Date:      Tue, 26 Jun 2001 10:30:37 -0400
From:      "John  Lord" <lord@4jon.com>
To:        "Joe Clarke" <marcus@marcuscom.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: can get mpd (ptpp) to work  firewall
Message-ID:  <9EB046F82A95DD4DAB74BF7FF4E48BA97790@Server.studio.4jon.com>

It does connect if I turn off my firewall, so I'm guessing I have some
rule in ipfilter that needs to be changed. If I add "pass in quick from
any to any" it lets me connect, but I still can't ping the box at its
internal IP 192.168.1.1. Are you running ipfilter on your box also? I
must be overlooking something simple.

outside nic

pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 proto gre from any to any
block out quick on xl0 all


pass in quick on xl0 proto tcp from any to 192.168.1.4 port = 25 keep state
pass in quick proto tcp from any to any port = 22 keep state keep frags
pass in quick proto tcp from any to any port = 47 keep state keep frags
pass in quick proto tcp from any to any port = 1723 keep state keep frags
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all

inside nic 192.168.1.1

pass out quick on xl1 proto tcp from any to any keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state
block out quick on xl1 all
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all


John Lord(jlord@4jon.com)
Network Administrator
Studio for Publications Inc
410-723-7089 Office
pageme@4jon.com Pager
www.4jon.com
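An added check, not code from the thread: PPTP needs two inbound flows on the outside interface, the TCP 1723 control connection and the GRE tunnel (IP protocol 47) that carries the PPP frames. A rule written as "proto tcp ... port = 47" matches TCP destination port 47 and never matches GRE, and the ruleset above passes GRE out on xl0 but has no inbound GRE rule. The script below parses the posted outside-interface rules (decoded from the "=3D" mail artifacts) and reports those gaps. The parser covers only the rule syntax used in the posted ruleset, not full ipf grammar, and "x.x.x.5" is the server address placeholder John used; both are assumptions.

```python
"""Lint an ipfilter ruleset for the two inbound flows a PPTP server needs.

Added example, not code from the thread. PPTP uses a TCP 1723 control
connection plus GRE (IP protocol 47) for the PPP frames, so a rule
written as "proto tcp ... port = 47" matches TCP port 47 and never
matches GRE. The parser below handles only the rule syntax used in the
posted ruleset (pass/block, in/out, optional "on IFACE", "proto P",
"port = N"); that is an assumption, not the full ipf(5) grammar.
"""

# Outside-interface rules as posted, with the quoted-printable "=3D"
# artifacts decoded back to "=".
POSTED_RULES = """\
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
pass out quick on xl0 proto gre from any to any
block out quick on xl0 all
pass in quick on xl0 proto tcp from any to 192.168.1.4 port = 25 keep state
pass in quick proto tcp from any to any port = 22 keep state keep frags
pass in quick proto tcp from any to any port = 47 keep state keep frags
pass in quick proto tcp from any to any port = 1723 keep state keep frags
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all
"""


def parse_rule(line):
    """Pull action, direction, interface, protocol and destination port out
    of one rule line. Absent fields stay None; a rule without "on IFACE"
    applies to every interface."""
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "iface": None,
            "proto": None, "port": None, "text": line.strip()}
    for i, tok in enumerate(toks):
        if tok in ("in", "out") and rule["dir"] is None:
            rule["dir"] = tok
        elif tok == "on" and i + 1 < len(toks):
            rule["iface"] = toks[i + 1]
        elif tok == "proto" and i + 1 < len(toks):
            rule["proto"] = toks[i + 1]
        elif tok == "port" and i + 2 < len(toks) and toks[i + 1] == "=":
            rule["port"] = int(toks[i + 2])
    return rule


def load_rules(text):
    """Parse every non-blank, non-comment line of a ruleset."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def lint_pptp(rules_text, outside_iface="xl0", server_ip="x.x.x.5"):
    """Report whether the ruleset lets both PPTP flows in on the outside
    interface, and list rules that confuse TCP port 47 with GRE."""
    rules = load_rules(rules_text)

    def pass_in(r):
        return (r["action"] == "pass" and r["dir"] == "in"
                and r["iface"] in (None, outside_iface))

    control_ok = any(pass_in(r) and r["proto"] == "tcp" and r["port"] == 1723
                     for r in rules)
    gre_ok = any(pass_in(r) and r["proto"] == "gre" for r in rules)
    tcp47 = [r["text"] for r in rules if r["proto"] == "tcp" and r["port"] == 47]

    findings = []
    if not control_ok:
        findings.append("no inbound pass for TCP 1723 on " + outside_iface)
    if not gre_ok:
        # GRE has no ports, so the rule must say "proto gre"; restricting the
        # destination to the PPTP server address keeps the opening narrow.
        findings.append("no inbound pass for GRE on %s; e.g. "
                        "'pass in quick on %s proto gre from any to %s'"
                        % (outside_iface, outside_iface, server_ip))
    for text in tcp47:
        findings.append("rule matches TCP port 47, not GRE (IP protocol 47): " + text)
    return {"control_1723": control_ok, "gre_in": gre_ok,
            "tcp_port_47_rules": len(tcp47), "findings": findings}


if __name__ == "__main__":
    for finding in lint_pptp(POSTED_RULES)["findings"]:
        print(finding)
```

Run it as-is and it prints the two findings for the posted rules: the TCP 1723 control rule is present, inbound GRE is absent, and the "port = 47" rule is a TCP rule that will never see a GRE packet. Because the outbound GRE rule has no "keep state", the inbound direction needs its own explicit pass.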



-----Original Message-----
From: Joe Clarke [mailto:marcus@marcuscom.com]
Sent: Monday, June 25, 2001 10:05 PM
To: John Lord
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: can get mpd (ptpp) to work firewall


I think I see your problem.  It looks like you're trying to do MS CHAP,
but you might not have compiled mpd with libdes present.  If this is the
case, you won't be able to do MS CHAP.  You should install the crypto
distribution from sysinstall, then recompile mpd.

I have this setup working for 95, 98, and 2000 boxes.  If you need
further help with mpd, and those clients, let me know.

Joe Clarke

On Mon, 25 Jun 2001, John  Lord wrote:

> OK, I got a FreeBSD 4.3-STABLE box running mpd from the ports
> collection, version 3.2. I have ipfilter running as my firewall. Below is
> the mpd log as I try to connect; after that is a log if I disable the
> firewall: it connects but gives me 63.238.170.52 for the IP and I
> have no clue as to where it is getting it from. So first off I need to
> figure out what in my firewall settings is blocking the PPTP
> connections, and then why it won't give me an IP for inside my network.
> Anybody got a clue about any of this?
>
> Multi-link PPP for FreeBSD, by Archie L. Cobbs.
> Based on iij-ppp, by Toshiharu OHNO.
> mpd: pid 378, version 3.2 (root@crispy.thewetlandsinc.com 21:55 20-Jun-2001)
> [Pptp0] ppp node is "mpd378-Pptp0"
> [Pptp0] using interface ng0
> mpd: local IP address for PPTP is x.x.x.5
> [Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:4926
> pptp0: attached to connection with x.x.x.10:4926
> [Pptp0] IFACE: Open event
> [Pptp0] IPCP: Open event
> [Pptp0] IPCP: state change Initial --> Starting
> [Pptp0] IPCP: LayerStart
> [Pptp0] IPCP: Open event
> [Pptp0] bundle: OPEN event in state CLOSED
> [Pptp0] opening link "Pptp0"...
> [Pptp0] link: OPEN event
> [Pptp0] LCP: Open event
> [Pptp0] LCP: state change Initial --> Starting
> [Pptp0] LCP: LayerStart
> [Pptp0] device: OPEN event in state DOWN
> [Pptp0] attaching to peer's outgoing call
> [Pptp0] device is now in state OPENING
> [Pptp0] device: UP event in state OPENING
> [Pptp0] device is now in state UP
> [Pptp0] link: UP event
> [Pptp0] link: origination is remote
> [Pptp0] LCP: Up event
> [Pptp0] LCP: state change Starting --> Req-Sent
> [Pptp0] LCP: phase shift DEAD --> ESTABLISH
> [Pptp0] LCP: SendConfigReq #1
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> pptp0-0: ignoring SetLinkInfo
> [Pptp0] LCP: SendConfigReq #2
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #3
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #4
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #5
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #6
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #7
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #8
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #9
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: SendConfigReq #10
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM e43e9586
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: state change Req-Sent --> Stopped
> [Pptp0] LCP: LayerFinish
> [Pptp0] LCP: parameter negotiation failed
> [Pptp0] LCP: LayerFinish
> [Pptp0] device: CLOSE event in state UP
> pptp0-0: clearing call
> pptp0-0: killing channel
> [Pptp0] PPTP call terminated
> [Pptp0] IFACE: Close event
> [Pptp0] IPCP: Close event
> [Pptp0] IPCP: state change Starting --> Initial
> [Pptp0] IPCP: LayerFinish
> [Pptp0] IFACE: Close event
> pptp0: closing connection with x.x.x.10:4926
> [Pptp0] IFACE: Close event
> [Pptp0] device is now in state CLOSING
> [Pptp0] bundle: CLOSE event in state OPENED
> [Pptp0] closing link "Pptp0"...
> [Pptp0] device: CLOSE event in state CLOSING
> [Pptp0] device is now in state CLOSING
> pptp0: invalid length 16 for type 4
> pptp0: killing connection with x.x.x.10:4926
> [Pptp0] link: CLOSE event
> [Pptp0] LCP: Close event
> [Pptp0] LCP: state change Stopped --> Closed
> [Pptp0] device: DOWN event in state CLOSING
> [Pptp0] device is now in state DOWN
> [Pptp0] link: DOWN event
> [Pptp0] LCP: Down event
> [Pptp0] LCP: state change Closed --> Initial
> [Pptp0] LCP: phase shift ESTABLISH --> DEAD
> [Pptp0] device: DOWN event in state DOWN
> [Pptp0] device is now in state DOWN
> [Pptp0] link: DOWN event
> [Pptp0] LCP: Down event
>
>
> log from when it connects with firewall wide open
>
> Multi-link PPP for FreeBSD, by Archie L. Cobbs.
> Based on iij-ppp, by Toshiharu OHNO.
> mpd: pid 439, version 3.2 (root@crispy.thewetlandsinc.com 21:55 20-Jun-2001)
> [Pptp0] ppp node is "mpd439-Pptp0"
> [Pptp0] using interface ng0
> mpd: local IP address for PPTP is x.x.x.5
> [Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:1064
> pptp0: attached to connection with x.x.x.10:1064
> [Pptp0] IFACE: Open event
> [Pptp0] IPCP: Open event
> [Pptp0] IPCP: state change Initial --> Starting
> [Pptp0] IPCP: LayerStart
> [Pptp0] IPCP: Open event
> [Pptp0] bundle: OPEN event in state CLOSED
> [Pptp0] opening link "Pptp0"...
> [Pptp0] link: OPEN event
> [Pptp0] LCP: Open event
> [Pptp0] LCP: state change Initial --> Starting
> [Pptp0] LCP: LayerStart
> [Pptp0] device: OPEN event in state DOWN
> [Pptp0] attaching to peer's outgoing call
> [Pptp0] device is now in state OPENING
> [Pptp0] device: UP event in state OPENING
> [Pptp0] device is now in state UP
> [Pptp0] link: UP event
> [Pptp0] link: origination is remote
> [Pptp0] LCP: Up event
> [Pptp0] LCP: state change Starting --> Req-Sent
> [Pptp0] LCP: phase shift DEAD --> ESTABLISH
> [Pptp0] LCP: SendConfigReq #1
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM 14eff6b3
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: rec'd Configure Request #0 link 0 (Req-Sent)
>  MAGICNUM 5fbf582c
>  PROTOCOMP
>  ACFCOMP
>  CALLBACK
>    Not supported
>  MP MRRU 1614
>  ENDPOINTDISC [802.1] 00 10 4b 66 27 18
> [Pptp0] LCP: SendConfigRej #0
>  CALLBACK
>  MP MRRU 1614
> [Pptp0] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
>  MAGICNUM 5fbf582c
>  PROTOCOMP
>  ACFCOMP
>  ENDPOINTDISC [802.1] 00 10 4b 66 27 18
> [Pptp0] LCP: SendConfigAck #1
>  MAGICNUM 5fbf582c
>  PROTOCOMP
>  ACFCOMP
>  ENDPOINTDISC [802.1] 00 10 4b 66 27 18
> [Pptp0] LCP: state change Req-Sent --> Ack-Sent
> pptp0-0: ignoring SetLinkInfo
> [Pptp0] LCP: SendConfigReq #2
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM 14eff6b3
>  AUTHPROTO CHAP MSOFT
> pptp0-0: ignoring SetLinkInfo
> [Pptp0] LCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
>  ACFCOMP
>  PROTOCOMP
>  MRU 1500
>  MAGICNUM 14eff6b3
>  AUTHPROTO CHAP MSOFT
> [Pptp0] LCP: state change Ack-Sent --> Opened
> [Pptp0] LCP: phase shift ESTABLISH --> AUTHENTICATE
> [Pptp0] LCP: auth: peer wants nothing, I want CHAP
> [Pptp0] CHAP: sending CHALLENGE
> [Pptp0] LCP: LayerUp
> [Pptp0] LCP: rec'd Ident #2 link 0 (Opened)
>  MESG: MSRASV5.00
> [Pptp0] LCP: rec'd Ident #3 link 0 (Opened)
>  MESG: MSRAS-0-DVMONSTER
> [Pptp0] CHAP: rec'd RESPONSE #1
>  Name: "test"
>  Peer name: "test"
>  Response is valid
> [Pptp0] CHAP: sending SUCCESS
> [Pptp0] LCP: authorization successful
> [Pptp0] LCP: phase shift AUTHENTICATE --> NETWORK
> [Pptp0] up: 1 link, total bandwidth 64000 bps
> [Pptp0] IPCP: Up event
> [Pptp0] IPCP: state change Starting --> Req-Sent
> [Pptp0] IPCP: SendConfigReq #1
>  IPADDR 192.168.1.100
>  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
> [Pptp0] CCP: Open event
> [Pptp0] CCP: state change Initial --> Starting
> [Pptp0] CCP: LayerStart
> [Pptp0] CCP: Up event
> [Pptp0] CCP: state change Starting --> Req-Sent
> [Pptp0] CCP: SendConfigReq #1
>  MPPC
>    0x01000060: MPPE, 40 bit, 128 bit, stateless
> [Pptp0] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
>  MPPC
>    0x010000f1: MPPC MPPE, 40 bit, 128 bit, stateless
>    Bits 0x00000090 not supported
> [Pptp0] CCP: SendConfigNak #4
>  MPPC
>    0x01000040: MPPE, 128 bit, stateless
> [Pptp0] IPCP: rec'd Configure Request #5 link 0 (Req-Sent)
>  IPADDR 0.0.0.0
>    NAKing with 63.238.170.52
>  PRIDNS 0.0.0.0
>    NAKing with 192.168.1.1
>  PRINBNS 0.0.0.0
>    NAKing with 192.168.1.4
>  SECDNS 0.0.0.0
>  SECNBNS 0.0.0.0
> [Pptp0] IPCP: SendConfigRej #5
>  SECDNS 0.0.0.0
>  SECNBNS 0.0.0.0
> [Pptp0] IPCP: rec'd Configure Reject #1 link 0 (Req-Sent)
>  COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
> [Pptp0] IPCP: SendConfigReq #2
>  IPADDR 192.168.1.100
> [Pptp0] CCP: rec'd Configure Nak #1 link 0 (Req-Sent)
>  MPPC
>    0x01000040: MPPE, 128 bit, stateless
> [Pptp0] CCP: SendConfigReq #2
>  MPPC
>    0x01000040: MPPE, 128 bit, stateless
> [Pptp0] CCP: rec'd Configure Request #6 link 0 (Req-Sent)
>  MPPC
>    0x01000040: MPPE, 128 bit, stateless
> [Pptp0] CCP: SendConfigAck #6
>  MPPC
>    0x01000040: MPPE, 128 bit, stateless
> [Pptp0] CCP: state change Req-Sent --> Ack-Sent
> [Pptp0] IPCP: rec'd Configure Request #7 link 0 (Req-Sent)
>  IPADDR 0.0.0.0
>    NAKing with 63.238.170.52
>  PRIDNS 0.0.0.0
>    NAKing with 192.168.1.1
>  PRINBNS 0.0.0.0
>    NAKing with 192.168.1.4
> [Pptp0] IPCP: SendConfigNak #7
>  IPADDR 63.238.170.52
>  PRIDNS 192.168.1.1
>  PRINBNS 192.168.1.4
> [Pptp0] IPCP: rec'd Configure Ack #2 link 0 (Req-Sent)
>  IPADDR 192.168.1.100
> [Pptp0] IPCP: state change Req-Sent --> Ack-Rcvd
> [Pptp0] CCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
>  MPPC
>    0x01000040: MPPE, 128 bit, stateless
> [Pptp0] CCP: state change Ack-Sent --> Opened
> [Pptp0] CCP: LayerUp
>   Compress using: MPPE, 128 bit, stateless
> Decompress using: MPPE, 128 bit, stateless
> [Pptp0] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)
>  IPADDR 63.238.170.52
>    63.238.170.52 is OK
>  PRIDNS 192.168.1.1
>  PRINBNS 192.168.1.4
> [Pptp0] IPCP: SendConfigAck #8
>  IPADDR 63.238.170.52
>  PRIDNS 192.168.1.1
>  PRINBNS 192.168.1.4
> [Pptp0] IPCP: state change Ack-Rcvd --> Opened
> [Pptp0] IPCP: LayerUp
>   192.168.1.100 -> 63.238.170.52
> [Pptp0] IFACE: Up event
> [Pptp0] exec: /sbin/ifconfig ng0 192.168.1.100 63.238.170.52 netmask 0xffffffff -link0
> [Pptp0] no interface to proxy arp on for 63.238.170.52
> [Pptp0] IFACE: Up event
>
>
> mpd.conf
>
> default:
>         load default-log
>         load client
>
>
> client:
>         load Pptp0
>
>
> Pptp0:
>
>         new -i ng0 Pptp0 Pptp0
>         set iface disable on-demand
>         set iface enable proxy-arp
>         set iface idle 1800
>         set bundle disable multilink
>         set bundle authname test
>         set link yes acfcomp protocomp
>         set link no pap chap
>         set link enable chap
>         set link keep-alive 10 60
>         set ipcp yes vjcomp
>         set ipcp ranges 192.168.1.100/32 192.168.1.102/32
>         set ipcp dns 192.168.1.1
>         set ipcp nbns 192.168.1.4
>         set bundle enable compression
>         set ccp yes mppc
>         set ccp yes mpp-e40
>         set ccp yes mpp-e128
>         set ccp yes mpp-stateless
>
>
>
>
> default-log:
>         log +bund +link +chat +lcp +auth +fsm +phys +ipcp +ccp +pptp
>
> mpd.links
>
> Pptp0:
>         set link type pptp
>         set pptp self x.x.x.5
>         set pptp enable incoming
>         set pptp disable originate
>         set link enable chap
>         set link disable pap
>         set link enable acfcomp protocomp
>         set link keep-alive 10 75
>         set link enable no-orig-auth
>
> ipf.rules
>
> #################################################################
> # Outside Interface
> #################################################################
>
> #----------------------------------------------------------------
> # Allow out all TCP, UDP, and ICMP traffic & keep state on it
> # so that it's allowed back in.
> #----------------------------------------------------------------
> pass out quick on xl0 proto tcp from any to any keep state
> pass out quick on xl0 proto udp from any to any keep state
> pass out quick on xl0 proto icmp from any to any keep state
> pass out quick on xl0 proto gre from any to any
> block out quick on xl0 all
>
> #----------------------------------------------------------------
> # Allow bootp traffic in from your ISP's DHCP server only.
> # Replace X.X.X.X/32 with your ISP's DHCP server address.
> #----------------------------------------------------------------
> #pass in quick on ed0 proto udp from X.X.X.X/32 to any port = 68 keep state
> pass in quick on xl0 proto tcp from any to 192.168.1.4 port = 25 keep state
> pass in quick proto tcp from any to any port = 22 keep state keep frags
> pass in quick proto tcp from any to any port = 47 keep state keep frags
> pass in quick proto tcp from any to any port = 1723 keep state keep frags
> #----------------------------------------------------------------
> # Block and log all remaining traffic coming into the firewall
> # - Block TCP with a RST (to make it appear as if the service
> # isn't listening)
> # - Block UDP with an ICMP Port Unreachable (to make it appear
> # as if the service isn't listening)
> # - Block all remaining traffic the good 'ol fashioned way
> #----------------------------------------------------------------
> block return-rst in log quick on xl0 proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
> block in log quick on xl0 all
>
> #################################################################
> # Inside Interface
> #################################################################
>
> #----------------------------------------------------------------
> # Allow out all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass out quick on xl1 proto tcp from any to any keep state
> pass out quick on xl1 proto udp from any to any keep state
> pass out quick on xl1 proto icmp from any to any keep state
> block out quick on xl1 all
>
>
> #----------------------------------------------------------------
> # Allow out all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass out quick on xl2 proto tcp from any to any keep state
> pass out quick on xl2 proto udp from any to any keep state
> pass out quick on xl2 proto icmp from any to any keep state
> block out quick on xl2 all
>
>
> #----------------------------------------------------------------
> # Allow in all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass in quick on xl1 proto tcp from any to any keep state
> pass in quick on xl1 proto udp from any to any keep state
> pass in quick on xl1 proto icmp from any to any keep state
> block in quick on xl1 all
>
>
> #----------------------------------------------------------------
> # Allow in all TCP, UDP, and ICMP traffic & keep state
> #----------------------------------------------------------------
> pass in quick on xl2 proto tcp from any to any keep state
> pass in quick on xl2 proto udp from any to any keep state
> pass in quick on xl2 proto icmp from any to any keep state
> block in quick on xl2 all
>
> ipnat.rules
>
> map xl0 192.168.1.0/24 -> x.x.x.5/32 proxy port 21 ftp/tcp
> map xl0 192.168.1.0/24 -> x.x.x.5/32 proxy port 1501 ftp/tcp
> map xl0 192.168.2.0/24 -> x.x.x.5/32 proxy port 21 ftp/tcp
> map xl0 192.168.1.0/24 -> x.x.x.5/32 portmap tcp/udp 40000:60000
> map xl0 192.168.2.0/24 -> x.x.x.5/32 portmap tcp/udp 40000:60000
> rdr xl0 0.0.0.0/0 port 25 -> 192.168.1.4 port 25 tcp
> map xl0 192.168.1.0/24 -> x.x.x.5/32
> map xl0 192.168.2.0/24 -> x.x.x.5/32
>
> John Lord(jlord@4jon.com)
> Network Administrator
> Studio for Publications Inc
> 410-723-7089 Office
> pageme@4jon.com Pager
> www.4jon.com
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
>
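An added example, not code from the thread, for reading the two mpd logs quoted above. In PPTP the PPP frames (LCP, CHAP, IPCP) travel inside the GRE tunnel, not over the TCP 1723 control connection, so a run of "SendConfigReq" lines with no "rec'd" line in between means nothing came back through GRE: a firewall symptom rather than an mpd or CHAP one. The working log, by contrast, shows the peer's Configure Requests arriving, CHAP succeeding, and IPCP handing the peer 63.238.170.52. The script summarises a log into those facts. The two embedded excerpts are trimmed copies of the posted logs, and the verdict strings are my own heuristic labels.

```python
"""Tell "peer never answered" apart from "peer answered but negotiation
failed" in an mpd 3.x log. Added example, not code from the thread; the
two excerpts below are trimmed copies of the logs posted in the thread.
LCP runs inside the GRE tunnel, so repeated SendConfigReq with no "rec'd"
line means no GRE frames reached mpd.
"""
import re

FAILING_LOG = """\
[Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:4926
[Pptp0] LCP: state change Starting --> Req-Sent
[Pptp0] LCP: SendConfigReq #1
 MRU 1500
 AUTHPROTO CHAP MSOFT
[Pptp0] LCP: SendConfigReq #2
[Pptp0] LCP: SendConfigReq #3
[Pptp0] LCP: SendConfigReq #4
[Pptp0] LCP: SendConfigReq #5
[Pptp0] LCP: SendConfigReq #6
[Pptp0] LCP: SendConfigReq #7
[Pptp0] LCP: SendConfigReq #8
[Pptp0] LCP: SendConfigReq #9
[Pptp0] LCP: SendConfigReq #10
[Pptp0] LCP: state change Req-Sent --> Stopped
[Pptp0] LCP: parameter negotiation failed
[Pptp0] PPTP call terminated
"""

WORKING_LOG = """\
[Pptp0:Pptp0] mpd: PPTP connection from x.x.x.10:1064
[Pptp0] LCP: SendConfigReq #1
[Pptp0] LCP: rec'd Configure Request #0 link 0 (Req-Sent)
[Pptp0] LCP: SendConfigRej #0
[Pptp0] LCP: rec'd Configure Request #1 link 0 (Req-Sent)
[Pptp0] LCP: SendConfigAck #1
[Pptp0] LCP: SendConfigReq #2
[Pptp0] LCP: rec'd Configure Ack #2 link 0 (Ack-Sent)
[Pptp0] LCP: state change Ack-Sent --> Opened
[Pptp0] CHAP: rec'd RESPONSE #1
 Response is valid
[Pptp0] LCP: authorization successful
[Pptp0] IPCP: LayerUp
  192.168.1.100 -> 63.238.170.52
[Pptp0] IFACE: Up event
"""

# Our own LCP Configure-Request going out, and anything LCP coming back.
SENT_RE = re.compile(r"\] LCP: SendConfigReq #(\d+)")
RECV_RE = re.compile(r"\] LCP: rec'd Configure \w+ #\d+")
# The "local -> peer" address line mpd prints right after "IPCP: LayerUp".
ADDR_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)\s*$")


def summarise(log):
    """Count LCP requests sent and replies received, note auth and the
    negotiated addresses, and give a one-line verdict."""
    lines = log.splitlines()
    sent = recvd = 0
    failed = authed = False
    addrs = None
    for i, line in enumerate(lines):
        if SENT_RE.search(line):
            sent += 1
        elif RECV_RE.search(line):
            recvd += 1
        elif "LCP: parameter negotiation failed" in line:
            failed = True
        elif "LCP: authorization successful" in line:
            authed = True
        elif "IPCP: LayerUp" in line and i + 1 < len(lines):
            m = ADDR_RE.match(lines[i + 1])
            if m:
                addrs = (m.group(1), m.group(2))  # (local, assigned to peer)
    if sent and not recvd:
        verdict = ("no LCP frames received after %d requests: GRE (IP protocol 47) "
                   "is probably being dropped before it reaches mpd" % sent)
    elif failed:
        verdict = "peer answered but LCP negotiation failed: check link options/auth"
    elif authed and addrs:
        verdict = "link up, peer assigned %s" % addrs[1]
    else:
        verdict = "incomplete log"
    return {"lcp_sent": sent, "lcp_received": recvd, "auth_ok": authed,
            "addresses": addrs, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("firewall on", FAILING_LOG), ("firewall off", WORKING_LOG)):
        print(name, summarise(log)["verdict"])
```

The TCP 1723 control connection was accepted in both logs ("PPTP connection from x.x.x.10"), which is why the failing case is silent rather than refused: the control channel works and only the GRE-carried PPP frames go missing. The assigned address the summary extracts is whatever IPCP ended up handing out, which in the posted log is 63.238.170.52 rather than an address from the configured "set ipcp ranges".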






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9EB046F82A95DD4DAB74BF7FF4E48BA97790>