From owner-freebsd-ipfw Sat Feb 26 11:33:16 2000
Delivered-To: freebsd-ipfw@freebsd.org
From: "Chad K. Bisk"
References: <000101bf7e5d$b78b6f10$0c00a8c0@pulsar.rreedy.com>
Subject: Re: ipfw and the GRE protocol
Date: Sat, 26 Feb 2000 14:32:53 -0500
Message-ID: <002701bf8090$4934b460$43110d0a@chade>

It works! Thanks. Although I had to change my rc.conf entry to

    natd_flags="-redirect_port tcp 10.13.17.73:pptp pptp -pptpalias 10.13.17.73"

for some reason (3.4 release) or natd would stop working. I look forward to Erik Salander's more general libalias solution.

Since this problem was so easy for you all, here's a more interesting (though less troublesome) one: How does rule 65535 ever get packets?
freebsd# ipfw list
00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 10.0.0.0/8 to any in recv ed1
00400 deny ip from 111.222.33.0/24 to any in recv fxp0
00500 deny ip from 192.168.0.0/16 to any via ed1
00600 deny ip from any to 192.168.0.0/16 via ed1
00700 deny ip from 172.16.0.0/12 to any via ed1
00800 deny ip from any to 172.16.0.0/12 via ed1
00900 allow tcp from any to any established
01000 allow tcp from any to 111.222.33.44 25 setup
01100 allow tcp from any to 111.222.33.44 53 setup
01200 allow tcp from any to 111.222.33.44 80 setup
01300 allow tcp from any to any setup
01400 allow udp from any 53 to 111.222.33.44
01500 allow udp from 111.222.33.44 to any 53
01600 allow udp from any 123 to 111.222.33.44
01700 allow udp from 111.222.33.44 to any 123
65000 allow ip from any to any
65535 deny ip from any to any

freebsd# ipfw show
00100 538708 242885311 divert 8668 ip from any to any via ed1
00100 12 832 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 912 110044 deny ip from 10.0.0.0/8 to any in recv ed1
00400 0 0 deny ip from 111.222.33.0/24 to any in recv fxp0
00500 0 0 deny ip from 192.168.0.0/16 to any via ed1
00600 0 0 deny ip from any to 192.168.0.0/16 via ed1
00700 0 0 deny ip from 172.16.0.0/12 to any via ed1
00800 0 0 deny ip from any to 172.16.0.0/12 via ed1
00900 935726 468654385 allow tcp from any to any established
01000 18 792 allow tcp from any to 111.222.33.44 25 setup
01100 2 80 allow tcp from any to 111.222.33.44 53 setup
01200 3 124 allow tcp from any to 111.222.33.44 80 setup
01300 23818 1088084 allow tcp from any to any setup
01400 204 43821 allow udp from any 53 to 111.222.33.44
01500 3190 197690 allow udp from 111.222.33.44 to any 53
01600 3113 236588 allow udp from any 123 to 111.222.33.44
01700 3153 239628 allow udp from 111.222.33.44 to any 123
65000 66466 9761689 allow ip from any to any
65535 4 463 deny ip from any to any

It gets 2 during startup and 2 later fairly consistently.

-- Chad

----- Original Message -----
From: "Ryan Reedy"
To: "'Chad K. Bisk'" ;
Sent: Wednesday, February 23, 2000 7:25 PM
Subject: RE: ipfw and the GRE protocol

> I have successfully set up a pptp server behind ipfw/natd by
> doing the following (on 3.2)
>
> For NATD: use the -pptpalias a.b.c.d -redirect_port a.b.c.d:1723 1723
> (this will only work for one machine on the internal network as far
> as I can tell)
>
> For IPFW:
> $fwcmd add pass tcp from any to a.b.c.d 1723 setup
> $fwcmd add pass tcp from any to any established
> $fwcmd add pass gre from any to any
>
> a.b.c.d is the internal ip address (and the divert rule is at the
> top of the list). gre is protocol 47, I think someone was missing
> this in the protocols file earlier. I've never tried to set this
> up on any other version which may be causing other issues. Also,
> sometimes the client has to dial, get refused and then dial again
> to get connected, but I haven't taken the time to see if this is a
> NT or firewall issue.
> Hope this helps!
>
> -Ryan
>
> > Andre Chang writes:
> > > Was there any resolution to this issue? I was following the thread and setup
> > > a similar test environment using ipfw/natd using rules:
> > >
> > > $fwcmd add pass tcp from any to 192.168.10.10 1723 via fxp0
> > > $fwcmd add pass log gre from any to any
> >
> > PPTP does not pass cleanly through address translation without
> > specific support -- it's very analogous to the way active mode FTP
> > works.
> >
> > Erik Salander is actually working on adding this support to libalias
> > right now at Whistle but it won't be finished for a while.
> >
> > -Archie
>
> I thought that was what natd -pptpalias a.b.c.d was for. Although truth be
> told I've never been able to get a PPTP client to connect through natd to a
> PPTP server behind ipfw.
> > -- Chad
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
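An added example, not code from anyone in the thread, that audits an `ipfw show` listing the way a reviewer would read Chad's: it parses the counters, flags the duplicated rule number 00100, and reports every rule listed after the first catch-all (here 65000), which is exactly where the four hits on rule 65535 turn up. The embedded listing is a constructed excerpt of the one posted above.

```python
"""Audit an ipfw listing: duplicate numbers and rules shadowed by a catch-all."""
import re

# Constructed excerpt of the `ipfw show` output quoted in the message.
IPFW_SHOW = """\
00100 538708 242885311 divert 8668 ip from any to any via ed1
00100 12 832 allow ip from any to any via lo0
00900 935726 468654385 allow tcp from any to any established
65000 66466 9761689 allow ip from any to any
65535 4 463 deny ip from any to any
"""
# number, packets, bytes, action [divert port], proto, src, dst, options
RULE = re.compile(r"^(\d+)\s+(\d+)\s+\d+\s+(\S+)(?:\s+\d+)?\s+(\S+)"
                  r"\s+from\s+(\S+)\s+to\s+(\S+)(.*)$")
# Actions that end rule evaluation for every packet they match.
TERMINAL = {"allow", "pass", "accept", "permit", "deny", "drop",
            "reject", "unreach", "reset"}

def parse_ipfw_show(text):
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            num, pkts, act, proto, src, dst, opts = m.groups()
            rules.append({"num": num, "pkts": int(pkts), "action": act,
                          "proto": proto, "src": src, "dst": dst,
                          "opts": opts.strip()})
    return rules

def is_catch_all(r):
    """Terminal rule on ip/any/any with no via/in/out or other options."""
    return (r["action"] in TERMINAL and r["proto"] == "ip"
            and r["src"] == "any" and r["dst"] == "any" and not r["opts"])

def duplicate_numbers(rules):
    seen, dups = set(), []
    for r in rules:
        if r["num"] in seen and r["num"] not in dups:
            dups.append(r["num"])
        seen.add(r["num"])
    return dups

def shadowed_rules(rules):
    """(number, packets) for rules after the first catch-all.  No packet reaches
    them once the ruleset is fully loaded, so non-zero counters there (65535 in
    the thread) mean packets were evaluated while the ruleset was incomplete,
    e.g. between `ipfw flush` and the re-adds in rc.firewall at startup."""
    for i, r in enumerate(rules):
        if is_catch_all(r):
            return [(s["num"], s["pkts"]) for s in rules[i + 1:]]
    return []
```

Run it against the full `ipfw show` output instead of the excerpt and the result is the same pair: duplicate number 00100, and 65535 as the only shadowed rule.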