On Wed, Jan 26, 2005 at 09:23:36PM +0200, Toomas Aas wrote:
> Hello!
>
> I've installed a PPTP server on my FreeBSD 4.10 firewall which also has
> ipfilter 3.4.31. The idea is to allow people with Micros~1 PPTP VPN
> client to connect from anywhere on the Internet and access W2k server
> behind the firewall. So I added the following IPFilter rules:
>
> pass in quick on dc0 proto gre from any to 194.126.106.106/32
> pass out quick on dc0 proto gre from 194.126.106.106/32 to any
> pass in log first quick on dc0 proto tcp \
> from any to 194.126.106.106/32 port = 1723 flags S keep state
>
> Everything seems to work correctly. But is there a way to make this
> ruleset more restrictive? Do I have to allow both gre and tcp/1723 from
> 'any'? Can I use 'keep state' with gre?

There is a pptp proxy... See
http://msgs.securepoint.com/cgi-bin/get/ipfilter-0405/15.html
and
http://msgs.securepoint.com/cgi-bin/get/ipfilter-0405/16.html

-Guido
