

thanks guys

Ziad

 
 
 
Top

1. PF vs IPF keep state rules (was 'ipf to pf rules conversion problems')

2. KPPP always asks for root password!

3. nat rdr rules fail pf: BAD state: pf: State failure

4. Modem required for remote X software - HELP

5. PPTP Clients through 3.0 PF/NAT/GRE

6. how to create a driver disk

7. PPTP/NAT/IPSEC -> Woes of PF?

8. amr softmodem

9. pf (3.0) rules for router! Please help!

10. pf rules on dial-up

11. PF rule allowing specific IP's to pass

12. A pf rule "on the fly"

13. pf bridge rule set


All times are UTC
Board index