From owner-freebsd-security@FreeBSD.ORG Mon Jun 30 11:02:55 2003
Date: Mon, 30 Jun 2003 11:02:50 -0700 (PDT)
Message-Id: <200306301802.h5UI2o9k084077@freefall.freebsd.org>
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon Jun 30 19:12:21 2003
Date: Mon, 30 Jun 2003 19:12:04 -0700
From: Koroush Saraf <koroush.saraf@lmco.com>
To: freebsd-security@freebsd.org
Message-id: <006c01c33f76$2a480680$04f4c581@BSDWIN2KKOROUSH>
Subject: Fw: VPN setup problem - proxy arp I think

Hi all,

I read the setup at http://www.blackh0le.net/articles/vpn-dun-howto.html to
set up my VPN. However, I'm having a problem which I think is proxy-ARP not
working. I'd like to ask you to see if you know what's going on. When I
ping 10.77.1.1 from the Windows XP machine the packets get to the 10.77.1.1
machine, but they don't have a return path to get back. When I ping the
Windows machine from 10.77.1.1 I get:

    ping: sendto: Host is down

When I add a static route to 10.77.1.1 the machines can talk to each other.
(route add 10.77.1.50/32 10.77.1.2)
But I don't think I need to set up a static route if Proxy ARP worked!

I've included my config files in this email.
Please note that I get a message back saying
"[pptp1] no interface to proxy arp on for 10.77.1.50". Could this be my
problem? How can I fix it?

Thanks very much,
~koroush

=========================

My network looks as follows:

Freebsd 4.6
IP 10.77.1.1/24
    |
    |
fxp0: 10.77.1.2/24
Freebsd 4.8 (DELL2) (only 1 network card)
ng0: 10.77.13
    |
    |
Windows XP machine with tunnel.
10.77.1.50

==================
Config files for Dell 2:

DELL2# ifconfig -a
fxp0: flags=8843 mtu 1500
        inet 129.197.244.10 netmask 0xfffffff0 broadcast 129.197.244.15
        inet 10.0.0.249 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.77.1.2 netmask 0xffffff00 broadcast 10.77.1.255
        inet 10.77.2.2 netmask 0xffffff00 broadcast 10.77.2.255
        inet 10.77.3.2 netmask 0xffffff00 broadcast 10.77.3.255
        inet 10.77.4.2 netmask 0xffffff00 broadcast 10.77.4.255
        inet 10.77.5.2 netmask 0xffffff00 broadcast 10.77.5.255
        ether 00:07:e9:87:ca:4f
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008 mtu 16384
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500
ng0: flags=88d1 mtu 1256
        inet 10.77.1.2 --> 10.77.1.50 netmask 0xffffffff
ng1: flags=8890 mtu 1500
ng2: flags=8890 mtu 1500
ng3: flags=8890 mtu 1500
ng4: flags=8890 mtu 1500

===============

DELL2# pwd
/usr/local/etc/mpd
DELL2# cat mpd.conf
default:
        load client1
        load client2
        load client3
        load client4
        load client5

pptp_common_settings:
        set link type pptp
        set pptp enable incoming
        set pptp disable originate
        set iface disable on-demand
        set iface enable proxy-arp
#       set iface idle 1800
        set bundle enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
#       set link keep-alive 10 60
        set link mtu 1260
        set ipcp yes vjcomp
#       set ipcp ranges 10.77.1.1/32 10.77.1.50/32
#       set ipcp dns 10.77.1.1
#       set ipcp nbns 10.77.1.1
        set bundle enable compression
        set ccp yes mppc
        set ccp yes mpp-e40
#       set ccp yes mpp-e128
        set ccp yes mpp-stateless

client1:
        new -i ng0 pptp1 pptp1
        set ipcp range 10.77.1.2/24 10.77.1.50/24
        load pptp_common_settings

client2:
        new -i ng1 pptp2 pptp2
        set ipcp range 10.77.2.2/32 10.77.2.50/32
        load pptp_common_settings

client3:
        new -i ng2 pptp3 pptp3
        set ipcp range 10.77.3.3/32 10.77.3.50/32
        load pptp_common_settings

client4:
        new -i ng3 pptp4 pptp4
        set ipcp range 10.77.4.3/32 10.77.4.50/32
        load pptp_common_settings

client5:
        new -i ng4 pptp5 pptp5
        set ipcp range 10.77.5.3/32 10.77.5.50/32
        load pptp_common_settings
DELL2#

=====================

DELL2# cat mpd.secret
demo1   "demo1"   10.77.1.50/24
demo2   "demo2"   10.77.2.50/24
demo3   "demo3"   10.77.3.50/24
demo4   "demo4"   10.77.4.50/24
demo5   "demo5"   10.77.5.50/24

======== RUN TIME ========

DELL2# mdp default
mdp: Command not found.
DELL2# mpd default
Multi-link PPP for FreeBSD, by Archie L. Cobbs.
Based on iij-ppp, by Toshiharu OHNO.
mpd: pid 281, version 3.13 (root@DELL2.lmms.lmco.com 09:44 23-Jun-2003)
[pptp1] ppp node is "mpd281-pptp1"
mpd: local IP address for PPTP is 129.197.244.10
[pptp1] using interface ng0
[pptp1] device type already set to pptp
[pptp2] ppp node is "mpd281-pptp2"
[pptp2] using interface ng1
[pptp2] device type already set to pptp
[pptp3] ppp node is "mpd281-pptp3"
[pptp3] using interface ng2
[pptp3] device type already set to pptp
[pptp4] ppp node is "mpd281-pptp4"
[pptp4] using interface ng3
[pptp4] device type already set to pptp
[pptp5] ppp node is "mpd281-pptp5"
[pptp5] using interface ng4
[pptp5] device type already set to pptp
[pptp5:pptp5]
mpd: PPTP connection from 129.197.244.12:1127
pptp0: attached to connection with 129.197.244.12:1127
[pptp1] IFACE: Open event
[pptp1] IPCP: Open event
[pptp1] IPCP: state change Initial --> Starting
[pptp1] IPCP: LayerStart
[pptp1] IPCP: Open event
[pptp1] bundle: OPEN event in state CLOSED
[pptp1] opening link "pptp1"...
[pptp1] link: OPEN event
[pptp1] LCP: Open event
[pptp1] LCP: state change Initial --> Starting
[pptp1] LCP: LayerStart
[pptp1] device: OPEN event in state DOWN
[pptp1] attaching to peer's outgoing call
[pptp1] device is now in state OPENING
[pptp1] device: UP event in state OPENING
[pptp1] device is now in state UP
[pptp1] link: UP event
[pptp1] link: origination is remote
[pptp1] LCP: Up event
[pptp1] LCP: state change Starting --> Req-Sent
[pptp1] LCP: phase shift DEAD --> ESTABLISH
[pptp1] LCP: SendConfigReq #1
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 07 e9 87 ca 4f
pptp0-0: ignoring SetLinkInfo
[pptp1] LCP: rec'd Configure Request #0 link 0 (Req-Sent)
 MRU 1400
 MAGICNUM 4d905023
 PROTOCOMP
 ACFCOMP
 CALLBACK Not supported
[pptp1] LCP: SendConfigRej #0
 CALLBACK
[pptp1] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
 MRU 1400
 MAGICNUM 4d905023
 PROTOCOMP
 ACFCOMP
[pptp1] LCP: SendConfigAck #1
 MRU 1400
 MAGICNUM 4d905023
 PROTOCOMP
 ACFCOMP
[pptp1] LCP: state change Req-Sent --> Ack-Sent
[pptp1] LCP: SendConfigReq #2
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 07 e9 87 ca 4f
[pptp1] LCP: rec'd Configure Reject #2 link 0 (Ack-Sent)
 MP MRRU 1600
 MP SHORTSEQ
 ENDPOINTDISC [802.1] 00 07 e9 87 ca 4f
[pptp1] LCP: SendConfigReq #3
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
[pptp1] LCP: rec'd Configure Ack #3 link 0 (Ack-Sent)
 ACFCOMP
 PROTOCOMP
 MRU 1500
 MAGICNUM 5611757b
 AUTHPROTO CHAP MSOFTv2
[pptp1] LCP: state change Ack-Sent --> Opened
[pptp1] LCP: phase shift ESTABLISH --> AUTHENTICATE
[pptp1] LCP: auth: peer wants nothing, I want CHAP
[pptp1] CHAP: sending CHALLENGE
[pptp1] LCP: LayerUp
[pptp1] LCP: rec'd Ident #2 link 0 (Opened)
 MESG: MSRASV5.10
pptp0-0: ignoring SetLinkInfo
[pptp1] LCP: rec'd Ident #3 link 0 (Opened)
 MESG: MSRAS-1-DELL4
[pptp1] CHAP: rec'd RESPONSE #1
 Name: "demo1"
 Peer name: "demo1"
 Response is valid
[pptp1] CHAP: sending SUCCESS
[pptp1] LCP: authorization successful
[pptp1] LCP: phase shift AUTHENTICATE --> NETWORK
[pptp1] setting interface ng0 MTU to 1260 bytes
[pptp1] up: 1 link, total bandwidth 64000 bps
[pptp1] IPCP: Up event
[pptp1] IPCP: state change Starting --> Req-Sent
[pptp1] IPCP: SendConfigReq #1
 IPADDR 10.77.1.2
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp1] CCP: Open event
[pptp1] CCP: state change Initial --> Starting
[pptp1] CCP: LayerStart
[pptp1] CCP: Up event
[pptp1] CCP: state change Starting --> Req-Sent
[pptp1] CCP: SendConfigReq #1
 MPPC 0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
 MPPC 0x01000001: MPPC
[pptp1] CCP: SendConfigNak #4
 MPPC 0x01000020: MPPE, 40 bit, stateless
[pptp1] IPCP: rec'd Configure Request #5 link 0 (Req-Sent)
 IPADDR 0.0.0.0
   NAKing with 10.77.1.50
 PRIDNS 0.0.0.0
 PRINBNS 0.0.0.0
 SECDNS 0.0.0.0
 SECNBNS 0.0.0.0
[pptp1] IPCP: SendConfigRej #5
 PRIDNS 0.0.0.0
 PRINBNS 0.0.0.0
 SECDNS 0.0.0.0
 SECNBNS 0.0.0.0
[pptp1] IPCP: rec'd Configure Reject #1 link 0 (Req-Sent)
 COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
[pptp1] IPCP: SendConfigReq #2
 IPADDR 10.77.1.2
[pptp1] CCP: rec'd Configure Ack #1 link 0 (Req-Sent)
 MPPC 0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: state change Req-Sent --> Ack-Rcvd
[pptp1] CCP: rec'd Configure Request #6 link 0 (Ack-Rcvd)
 MPPC 0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: SendConfigAck #6
 MPPC 0x01000020: MPPE, 40 bit, stateless
[pptp1] CCP: state change Ack-Rcvd --> Opened
[pptp1] CCP: LayerUp
 Compress using: MPPE, 40 bit, stateless
 Decompress using: MPPE, 40 bit, stateless
[pptp1] setting interface ng0 MTU to 1256 bytes
[pptp1] IPCP: rec'd Configure Request #7 link 0 (Req-Sent)
 IPADDR 0.0.0.0
   NAKing with 10.77.1.50
[pptp1] IPCP: SendConfigNak #7
 IPADDR 10.77.1.50
[pptp1] IPCP: rec'd Configure Ack #2 link 0 (Req-Sent)
 IPADDR 10.77.1.2
[pptp1] IPCP: state change Req-Sent --> Ack-Rcvd
[pptp1] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)
 IPADDR 10.77.1.50
   10.77.1.50 is OK
[pptp1] IPCP: SendConfigAck #8
 IPADDR 10.77.1.50
[pptp1] IPCP: state change Ack-Rcvd --> Opened
[pptp1] IPCP: LayerUp
 10.77.1.2 -> 10.77.1.50
[pptp1] IFACE: Up event
[pptp1] setting interface ng0 MTU to 1256 bytes
[pptp1] exec: /sbin/ifconfig ng0 10.77.1.2 10.77.1.50 netmask 0xffffffff -link0
[pptp1] no interface to proxy arp on for 10.77.1.50
[pptp1] exec: /sbin/route add 10.77.1.2 -iface lo0
[pptp1] IFACE: Up event

From owner-freebsd-security@FreeBSD.ORG Tue Jul 1 02:22:39 2003
Date: Tue, 01 Jul 2003 11:22:36 +0200
From: Richard Nyberg <rnyberg@it.su.se>
To: security@FreeBSD.org
Subject: pam_krb5 and xdm

pam_krb5 works perfectly with login(1), i.e. I can log in and I get a TGT.
With xdm however, I can still log in with my kerberos pass, but I don't get
the TGT :(

-Richard

From owner-freebsd-security@FreeBSD.ORG Tue Jul 1 04:32:52 2003
Date: Tue, 1 Jul 2003 14:32:54 +0300
From: Tarmo Renter <tarmo@momentor.ee>
To: freebsd-security@freebsd.org
Message-Id: <200307011432.54750.tarmo@momentor.ee>
Subject: tcp 22 > tcp 22
Hi,

I spotted today the following line in my FreeBSD 4.6.2-RELEASE IPFIREWALL
log:

Jul 1 13:34:35 fbsd /kernel: ipfw: 1400 Accept TCP xxxxxx:22 yyyyy:22 in via ed1

where xxxxxx is the attacker's IP and yyyyy is my box.

But in the sshd log, there are no traces left behind by this connection.
Normally, there is "Did not receive identification string from xxx" etc.
when somebody tries to scan the SSH port.

Also, as you can see, the connection is made from port 22 to port 22, which
is odd. Is this some kind of SYN packet trick, and how come no I/O to sshd
is made?

sshd -v shows:
sshd version OpenSSH_3.4p1 FreeBSD-20020702

---
Regards,
Tarmo Renter

From owner-freebsd-security@FreeBSD.ORG Tue Jul 1 17:28:04 2003
Date: Tue, 1 Jul 2003 17:24:31 -0700
From: Michael Collette <metrol@metrol.net>
To: Koroush Saraf
cc: FreeBSD Security
References: <006c01c33f76$2a480680$04f4c581@BSDWIN2KKOROUSH>
In-Reply-To: <006c01c33f76$2a480680$04f4c581@BSDWIN2KKOROUSH>
Message-Id: <200307011724.31009.metrol@metrol.net>
Subject: Re: Fw: VPN setup problem - proxy arp I think
Koroush,

Couple of notes included within your config. A few comments to follow,
along with a version of my working mpd.conf file. Moving along....

On Monday 30 June 2003 07:12 pm, Koroush Saraf wrote:
> Hi all,
>
> I read the setup at http://www.blackh0le.net/articles/vpn-dun-howto.html to
> setup my VPN. However, I'm having a problem which I think is proxy-ARP not
> working. I like to ask you to see if you know what's going on. When I
> ping 10.77.1.1 from windows XP machine the packets get to the 10.77.1.1
> machine, but they don't have a return path to get back. When I do ping the
> windows machine from 10.77.1.1 I get: ping: sendto: Host is down
>
> When I add static route to 10.77.1.1 the machines can talk to each other.
> (route add 10.77.1.50/32 10.77.1.2)
> But I don't think I need to setup a static route if Proxy ARP worked!
>
> I've included my config files in this email. Please note that the I get a
> message back saying "[pptp1] no interface to proxy arp on for 10.77.1.50"
> could this be my problem? how can I fix it? Thanks very much,
> ~koroush

A couple of points I don't believe the article in question addresses.

First off, several folks on this list and around web sites recommended
changes to the MTU. Usually the recommendation was to increase it to larger
than 1400. This can no longer be done. XP will not recognize anything above
1400, and making it smaller fixes nothing.

You should not need to add any static routing information to the IP stack
of either the FreeBSD box or the Windows one. Both MPD and PPTP handle the
routing issues for you. Leave each box pointing to their usual default
gateway. The way this works is that when the PPTP client connects to MPD it
is actually given an IP address within the secure segment of your network.
Packets route through MPD rather than through the normal IP stack.

It is REALLY important that you find the setting in Windows to turn off
"Use remote gateway by default" in the PPTP properties. This is on by
default, and will cause you problems. Also be sure to turn off software
compression in the PPTP properties. Even if turned on in MPD it will not
work, and will very likely mess up your connection.

> =========================
>
> My network looks as follows
>
> Freebsd 4.6
> IP 10.77.1.1/24
>     |
>     |
> fxp0:10.77.1.2/24
> Freebsd 4.8 (DELL2) (only 1 network card)
> ng0: 10.77.13
>     |
>     |
> Windows XP machine with tunnel.
> 10.77.1.50
>
> ==================
> Config files for Dell 2:
> DELL2# ifconfig -a
> fxp0: flags=8843 mtu 1500
>         inet 129.197.244.10 netmask 0xfffffff0 broadcast 129.197.244.15
>         inet 10.0.0.249 netmask 0xffffff00 broadcast 10.0.0.255
>         inet 10.77.1.2 netmask 0xffffff00 broadcast 10.77.1.255
>         inet 10.77.2.2 netmask 0xffffff00 broadcast 10.77.2.255
>         inet 10.77.3.2 netmask 0xffffff00 broadcast 10.77.3.255
>         inet 10.77.4.2 netmask 0xffffff00 broadcast 10.77.4.255
>         inet 10.77.5.2 netmask 0xffffff00 broadcast 10.77.5.255
>         ether 00:07:e9:87:ca:4f
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lp0: flags=8810 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> lo1: flags=8008 mtu 16384
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
> ng0: flags=88d1 mtu 1256
>         inet 10.77.1.2 --> 10.77.1.50 netmask 0xffffffff
> ng1: flags=8890 mtu 1500
> ng2: flags=8890 mtu 1500
> ng3: flags=8890 mtu 1500
> ng4: flags=8890 mtu 1500
>
> ===============
>
> DELL2# pwd
> /usr/local/etc/mpd
> DELL2# cat mpd.conf
> default:
>         load client1
>         load client2
>         load client3
>         load client4
>         load client5
>
> pptp_common_settings:
>         set link type pptp
>         set pptp enable incoming
>         set pptp disable originate
>         set iface disable on-demand
>         set iface enable proxy-arp
> #       set iface idle 1800
>         set bundle enable multilink
>         set link yes acfcomp protocomp
>         set link no pap chap
>         set link enable chap
> #       set link keep-alive 10 60
>         set link mtu 1260

As stated, the max XP MTU is 1400. Use it. 1260 is too darn small for a
reasonably fast connection.

>         set ipcp yes vjcomp
> #       set ipcp ranges 10.77.1.1/32 10.77.1.50/32
> #       set ipcp dns 10.77.1.1
> #       set ipcp nbns 10.77.1.1
>         set bundle enable compression
>         set ccp yes mppc
>         set ccp yes mpp-e40
> #       set ccp yes mpp-e128

Turn off the 40, turn on the 128. Only Windows 98 and older need 40-bit
encryption. For older versions of Windows you just need to download the
latest DUN. I believe it's at 1.4. It is still very much available from the
Microsoft web site.

>         set ccp yes mpp-stateless
>
> client1:
>         new -i ng0 pptp1 pptp1
>         set ipcp range 10.77.1.2/24 10.77.1.50/24
>         load pptp_common_settings

And now my mpd.conf. The first 3 octets replaced with x.x.x for security
reasons. The 254 address is my secure interface port. I've only shown 2
clients here, though my config actually has over 20. Figured this would be
enough for you to get the gist of things.

==========================================================================
default:
        load client00
        load client01

client00:
        new -i ng0 pptp0 pptp0
        set ipcp ranges x.x.x.254/32 x.x.x.210/25
        load clientStandard

client01:
        new -i ng1 pptp1 pptp1
        set ipcp ranges x.x.x.254/32 x.x.x.211/25
        load clientStandard

clientStandard:
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 3600
        set iface mtu 1400
        set bundle disable multilink
        set bundle enable compression
        set bundle yes crypt-reqd
        set link mtu 1400
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set link yes acfcomp protocomp
        set ipcp dns x.x.x.253
        set ipcp nbns x.x.x.253
        set ipcp yes vjcomp
        set ccp yes mppc
#       set ccp yes mpp-e40
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        set ccp enable mpp-compress
==========================================================================

Yes, I know some of this goes against some of my earlier advice. This is
pretty much where I just stopped tweaking on the darn thing. This config
file does work, as I have outside users coming through it every day now.

Gotta love a world with FreeBSD in it! :)

Let me know how it goes!

Later on,
--
"Always listen to experts. They'll tell you what can't be done, and why.
Then do it."
- Robert A. Heinlein

From owner-freebsd-security@FreeBSD.ORG Wed Jul 2 00:19:34 2003
Date: Wed, 2 Jul 2003 11:19:23 +0400
From: "Nikolaj I. Potanin" <nikolaj@drweb.ru>
Organization: ID Anti-Virus Lab (SalD Ltd)
To: freebsd-security@freebsd.org
Message-ID: <1881663278.20030702111923@drweb.ru>
In-Reply-To: <200307011432.54750.tarmo@momentor.ee>
References: <200307011432.54750.tarmo@momentor.ee>
Subject: Re: tcp 22 > tcp 22

> Jul 1 13:34:35 fbsd /kernel: ipfw: 1400 Accept TCP xxxxxx:22 yyyyy:22 in via
> ed1
> where xxxxxx is the attacker's IP and yyyyy is my box.

> Also, as you can see, the connection is made from port 22 to port 22, which is
> odd.
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22441 - maybe
this could explain your case?

--
Nikolaj I. Potanin, SA                    http://www.drweb.ru
ID Anti-Virus Lab (SalD Ltd)              nikolaj@drweb.ru
St. Petersburg, Russia                    ph.: +7-812-3888624
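The "tcp 22 > tcp 22" question above is a log-triage problem: the firewall accepted an inbound TCP segment to port 22 whose source port was also 22, yet sshd logged nothing from that source. The script below is an added example and was not posted in the thread. It parses ipfw log lines in the format Tarmo quoted, flags inbound SSH flows whose source port equals the destination port, and cross-checks each accepted flow against the sshd log within a short window, so that flows that never produced any sshd entry (a handshake that did not complete, which is what a probe sent from a fixed source port commonly looks like) are reported together. A stateless rule that passes traffic by source port is exactly what such a segment is aimed at, so rule 1400 is the thing to read alongside this output. The log lines, hostnames, addresses, the 60-second window and the year 2003 supplied for syslog timestamps are all constructed assumptions.

```python
# Added example (not from the list thread): triage ipfw "Accept" log lines for
# inbound SSH flows, flag the port-22-to-port-22 pattern, and cross-check each
# flow against the sshd log. All log lines are constructed samples; hostnames,
# addresses and the year 2003 (syslog omits the year) are assumptions.
import re
from datetime import datetime

IPFW_LOG = """\
Jul  1 13:34:35 fbsd /kernel: ipfw: 1400 Accept TCP 192.0.2.10:22 198.51.100.5:22 in via ed1
Jul  1 13:40:02 fbsd /kernel: ipfw: 1400 Accept TCP 192.0.2.77:51234 198.51.100.5:22 in via ed1
Jul  1 13:41:10 fbsd /kernel: ipfw: 1400 Accept TCP 192.0.2.10:22 198.51.100.5:22 in via ed1
Jul  1 13:42:00 fbsd /kernel: ipfw: 1400 Accept TCP 192.0.2.10:22 198.51.100.5:80 in via ed1
"""

SSHD_LOG = """\
Jul  1 13:40:03 fbsd sshd[4711]: Did not receive identification string from 192.0.2.77
"""

# syslog prefix: "Mon  D HH:MM:SS host "
SYSLOG_TS = r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<clock>\d\d:\d\d:\d\d)\s+\S+\s+"
IPFW_RE = re.compile(
    SYSLOG_TS
    + r"/kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    + r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    + r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
SSHD_RE = re.compile(SYSLOG_TS + r"sshd\[\d+\]: .*\bfrom (?P<ip>[\d.]+)")


def syslog_time(m, year):
    """Build a datetime from a syslog prefix match; the year must be supplied."""
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['clock']}",
                             "%Y %b %d %H:%M:%S")


def parse_ipfw(text, year=2003):
    """One dict per ipfw log line; ports and rule number as ints, time as datetime."""
    flows = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("rule", "sport", "dport"):
                d[k] = int(d[k])
            d["time"] = syslog_time(m, year)
            flows.append(d)
    return flows


def parse_sshd_sources(text, year=2003):
    """(time, source IP) for every sshd line that names a remote address."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append((syslog_time(m, year), m["ip"]))
    return events


def triage(ipfw_text, sshd_text, service_port=22, window_s=60, year=2003):
    """Report accepted inbound flows to service_port that look like probes:
    same source and destination port, and/or no sshd entry from that source
    within window_s seconds of the firewall accepting the segment."""
    sshd = parse_sshd_sources(sshd_text, year)
    findings = []
    for f in parse_ipfw(ipfw_text, year):
        if not (f["action"] == "Accept" and f["dir"] == "in"
                and f["proto"] == "TCP" and f["dport"] == service_port):
            continue
        reasons = []
        if f["sport"] == f["dport"]:
            reasons.append("source port equals destination port")
        seen = any(ip == f["src"] and 0 <= (t - f["time"]).total_seconds() <= window_s
                   for t, ip in sshd)
        if not seen:
            reasons.append(f"no sshd entry from this source within {window_s}s")
        if reasons:
            findings.append({"time": f["time"].isoformat(), "src": f["src"],
                             "sport": f["sport"], "rule": f["rule"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(IPFW_LOG, SSHD_LOG):
        print(hit["time"], hit["src"], hit["sport"], "rule", hit["rule"],
              "; ".join(hit["reasons"]))
```

On the sample data the two port-22-to-port-22 segments from 192.0.2.10 are reported with both reasons, while the ordinary client 192.0.2.77 (random high source port, sshd logged it one second later) is not. Feed it real `/var/log/security` and `/var/log/auth.log` extracts and widen the window if sshd logging is delayed.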
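Back on the mpd proxy-ARP thread (Koroush's "no interface to proxy arp on for 10.77.1.50" and Michael's reply): mpd's proxy-arp option works by publishing an ARP entry for the peer's tunnel address on a LAN interface whose subnet contains that address, so that LAN hosts such as 10.77.1.1 resolve 10.77.1.50 to the FreeBSD box's MAC and the return path exists without a static route; the log line says mpd's own search found no such interface. The script below is an added example, not mpd's code and not from the thread. It parses `ifconfig -a` output in the FreeBSD 4.x format posted, lists the up, broadcast-capable Ethernet interfaces whose subnet covers the peer (point-to-point and loopback interfaces are skipped, since nothing ARPs on them), shows the published-entry command such a setup needs, and parses `arp -an` output to confirm which addresses the host is currently answering ARP for. The `arp -s ... pub` command form, the `arp -an` sample and the trimmed ifconfig sample are assumptions; mpd runs its own equivalent.

```python
# Added example (not from the list thread, not mpd's own code): find which local
# Ethernet interface a proxy-ARP entry for a PPTP peer could be published on,
# from `ifconfig -a` output in the FreeBSD 4.x format shown in the thread, and
# read back published entries from `arp -an`. The ifconfig text is a trimmed
# copy of the DELL2 output posted; the arp text is constructed.
import ipaddress
import re

SAMPLE_IFCONFIG = """\
fxp0: flags=8843 mtu 1500
        inet 129.197.244.10 netmask 0xfffffff0 broadcast 129.197.244.15
        inet 10.0.0.249 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.77.1.2 netmask 0xffffff00 broadcast 10.77.1.255
        inet 10.77.2.2 netmask 0xffffff00 broadcast 10.77.2.255
        ether 00:07:e9:87:ca:4f
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ng0: flags=88d1 mtu 1256
        inet 10.77.1.2 --> 10.77.1.50 netmask 0xffffffff
ng1: flags=8890 mtu 1500
"""

# Constructed `arp -an` output as it might look once the entry is published
# (the "on <iface>" column is absent on older releases, so it is optional below).
SAMPLE_ARP = """\
? (10.77.1.1) at 00:00:5e:00:53:01 on fxp0 [ethernet]
? (10.77.1.50) at 00:07:e9:87:ca:4f on fxp0 permanent published [ethernet]
"""

# FreeBSD if.h flag bits, i.e. the hex value after "flags=" in ifconfig output
IFF_UP, IFF_BROADCAST, IFF_POINTOPOINT = 0x1, 0x2, 0x10

IFACE_RE = re.compile(r"^(\w+): flags=([0-9a-f]+)")
INET_RE = re.compile(r"^\s+inet (\S+)(?: --> \S+)? netmask (0x[0-9a-f]{8})")
ETHER_RE = re.compile(r"^\s+ether (\S+)")
ARP_RE = re.compile(r"^\S+ \(([\d.]+)\) at (\S+)(?: on (\S+))?(.*)$")


def parse_ifconfig(text):
    """Map interface name -> flags, MAC address and configured IPv4 subnets."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"flags": int(m.group(2), 16), "ether": None, "nets": []}
            ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = INET_RE.match(line)
        if m:
            mask = ipaddress.IPv4Address(int(m.group(2), 16))  # 0xffffff00 -> 255.255.255.0
            cur["nets"].append(ipaddress.IPv4Interface(f"{m.group(1)}/{mask}"))
            continue
        m = ETHER_RE.match(line)
        if m:
            cur["ether"] = m.group(1)
    return ifaces


def proxy_arp_candidates(ifaces, peer):
    """Up, broadcast-capable Ethernet interfaces whose subnet contains peer.
    Point-to-point and loopback interfaces are skipped: nothing ARPs on them."""
    peer = ipaddress.IPv4Address(peer)
    found = []
    for name, info in ifaces.items():
        flags = info["flags"]
        if not flags & IFF_UP or flags & IFF_POINTOPOINT or not flags & IFF_BROADCAST:
            continue
        if info["ether"] is None:
            continue
        for net in info["nets"]:
            if peer in net.network and peer != net.ip:
                found.append((name, str(net), info["ether"]))
    return found


def proxy_arp_command(peer, candidates):
    """The published ARP entry a proxy-ARP setup needs on the chosen interface.
    Assumed command form (arp -s <peer> <mac> pub); mpd runs its own equivalent."""
    if not candidates:
        return None
    _name, _net, mac = candidates[0]
    return f"arp -s {peer} {mac} pub"


def published_entries(arp_text):
    """Addresses this host answers ARP for on behalf of someone else:
    address -> (MAC, interface or None)."""
    out = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m and "published" in m.group(4):
            out[m.group(1)] = (m.group(2), m.group(3))
    return out


if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    cands = proxy_arp_candidates(ifaces, "10.77.1.50")
    print("candidates:", cands)
    print("command:", proxy_arp_command("10.77.1.50", cands))
    print("published:", published_entries(SAMPLE_ARP))
```

On the posted configuration the check finds fxp0 (10.77.1.2/24) for 10.77.1.50, so the subnet layout itself is not what stops mpd; that points at the interface selection in the mpd version in use, which is worth checking before leaving the static route in place. `published_entries` is also the defender's view of the setup: it lists exactly which addresses the box answers ARP for on behalf of VPN peers, which is what proxy ARP exposes to the LAN.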