
Problem with inbound PPTP to internal server



Guys,

I've bent my head around this off and on for a week and can't seem to uncover what's going wrong. I'm hoping someone here on the list can clue me in. Maybe I'm just making a stupid mistake.

Here's the scenario -

OpenBSD 3.3-RELEASE / alpha - Originally I installed a snapshot from about April 22nd, but I've subsequently "upgraded" it back to 3.3-RELEASE.

# uname -a
OpenBSD fw.mycompany.com 3.3 GENERIC#24 alpha

We're trying to allow inbound PPTP to our MS PPTP server. I guess that's about it. I have a binat set up for our internal server and I'm <mostly> sure the rules are correct. When I do tcpdumps on the external and internal interfaces, I see the tcp/1723 packets breeze merrily across the firewall. However, the GRE packets, which, as best I can tell, arrive out of order, appear to be intercepted and only flushed to the internal server in order. And at that, there are substantially fewer of them. pflog0 logs all blocks and doesn't report any packets during the session.

I am certainly not a networking whiz, so I'm not really clear on what the GRE information means, but the packet traces are included below. I have removed the scrub directives and that didn't help. I also set up RDRs instead of a BINAT, but that also yielded no results.

If anyone can lend some insight into this I would be most grateful.

Thanks, and thanks to Daniel for writing such a fantastic firewall.
Andrew

-------------------------------------------

First, here's the ruleset:

###########################################################################
#
# This is the file for variables, macros, queues and basic
# firewalling options.
#
###########################################################################
#
# Interface Variables
#
EXT_IF = "de0"
INT_IF = "xl0"
DMZ_IF = "xl1"


###########################################################################
#
#  Host Variables and Macros
#
PPTP_SERVER_INT = "192.168.10.205"
PPTP_SERVER_EXT = "9.9.9.131"
G_PPTP_SERVER_INT = "10.10.10.100"
G_PPTP_SERVER_EXT = "9.9.9.146"

###########################################################################
#
#  Tables: Host Variables and Macros
#
P2P_PORTS = "{ 1214, 54321 }"
G_PORTS_TCP = "{ 21, 22, 53, 80, 81, 110, 389, 443, 1720, 5190, 6667 }"
G_PORTS_UDP = "{ 53 }"

###########################################################################
#
#  Table macros for networks
#
table <bad_external_nets> const { 0/32, 255.255.255.255/32, 10/8, \
	!10.10.10/24, 172.16/12, 192.168/16, !192.168.10/24, 127/8 }
table <internal-us_internal> const { 192.168.10.0/24 }
table <gamers_internal> const { 10.10.10.0/24 }

###########################################################################
#
#  Other misc stuff
#
set loginterface $EXT_IF
#scrub out on $EXT_IF random-id
#scrub in all

###########################################################################
#
#  Queues
#
altq on $EXT_IF cbq bandwidth 512Kb queue p2p
queue p2p bandwidth 100% cbq(default)

###########################################################################
#
#  Translations
#
rdr on { $INT_IF, $DMZ_IF } proto tcp from { <internal-us_internal>, \
	<gamers_internal> } to any port 21 -> 127.0.0.1 port 8021
binat on $EXT_IF from $PPTP_SERVER_INT to any -> $PPTP_SERVER_EXT
binat on $EXT_IF from $G_PPTP_SERVER_INT to any -> $G_PPTP_SERVER_EXT
nat on $EXT_IF from { <internal-us_internal>, <gamers_internal> } to any -> \
	9.9.9.130

###########################################################################
#
#  Block all traffic we don't wish to explicitly allow
#
block in log on $EXT_IF all
block in log quick on $EXT_IF from <bad_external_nets> to any
block in log on $EXT_IF from any to <bad_external_nets>
block in log quick on $DMZ_IF from any to <internal-us_internal>
block in log quick on $INT_IF from any to <gamers_internal>


###########################################################################
#
#  Pass in PPTP to the Internal and Gamer Guy's VPN servers
#
pass in quick on $EXT_IF proto gre from any to { $PPTP_SERVER_INT/32, \
	$G_PPTP_SERVER_INT/32 } allow-opts keep state
pass in quick on $EXT_IF proto tcp from any to { $PPTP_SERVER_INT/32, \
	$G_PPTP_SERVER_INT/32 } port 1723 allow-opts keep state

###########################################################################
#
#  Pass in all the other crap to the Gamer Guy's VPN server
#
pass in quick on $EXT_IF proto tcp from any to $G_PPTP_SERVER_INT/32 \
	port $G_PORTS_TCP flags S/SA keep state
pass in quick on $EXT_IF proto udp from any to $G_PPTP_SERVER_INT/32 \
	port $G_PORTS_UDP keep state
pass in quick on $EXT_IF proto icmp from any to $G_PPTP_SERVER_INT/32 \
	keep state

###########################################################################
#
#  Allow but *QUEUE* peer-to-peer (Kazaa, et al) traffic
#
pass out quick on $EXT_IF proto tcp from { <internal-us_internal>, \
	<gamers_internal> } port $P2P_PORTS to any flags S/SA \
	keep state queue p2p

###########################################################################
#
#  We must explicitly allow FTP return traffic as our FTP Proxy isn't
#    yet the greatest thing on the planet.
#
pass in quick on $EXT_IF proto tcp from any port 20 to $EXT_IF flags S/SA \
	user proxy keep state

###########################################################################
#
#  Allow and keep state on all traffic going outbound
#
pass out quick on $EXT_IF proto { tcp, udp, icmp, gre } from \
	{ <internal-us_internal>, <gamers_internal> } to any keep state

pass out quick on { $INT_IF, $DMZ_IF, $EXT_IF } proto { tcp, udp, icmp, gre } \
	to any keep state

---------------------------------------

And now the packet trace from the EXTERNAL firewall interface:
# tcpdump -qtni de0 ip proto gre or tcp port 1723
tcpdump: listening on de0
12.12.12.12.32237 > 9.9.9.131.1723: tcp 0 (DF)
9.9.9.131.1723 > 12.12.12.12.32237: tcp 0 (DF)
12.12.12.12.32237 > 9.9.9.131.1723: tcp 12 (DF)
9.9.9.131.1723 > 12.12.12.12.32237: tcp 12 (DF)
12.12.12.12.32237 > 9.9.9.131.1723: tcp 168 (DF)
9.9.9.131.1723 > 12.12.12.12.32237: tcp 32 (DF)
12.12.12.12.32237 > 9.9.9.131.1723: tcp 24 (DF)
call 50151 seq 0 gre-ppp-payload (gre encap)
call 0 seq 0 ack 0 gre-ppp-payload (gre encap)
call 0 seq 1 gre-ppp-payload (gre encap)
9.9.9.131.1723 > 12.12.12.12.32237: tcp 0 (DF)
call 50151 seq 1 gre-ppp-payload (gre encap)
call 0 seq 2 gre-ppp-payload (gre encap)
call 50151 seq 2 gre-ppp-payload (gre encap)
call 0 seq 3 gre-ppp-payload (gre encap)
call 50151 seq 3 gre-ppp-payload (gre encap)
call 0 seq 4 gre-ppp-payload (gre encap)
call 50151 seq 4 gre-ppp-payload (gre encap)
call 0 seq 5 gre-ppp-payload (gre encap)
call 50151 seq 5 gre-ppp-payload (gre encap)
call 0 seq 6 gre-ppp-payload (gre encap)
call 50151 seq 6 gre-ppp-payload (gre encap)
call 0 seq 7 gre-ppp-payload (gre encap)
call 50151 seq 7 gre-ppp-payload (gre encap)
call 0 seq 8 gre-ppp-payload (gre encap)
call 50151 seq 8 gre-ppp-payload (gre encap)
call 0 seq 9 gre-ppp-payload (gre encap)
call 50151 seq 9 gre-ppp-payload (gre encap)
call 0 seq 10 gre-ppp-payload (gre encap)
12.12.12.12.32237 > 9.9.9.131.1723: tcp 16 (DF)
9.9.9.131.1723 > 12.12.12.12.32237: tcp 148 (DF)
12.12.12.12.32237 > 9.9.9.131.1723: tcp 16 (DF)
9.9.9.131.1723 > 12.12.12.12.32237: tcp 16 (DF)
12.12.12.12.32237 > 9.9.9.131.1723: tcp 0 (DF)
9.9.9.131.1723 > 12.12.12.12.32237: tcp 0 (DF)
12.12.12.12.32237 > 9.9.9.131.1723: tcp 0 (DF)


And the packet capture from the Internal interface:


# tcpdump -qtni xl0 ip proto gre or tcp port 1723
tcpdump: listening on xl0
12.12.12.12.43991 > 192.168.10.205.1723: tcp 0 (DF)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 0 (DF)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 12 (DF)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 12 (DF)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 168 (DF)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 32 (DF)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 24 (DF)
call 999 seq 0 gre-ppp-payload (gre encap)
call 16384 seq 0 ack 0 gre-ppp-payload (gre encap)
call 16384 seq 1 gre-ppp-payload (gre encap)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 0 (DF)
call 16384 seq 2 gre-ppp-payload (gre encap)
call 16384 seq 3 gre-ppp-payload (gre encap)
call 16384 seq 4 gre-ppp-payload (gre encap)
call 16384 seq 5 gre-ppp-payload (gre encap)
call 16384 seq 6 gre-ppp-payload (gre encap)
call 16384 seq 7 gre-ppp-payload (gre encap)
call 16384 seq 8 gre-ppp-payload (gre encap)
call 16384 seq 9 gre-ppp-payload (gre encap)
call 16384 seq 10 gre-ppp-payload (gre encap)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 16 (DF)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 16 (DF)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 148 (DF)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 148 (DF)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 16 (DF)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 16 (DF)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 0 (DF)
192.168.10.205.1723 > 12.12.12.12.43991: tcp 0 (DF)
12.12.12.12.43991 > 192.168.10.205.1723: tcp 0 (DF)
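An added example, not part of the original post, for comparing the two captures above mechanically rather than by eye. It parses the `call N seq N [ack N] gre-ppp-payload` lines that `tcpdump -qtn` prints for PPTP GRE, groups them by call ID on each interface, and reports how many GRE packets each side saw, which call IDs appear on only one side, and whether any sequence numbers are missing or reordered within a call. The sample captures embedded below are reconstructed from the GRE portions of the post's own traces (TCP lines abbreviated); function names are my own.

```python
# Added example (not the original poster's code): compare the GRE side of two
# tcpdump captures, one per firewall interface, and report what crossed.
import re
from collections import defaultdict

# Shape of the GRE lines in the post's `tcpdump -qtn` output.
GRE_RE = re.compile(r"^call (\d+) seq (\d+)(?: ack (\d+))? gre-ppp-payload")


def parse_gre(line):
    """Return (call_id, seq, ack_or_None) for a GRE/PPP line, else None."""
    m = GRE_RE.match(line.strip())
    if not m:
        return None
    call, seq, ack = m.groups()
    return int(call), int(seq), (int(ack) if ack is not None else None)


def gre_sequences(capture):
    """Map each GRE call ID to the sequence numbers seen, in capture order."""
    seqs = defaultdict(list)
    for line in capture.splitlines():
        parsed = parse_gre(line)
        if parsed is not None:
            call, seq, _ = parsed
            seqs[call].append(seq)
    return dict(seqs)


def sequence_gaps(seqs):
    """Sequence numbers missing between min and max, and how often the
    capture order went backwards (a rough reordering count)."""
    expected = set(range(min(seqs), max(seqs) + 1))
    missing = sorted(expected - set(seqs))
    out_of_order = sum(1 for a, b in zip(seqs, seqs[1:]) if b < a)
    return missing, out_of_order


def compare_captures(ext_capture, int_capture):
    """Summarise what the external capture saw versus the internal one."""
    ext, inn = gre_sequences(ext_capture), gre_sequences(int_capture)
    report = {
        "external_count": sum(len(v) for v in ext.values()),
        "internal_count": sum(len(v) for v in inn.values()),
        "calls_only_external": sorted(set(ext) - set(inn)),
        "calls_only_internal": sorted(set(inn) - set(ext)),
        "gaps": {},
    }
    for side, table in (("external", ext), ("internal", inn)):
        for call, seqs in table.items():
            missing, ooo = sequence_gaps(seqs)
            report["gaps"][(side, call)] = {"missing": missing, "out_of_order": ooo}
    return report


# Sample input reconstructed from the post's external (de0) capture.
EXTERNAL_CAPTURE = "\n".join(
    ["12.12.12.12.32237 > 9.9.9.131.1723: tcp 24 (DF)",
     "call 50151 seq 0 gre-ppp-payload (gre encap)",
     "call 0 seq 0 ack 0 gre-ppp-payload (gre encap)",
     "call 0 seq 1 gre-ppp-payload (gre encap)",
     "9.9.9.131.1723 > 12.12.12.12.32237: tcp 0 (DF)"]
    + [line for n in range(1, 10) for line in (
        f"call 50151 seq {n} gre-ppp-payload (gre encap)",
        f"call 0 seq {n + 1} gre-ppp-payload (gre encap)")]
)

# Sample input reconstructed from the post's internal (xl0) capture.
INTERNAL_CAPTURE = "\n".join(
    ["12.12.12.12.43991 > 192.168.10.205.1723: tcp 24 (DF)",
     "call 999 seq 0 gre-ppp-payload (gre encap)",
     "call 16384 seq 0 ack 0 gre-ppp-payload (gre encap)"]
    + [f"call 16384 seq {n} gre-ppp-payload (gre encap)" for n in range(1, 11)]
)


if __name__ == "__main__":
    rep = compare_captures(EXTERNAL_CAPTURE, INTERNAL_CAPTURE)
    print(f"GRE packets: external={rep['external_count']} internal={rep['internal_count']}")
    print("call IDs only on external side:", rep["calls_only_external"])
    print("call IDs only on internal side:", rep["calls_only_internal"])
    for (side, call), g in sorted(rep["gaps"].items()):
        print(f"{side} call {call}: missing={g['missing']} reordered={g['out_of_order']}")
```

Run against the traces in the post, the report confirms the count difference the poster describes (21 GRE packets on de0 against 12 on xl0) and also shows that no call ID is common to both sides, which is a useful thing to have in front of you when deciding whether the firewall is dropping packets from one session or whether the two captures are looking at differently numbered calls.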