Date:      Sat, 26 Feb 2000 14:32:53 -0500
From:      "Chad K. Bisk" <ckbisk@bigfoot.com>
To:        <freebsd-ipfw@FreeBSD.ORG>
Subject:   Re: ipfw and the GRE protocol
Message-ID:  <002701bf8090$4934b460$43110d0a@chade>
References:  <000101bf7e5d$b78b6f10$0c00a8c0@pulsar.rreedy.com>

It works!  Thanks.  Although I had to change my rc.conf entry to

natd_flags="-redirect_port tcp 10.13.17.73:pptp pptp -pptpalias 10.13.17.73"

for some reason (3.4 release) or natd would stop working.  I look forward to
Erik Salander's more general libalias solution.

Since this problem was so easy for you all, here's a more interesting
(though less troublesome) one:

How does rule 65535 ever get packets?

freebsd# ipfw list
00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.0.0.0/8 to any in recv ed1
00400 deny ip from 111.222.33.0/24 to any in recv fxp0
00500 deny ip from 192.168.0.0/16 to any via ed1
00600 deny ip from any to 192.168.0.0/16 via ed1
00700 deny ip from 172.16.0.0/12 to any via ed1
00800 deny ip from any to 172.16.0.0/12 via ed1
00900 allow tcp from any to any established
01000 allow tcp from any to 111.222.33.44 25 setup
01100 allow tcp from any to 111.222.33.44 53 setup
01200 allow tcp from any to 111.222.33.44 80 setup
01300 allow tcp from any to any setup
01400 allow udp from any 53 to 111.222.33.44
01500 allow udp from 111.222.33.44 to any 53
01600 allow udp from any 123 to 111.222.33.44
01700 allow udp from 111.222.33.44 to any 123
65000 allow ip from any to any
65535 deny ip from any to any
freebsd# ipfw show
00100 538708 242885311 divert 8668 ip from any to any via ed1
00100     12       832 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300    912    110044 deny ip from 10.0.0.0/8 to any in recv ed1
00400      0         0 deny ip from 111.222.33.0/24 to any in recv fxp0
00500      0         0 deny ip from 192.168.0.0/16 to any via ed1
00600      0         0 deny ip from any to 192.168.0.0/16 via ed1
00700      0         0 deny ip from 172.16.0.0/12 to any via ed1
00800      0         0 deny ip from any to 172.16.0.0/12 via ed1
00900 935726 468654385 allow tcp from any to any established
01000     18       792 allow tcp from any to 111.222.33.44 25 setup
01100      2        80 allow tcp from any to 111.222.33.44 53 setup
01200      3       124 allow tcp from any to 111.222.33.44 80 setup
01300  23818   1088084 allow tcp from any to any setup
01400    204     43821 allow udp from any 53 to 111.222.33.44
01500   3190    197690 allow udp from 111.222.33.44 to any 53
01600   3113    236588 allow udp from any 123 to 111.222.33.44
01700   3153    239628 allow udp from 111.222.33.44 to any 123
65000  66466   9761689 allow ip from any to any
65535      4       463 deny ip from any to any

It gets 2 during startup and 2 later fairly consistently.

-- Chad

----- Original Message -----
From: "Ryan Reedy" <rreedy@home.com>
To: "'Chad K. Bisk'" <ckbisk@bigfoot.com>; <freebsd-ipfw@FreeBSD.ORG>
Sent: Wednesday, February 23, 2000 7:25 PM
Subject: RE: ipfw and the GRE protocol


> I have successfully set up a pptp server behind ipfw/natd by
> doing the following (on 3.2)
>
> For NATD: use the -pptpalias a.b.c.d -redirect_port a.b.c.d:1723 1723
> (this will only work for one machine on the internal network as far
> as I can tell)
>
> For IPFW:
> $fwcmd add pass tcp from any to a.b.c.d 1723 setup
> $fwcmd add pass tcp from any to any established
> $fwcmd add pass gre from any to any
>
> a.b.c.d is the internal ip address (and the divert rule is at the
> top of the list).  gre is protocol 47, I think someone was missing
> this in the protocols file earlier.  I've never tried to set this
> up on any other version which may be causing other issues.  Also,
> sometimes the client has to dial, get refused and then dial again
> to get connected, but I haven't taken the time to see if this is a
> NT or firewall issue.
> Hope this helps!
>
> -Ryan
>
> > Andre Chang writes:
> > > Was there any resolution to this issue? I was following the thread and set up
> > > a similar test environment using ipfw/natd using rules:
> > >
> > > $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
> > > $fwcmd add pass log gre from any to any
> >
> > PPTP does not pass cleanly through address translation without
> > specific support -- it's very analogous to the way active mode FTP
> > works.
> >
> > Erik Salander is actually working on adding this support to libalias
> > right now at Whistle but it won't be finished for a while.
> >
> > -Archie
>
> I thought that was what natd -pptpalias a.b.c.d was for.  Although truth be
> told I've never been able to get a PPTP client to connect through natd to a
> PPTP server behind ipfw.
>
> -- Chad
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message



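As an added example that is not part of this thread, the following Python script (function names are my own) parses the `ipfw show` listing quoted above and reports which rules sit behind a terminal catch-all. It confirms that once 65000 is loaded no packet walking this list can reach 65535, so non-zero counters there point to a window when the list was not fully in place, such as startup.

```python
import re
# Constructed sample: an abridged copy of the `ipfw show` listing quoted in the thread.
IPFW_SHOW = """\
00100 538708 242885311 divert 8668 ip from any to any via ed1
00100     12       832 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300    912    110044 deny ip from 10.0.0.0/8 to any in recv ed1
00900 935726 468654385 allow tcp from any to any established
01300  23818   1088084 allow tcp from any to any setup
65000  66466   9761689 allow ip from any to any
65535      4       463 deny ip from any to any
"""

# `ipfw show` columns: rule number, packets, bytes, action, then the rule body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
# Actions that end evaluation for a matching packet. divert/tee do not: the
# packet re-enters the list at the next rule once natd hands it back.
TERMINAL = {"allow", "pass", "accept", "permit", "deny", "drop", "reject", "reset"}

def parse_show(text):
    """Parse `ipfw show` lines into dicts; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, pkts, nbytes, action, body = m.groups()
        if action in ("divert", "tee"):  # drop the divert port from the body
            body = body.split(None, 1)[1]
        rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(nbytes),
                      "action": action, "body": body})
    return rules

def first_catch_all(rules):
    """Index of the first terminal rule that matches every packet, or None."""
    for i, r in enumerate(rules):
        if r["action"] in TERMINAL and r["body"] == "ip from any to any":
            return i
    return None

def unreachable_rules(rules):
    """Rules after the catch-all: no packet walking this list can reach them."""
    i = first_catch_all(rules)
    return [] if i is None else rules[i + 1:]

def unexplained_hits(rules):
    """(number, packets) for unreachable rules whose counter is non-zero. Such
    counts were most likely accumulated while the list was not fully loaded,
    e.g. before rc.firewall ran at boot, when only the kernel default rule applies."""
    return [(r["num"], r["pkts"]) for r in unreachable_rules(rules) if r["pkts"] > 0]
```

Run it against a full `ipfw show` capture; any rule it reports as unreachable can be deleted or moved above the catch-all without changing what the firewall passes.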




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002701bf8090$4934b460$43110d0a>