From owner-freebsd-security@FreeBSD.ORG Sat May 10 08:01:45 2003
From: Peter Pentchev
To: Chris BeHanna
Cc: FreeBSD Security
Subject: Re: Down the MPD road
Date: Sat, 10 May 2003 17:59:15 +0300
Message-ID: <20030510145915.GB79233@straylight.oblivion.bg>
In-Reply-To: <200305101022.40307.behanna@zbzoom.net>
References: <200305100617.44245.metrol@metrol.net> <200305101022.40307.behanna@zbzoom.net>
User-Agent: Mutt/1.5.4i
List-Id: Security issues [members-only posting]

On Sat, May 10, 2003 at 10:22:40AM -0400, Chris BeHanna wrote:
> On Saturday 10 May 2003 09:17, Michael Collette wrote:
> > Well, after working through the various options it looked like MPD would be
> > my best bet here.
> > I've got it sort of working, but there's obviously some
> > tweaky I'm missing here.
> >
> > Recap of the scenario:
> > Full class C of static IPs segmented into 3 networks. Outside, DMZ,
> > Inside. Trying to get remote Windows users through securely to the Inside.
> > Remote users have dynamic IPs.
> >
> > What's working:
> > MPD is running, and authenticating my test XP box via PPTP. No
> > certificates or any IPSec involved here.
> > I can hit boxes on the Inside really solid now.
> >
> > The probs:
> > Apparently PPTP actually puts the remote machine IN the target network.
> > Sorry, I'm still pretty green on this PPTP stuff. Works a good bit
> > different than IPSec. Anyhow, once the remote box is connected all the
> > connections to the rest of the Internet are now coming from behind the
> > firewall. That'd be cool if it worked reliably.
> > While connected, when I attempt to browse around the public Internet some
> > pages just don't load, where others do. No rhyme or reason, and nothing
> > showing up in my logging of all denied packets via ipfw. For example, I
> > can hit CNN without a problem, then when I try news.google it never loads a
> > page. I can hit the main Yahoo page, but any of their other sites won't go.
> > Really odd.
>
> Here is where we descend into Windows-bashing. For some STUPID
> reason, when a Windows box connects to a VPN via PPTP, the Windows
> box's default route is adjusted to go through the VPN connection.
> This is fortunately fixable (Windows has a ROUTE command), but it
> requires your users to have half a clue:
>
> route delete 0.0.0.0
> route add 0.0.0.0 mask 0.0.0.0 gateway metric 1
> route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN
> tunnel] metric 1

I cannot test this right now, so it is quite probable that you are right,
but couldn't this be controlled by the Properties >> Networking >>
Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
Use default gateway on remote network?

Granted, that's a hell of a place to bury a little checkbox, but could
this possibly help? :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.
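An added example, not part of the thread: on a current Windows client the same "Use default gateway on remote network" checkbox is exposed to PowerShell as the VPN connection's SplitTunneling property (VpnClient module, Windows 8 and later), and the per-network route Chris adds by hand with ROUTE can be bound to the connection so it is installed on every dial instead of typed by the user. The connection name "Office-PPTP" and the inside prefix 192.0.2.0/24 are assumed placeholders.

```powershell
# Added example (not from the thread). Assumes a VPN connection named
# "Office-PPTP" already exists in the user's phonebook and that the
# Inside network is 192.0.2.0/24; both are placeholders.
$ConnName     = "Office-PPTP"
$InsidePrefix = "192.0.2.0/24"

# Inspect the current setting. SplitTunneling = False is the same state
# as the checkbox being ticked: the client's default route moves into
# the tunnel as soon as the connection comes up.
$conn = Get-VpnConnection -Name $ConnName -ErrorAction Stop
"{0}: SplitTunneling={1}, TunnelType={2}" -f $conn.Name, $conn.SplitTunneling, $conn.TunnelType

if (-not $conn.SplitTunneling) {
    # Untick the checkbox: Internet traffic keeps using the local default
    # gateway; only routes bound to the connection go through the tunnel.
    Set-VpnConnection -Name $ConnName -SplitTunneling $true
}

# Persistent equivalent of "route add [InsideNetwork] mask [InsideMask]
# gateway [far end of VPN tunnel]": the route is added when the connection
# dials and removed when it drops. The next hop is the tunnel endpoint,
# so no gateway argument is needed.
$existing = Get-VpnConnectionRoute -ConnectionName $ConnName |
            Where-Object DestinationPrefix -eq $InsidePrefix
if (-not $existing) {
    Add-VpnConnectionRoute -ConnectionName $ConnName -DestinationPrefix $InsidePrefix
}

# Verify which prefixes will be routed through the tunnel.
Get-VpnConnectionRoute -ConnectionName $ConnName | Format-Table DestinationPrefix, RouteMetric
```

With split tunneling enabled the client reaches the Inside network over the tunnel while the rest of its traffic bypasses the firewall, which is exactly the trade-off the full-tunnel default avoids, so the choice belongs in the VPN policy rather than with each user.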