Hello!
Guido van Rooij wrote:
> On Thu, Jan 27, 2005 at 11:07:00AM +0200, Toomas Aas wrote:
> > Guido van Rooij wrote:
> > > There is a pptp proxy...
> > Yes, but I am not dealing with a PPTP server behind my firewall. In my case the PPTP server (MPD) is running on the firewall machine itself. I don't think that the PPTP proxy is relevant in this case.
> Have you verified that statement?
I think "verify" is too strong a word to describe the mucking-around that I did. However, I did try the best I could and so far there's no success. It is entirely possible, of course, that I'm doing it all totally wrong.
So what did I do?
First I installed ipfilter 4.1.5 on my FreeBSD 4.10-RELEASE-p5 box. That went well. So far I had been using version 3.4.31 which comes with FreeBSD 4.10, but that version of ipfilter doesn't have the PPTP proxy.
Then I re-configured my PPTP server (MPD 3.18) to use 127.0.0.1 as its 'external interface' (so far I had been using my public IP, 194.126.106.106).
Then I added this rule to ipnat:
rdr dc0 194.126.106.106/32 port 1723 -> 127.0.0.1 port 1723 proxy pptp
My relevant ipfilter rule looked like this:
pass in log first quick on dc0 proto tcp \
from any to 127.0.0.1/32 port = 1723 \
flags S keep state
And then I tried to connect from a Windows XP box to my PPTP server. Using ipnat -l I could see that the pptp proxy connection was actually created, and the PPTP log on the server indicated that connection negotiation was going on. On the XP side, the status window displayed "Verifying user name and password..."
However, the connection was never negotiated successfully. In fact, if I let the negotiation process time out, the FreeBSD box rebooted (I tried this multiple times). I couldn't actually look at the screen to see if any panic messages were displayed, but there's nothing in system logs. If I cancel the connection negotiation on XP before it times out, the FreeBSD box does not reboot.
At the time the connection negotiation was going on, I saw some packets being blocked by ipfilter:
16:54:51.580553 dc0 @0:12 p 194.126.106.110,2640 -> 127.0.0.1,1723 PR tcp len 20 48 -S K-S IN NAT
Jan 27 16:54:51 wifi ipmon[56]: 16:54:51.604241 dc0 @0:8 b 127.0.0.1 -> 194.126.106.110 PR gre len 20 (74) OUT
(194.126.106.110 is the address from where I was trying to connect)
I thought that the entire idea of proxy was that I don't need to add extra rules for this gre traffic. But this doesn't seem to be the case here.
So, just for testing, I added a rule to pass out gre traffic from 127.0.0.1 to any and tried again, only to discover that now I was blocking incoming gre traffic from any to 127.0.0.1 and from any to 194.126.106.106. But even passing all this didn't make things work.
Finally, I went back to my original setup, with MPD listening on my external interface, no pptp proxy in ipnat rules, and ipfilter rules like this:
pass in log first quick on dc0 proto tcp from any \
to 194.126.106.106/32 port = 1723 flags S keep state
pass in log quick on dc0 proto gre from any to 194.126.106.106/32
pass out log quick on dc0 proto gre from 194.126.106.106/32 to any
PPTP connections are working successfully again (as they were before I started testing).
-- 
Toomas Aas
arvutivõrgu peaspetsialist | head specialist on computer networks
Tartu Linnakantselei | Tartu City Office
+372 736 1274
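An added example, not part of this mailing-list thread: a small Python parser for ipmon log lines of the kind quoted in the post, which picks out the blocked PPTP-related packets (the TCP/1723 control channel and GRE to or from the server address) and counts them per interface, rule and direction, so the rule that drops the GRE data channel can be found directly. The sample log lines are constructed, with a placeholder client address and rule numbers; the PPTP server address 127.0.0.1 follows the setup described in the post.

```python
import re
from collections import Counter

# Constructed sample modelled on the ipmon lines quoted in the post; the client
# address and rule numbers are placeholders, not a capture from that firewall.
SAMPLE_LOG = """\
Jan 27 16:54:51 wifi ipmon[56]: 16:54:51.580553 dc0 @0:12 p 192.0.2.10,2640 -> 127.0.0.1,1723 PR tcp len 20 48 -S K-S IN NAT
Jan 27 16:54:51 wifi ipmon[56]: 16:54:51.604241 dc0 @0:8 b 127.0.0.1 -> 192.0.2.10 PR gre len 20 (74) OUT
16:54:52.100000 dc0 @0:8 b 192.0.2.10 -> 127.0.0.1 PR gre len 20 (74) IN
Jan 27 16:54:53 wifi ipmon[56]: 16:54:53.000000 dc0 @0:3 b 192.0.2.99,4321 -> 127.0.0.1,22 PR tcp len 20 48 -S IN
"""

# One ipmon record: optional syslog prefix, timestamp, interface, @group:rule,
# action (p = passed, b = blocked), src[,port] -> dst[,port], PR proto, length
# and flag fields, then IN or OUT with an optional NAT marker.
IPMON_RE = re.compile(r"""
    (?:ipmon\[\d+\]:\s+)?
    (?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+
    @(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+
    (?P<src>\S+?)(?:,(?P<sport>\d+))?\s+->\s+
    (?P<dst>\S+?)(?:,(?P<dport>\d+))?\s+
    PR\s+(?P<proto>\S+)\s+.*?\b(?P<dir>IN|OUT)\b(?P<nat>\s+NAT)?
""", re.VERBOSE)


def parse_ipmon(text):
    """Parse every line that looks like an ipmon record; skip anything else."""
    return [m.groupdict() for m in map(IPMON_RE.search, text.splitlines()) if m]


def blocked_pptp(records, server_ip):
    """Blocked records belonging to PPTP: the TCP/1723 control channel, or GRE
    to/from the PPTP server address (the data channel PPTP tunnels over)."""
    hits = []
    for r in records:
        if r["action"] != "b":
            continue
        control = r["proto"] == "tcp" and "1723" in (r["sport"], r["dport"])
        data = r["proto"] == "gre" and server_ip in (r["src"], r["dst"])
        if control or data:
            hits.append(r)
    return hits


def blocking_rules(hits):
    """Count blocks per (interface, rule, protocol, direction), which points at
    the rule that needs a GRE pass (or at a proxy that is not handling GRE)."""
    return Counter((r["iface"], f"@{r['group']}:{r['rule']}", r["proto"], r["dir"])
                   for r in hits)
```

Run against a real ipmon log with the firewall's PPTP server address; the unrelated blocked SSH line in the sample shows that only PPTP traffic is reported.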
