Date:      Sat, 10 May 2003 10:22:40 -0400
From:      Chris BeHanna <behanna@zbzoom.net>
To:        FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: Down the MPD road
Message-ID:  <200305101022.40307.behanna@zbzoom.net>
In-Reply-To: <200305100617.44245.metrol@metrol.net>
References:  <200305100617.44245.metrol@metrol.net>

On Saturday 10 May 2003 09:17, Michael Collette wrote:
> Well, after working through the various options it looked like MPD would be
> my best bet here.  I've got it sort of working, but there's obviously some
> tweak I'm missing here.
>
> Recap of the scenario:
>   Full class C of static IPs segmented into 3 networks.  Outside, DMZ,
> Inside. Trying to get remote Windows users through securely to the Inside.
> Remote users have dynamic IPs.
>
> What's working:
>   MPD is running, and authenticating my test XP box via PPTP.  No
> certificates or any IPSec involved here.
>   I can hit boxes on the Inside really solid now.
>
> The probs:
>   Apparently PPTP actually puts the remote machine IN the target network.
> Sorry, I'm still pretty green on this PPTP stuff.  Works a good bit
> different than IPSec.  Anyhow, once the remote box is connected all the
> connections to the rest of the Internet are now coming from behind the
> firewall.  That'd be cool if it worked reliably.
>   While connected, when I attempt to browse around the public Internet some
> pages just don't load, where others do.  No rhyme or reason, and nothing
> showing up in my logging of all denied packets via ipfw.  For example, I
> can hit CNN without a problem, then when I try news.google it never loads a
> page. I can hit the main Yahoo page, but any of their other sites won't go.
> Really odd.

    Here is where we descend into Windows-bashing.  For some STUPID
reason, when a Windows box connects to a VPN via PPTP, the Windows
box's default route is adjusted to go through the VPN connection.
This is fortunately fixable (Windows has a ROUTE command), but it
requires your users to have half a clue:

    rem Windows "route" syntax: the gateway address follows the mask directly
    rem ("gateway" is not a keyword).  Drop the default route the PPTP
    rem connection installed, restore the ISP default, and send only the
    rem Inside network down the tunnel.
    route delete 0.0.0.0
    route add 0.0.0.0 mask 0.0.0.0 <ISP gateway> metric 1
    route add <InsideNetwork> mask <InsideMask> <far end of VPN tunnel> metric 1

> I'm not sure if I've got an ipfw or mpd problem at this point.  I've tried
> a dozen different ways to open up ipfw a LOT while still keeping it
> reasonably closed.  This thing is in production and all.  If it'd help,
> I'll post the relevant rule list here.

    That would help, undoubtedly.  One thing that I did (using my
FreeBSD box as an mpd client to a Windows RAS box) was this:

    ${fwcmd} add check-state
    ${fwcmd} add pass all from any to ${vpnbox} keep-state

That made it possible for me to VPN in from FreeBSD.  You may need to
add some similar stateful rule for the other direction, so that all
packets destined to the outbound machines are just let through, period
(because you don't know their IP addresses in advance).  That may be
too wide open; someone else can comment.

    Another thing you could try is to explicitly pass all out over ng0.

> [...mpd config...]

    I didn't see anything glaringly obviously wrong there.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
                 Turning coffee into software since 1990.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200305101022.40307.behanna>