From owner-freebsd-security@FreeBSD.ORG Sat May 10 07:18:14 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D9F3B37B401; Sat, 10 May 2003 07:18:14 -0700 (PDT)
Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E0F943F85; Sat, 10 May 2003 07:18:14 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: from centtech.com ([204.177.173.226]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h4AEID56030542; Sat, 10 May 2003 09:18:13 -0500 (CDT) (envelope-from anderson@centtech.com)
Message-ID: <3EBD0A81.50305@centtech.com>
Date: Sat, 10 May 2003 09:19:45 -0500
From: Eric Anderson
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
MIME-Version: 1.0
To: Michael Collette
cc: FreeBSD Security
References: <200305100617.44245.metrol@metrol.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Subject: Re: Down the MPD road
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sat, 10 May 2003 14:18:15 -0000

Michael Collette wrote:
> [..snip good stuff..]
> The probs:
> Apparently PPTP actually puts the remote machine IN the target network.
> Sorry, I'm still pretty green on this PPTP stuff. Works a good bit different
> than IPSec. Anyhow, once the remote box is connected all the connections to
> the rest of the Internet are now coming from behind the firewall. That'd be
> cool if it worked reliably.
> While connected, when I attempt to browse around the public Internet some
> pages just don't load, where others do.
> No rhyme or reason, and nothing
> showing up in my logging of all denied packets via ipfw. For example, I can
> hit CNN without a problem, then when I try news.google it never loads a page.
> I can hit the main Yahoo page, but any of their other sites won't go. Really
> odd.
>
> I'm not sure if I've got an ipfw or mpd problem at this point. I've tried a
> dozen different ways to open up ipfw a LOT while still keeping it reasonably
> closed. This thing is in production and all. If it'd help, I'll post the
> relevant rule list here.
> [..more snipping..]

Ok, I saw these problems too.. Remember that the vpn'd client's data is coming
through the firewall, to the ng0 interface, and then leaving from there (when
"surfing the net"), so you will have to have NAT set up (of some sort) and make
sure your rules are open enough to allow the firewall to send packets from the
ng0 interface on out and have them natted.. Some of your pages are probably
loading from a cache, and not others... also, you may want to add these lines
to mpd.conf:

    set iface enable proxy-arp
    set iface mtu 1440

I found it fixed all my odd problems that I was having with XP clients..

Eric
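An added illustration, not part of either mail and not mpd's own code, of why the `set iface mtu 1440` line can make "some pages load, others hang" go away. It models the PPTP/GRE framing overhead and the path MTU discovery exchange on the tunnel path; the header sizes are assumptions taken from the RFC 2637 GRE framing and standard IPv4/TCP headers, and the scenario values (response sizes, the 1500-byte outer MTU, whether ICMP "fragmentation needed" gets back to the web server) are constructed for the demonstration.

```python
"""Model of PPTP tunnel MTU versus TCP segment size (illustration, not mpd code).

Assumptions (not from the thread):
  - outer path carries 1500-byte IPv4 packets
  - PPTP data frames are PPP inside enhanced GRE inside IPv4 (RFC 2637)
  - a host derives its advertised MSS from its link MTU (RFC 879)
"""

IP_HDR = 20          # IPv4 header, no options
GRE_HDR_PPTP = 16    # enhanced GRE: 4 base + 4 key + 4 sequence + 4 ack (RFC 2637)
PPP_HDR = 4          # address/control + 2-byte protocol, uncompressed
TCP_HDR = 20         # TCP header, no options


def pptp_inner_mtu(outer_mtu: int = 1500) -> int:
    """Largest PPP payload that fits one outer packet without fragmentation."""
    return outer_mtu - IP_HDR - GRE_HDR_PPTP - PPP_HDR


def tcp_mss(link_mtu: int) -> int:
    """MSS a host advertises for a given link MTU (MTU minus IP and TCP headers)."""
    return link_mtu - IP_HDR - TCP_HDR


def deliver(segment_ip_len: int, path_mtu: int, df: bool = True,
            icmp_reaches_sender: bool = True) -> str:
    """Fate of one IP packet on a path whose MTU may be smaller than the packet.

    'delivered'   fits, nothing happens
    'fragmented'  DF clear: a router fragments it (works, but slowly)
    'pmtud-retry' DF set, ICMP 'fragmentation needed' reaches the sender,
                  which resends with a smaller segment
    'blackholed'  DF set, ICMP lost or filtered: the sender keeps
                  retransmitting the same oversize segment and the transfer stalls
    """
    if segment_ip_len <= path_mtu:
        return "delivered"
    if not df:
        return "fragmented"
    return "pmtud-retry" if icmp_reaches_sender else "blackholed"


def page_load_outcome(response_bytes: int, client_iface_mtu: int,
                      path_mtu: int, icmp_reaches_sender: bool) -> str:
    """Outcome for a TCP response whose segments are bounded by the client's MSS.

    Modern stacks set DF on TCP segments, so a segment larger than the
    tunnel MTU depends on ICMP getting back to the server.
    """
    mss = tcp_mss(client_iface_mtu)
    segment_ip_len = min(response_bytes, mss) + IP_HDR + TCP_HDR
    return deliver(segment_ip_len, path_mtu, df=True,
                   icmp_reaches_sender=icmp_reaches_sender)


if __name__ == "__main__":
    tunnel_mtu = pptp_inner_mtu(1500)     # 1460 under the assumptions above
    print(f"PPP payload that fits a 1500-byte outer packet: {tunnel_mtu}")
    # Constructed scenario: the firewall drops ICMP, so PMTUD cannot work.
    for label, resp, mtu in (("small page, MTU 1500", 800, 1500),
                             ("large page, MTU 1500", 60000, 1500),
                             ("large page, MTU 1440", 60000, 1440)):
        print(f"{label:24s} mss={tcp_mss(mtu)} -> "
              f"{page_load_outcome(resp, mtu, tunnel_mtu, False)}")
```

With the client negotiating a 1500-byte MTU over the PPP link, responses that fit in one small segment arrive while anything full-sized is silently dropped, which is exactly the "CNN loads, news.google doesn't" pattern and why nothing shows up in the ipfw deny log. Lowering the link MTU to 1440 caps the client's advertised MSS at 1400, so every server segment fits inside the tunnel and PMTUD is never needed.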