Hate replying to my own post, but does anyone have any ideas on this? This is for PPTP pass-through, not for an OpenBSD PPTP server. Has anyone got this working with 4.7 or 4.8?
-----Original message-----
To: [email protected]
From: Peter Merritt <[email protected]>
Sent: Tue 19-10-2010 16:00
Subject: Can't get pptp vpn working.
I just cannot pass GRE through an OpenBSD firewall; this was working fine with 4.6 and previous. 4.7 would pass traffic erratically with this C7 motherboard, so I upgraded to 4.8 beta, and other than this problem it has been working well. What follows is my pf.conf and other information; I would like some insight into this. Also, since 4.7 logging does not work like it used to when using tcpdump: for instance, you will see that the box is passing RDP traffic, but it never logs it hitting the rule that passes and rdr's RDP traffic. I think I am missing something, or the packets are changed by the time they hit the rule so the rule is not triggered. Any explanations would be greatly appreciated.
Peter
# uname -a
OpenBSD Firewall.southwest-airmotive.com 4.8 GENERIC#126 i386
We have 2 IPs.
# cat /etc/hostname.re0
inet 98.191.121.43 255.255.255.240 NONE
alias 98.191.121.44 255.255.255.255
# cat /etc/hostname.re1
inet 192.168.0.254 255.255.255.0 NONE
group ingress
# sysctl -a | grep gre
net.inet.gre.allow=0 # I have also tried these settings on
net.inet.gre.wccp=0
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0
Stripped-down pf.conf; with some experimentation I also tried quick, with the same results. IPs and hostnames obfuscated. This box sits in front of an SBS server.
## Macros ##
## Interfaces ##
ext_if = "re0"
int_if = "re1"
## Global Variables ##
ext_ip = "x.x.x.44"
int_net = $int_if:network
gateway = "192.168.0.254/32"
server = "192.168.0.1/32"
mailgate = "x.x.x.44"
fake_mx = "x.x.x.43"
d_pc = "192.168.0.31"
ftp_port = "8021"
server_ports = "{ https,imaps,4125,4343 }" # pwm removed pptp 10/17
smtp = "{ 25 }"
ssh_ports = "{ ssh }"
rdp = "{ 3389 }"
antiscanport = "{23:79, 6000:8000}"
icmp_types = "{ echoreq, unreach }"
netbios = "{ epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds }"
trojan = "{ 3127,31791,6667,7000,8111,49400,54320,61439,61440,61441,65301,19,8998 }"
## Tables ##
table <authorized> const file "/etc/tables/authorized"
table <blacklist> const file "/etc/tables/blacklist"
table <ad_servers> persist
table <bogons> persist file "/etc/tables/bogon-bn-nonagg.txt"
#table <sinokorea> persist file "/etc/tables/sinokoreacidr.txt"
#table <adminservers> const file "/etc/tables/adminservers"
table <bots> persist
table <authpf_users> persist
table <spamd-white> persist
# filtering on lo0
set skip on { lo0 enc0, $int_if }
#match out log on egress from $server to any tag EGRESS nat-to ($ext_if) static-port
#match out log on egress from $server to any tag EGRESS nat-to ($ext_if:0) static-port
#match out log on egress from !$server to any tag EGRESS nat-to ($ext_if) port 1024:65535
#match out log on egress from !$server to any tag EGRESS nat-to ($ext_if:0) port 1024:65535
#match out log on egress from (self) to any tag EGRESS nat-to ($ext_if) port 1024:65535
#match out log on egress from (self) to any tag EGRESS nat-to ($ext_if:0) port 1024:65535
match out on $ext_if from 192.168.0.0/24 nat-to ($ext_if)
## Packet normalization ( "scrubbing" )
#match log on $ext_if all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1460)
### Blocking spoofed packets: enable "set state-policy if-bound" above
#antispoof log for { lo0 $int_if ($ext_if) }
#block drop in log inet6
#block drop in log from no-route to any
#block return in log on $ext_if from <ad_servers> to any
#block drop in log on $ext_if from <blacklist> to any
#block drop in log on $ext_if from <bogons> to any
#block drop in log on $ext_if from <sinokorea> to any
#block drop in log on $ext_if from <bots> to any
#block drop in log on $ext_if from any to $ext_if:broadcast
#block in log on $ext_if from 0.0.0.0/32
#block in log on $ext_if from any to 224.0.0.1
#block in log on $ext_if from 224/8
#block drop in log on $ext_if from any to 255.255.255.255
#block drop in log on $ext_if proto {tcp,udp} from any to $ext_if port $netbios
# Urpf
#block in log from urpf-failed label uRPF
#block out log on $ext_if proto { tcp,udp } to any port $trojan
#block out log on $int_if proto { tcp,udp } to any port $trojan
#block out log on $ext_if proto { tcp,udp } from any to any port $netbios
# Block rst on fake mx ip
#block return in log on $ext_if proto tcp from any to $fake_mx port smtp
#block drop in on $ext_if proto { tcp,udp,icmp } from any to $fake_mx
## Ftp
anchor "ftp-proxy/*"
## Inbound on ext
# dns
pass in log on $ext_if proto udp from $ext_if to ($ext_if) keep state
# Gre
pass in log on $ext_if proto gre from $ext_if to ($ext_if) rdr-to $server
pass in log on $ext_if inet proto udp from $ext_if to ($ext_if) port 1194
# Ssh inbound
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port ssh rdr-to lo0
# Ntp Inbound
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port ntp \
	rdr-to lo0 port ntp
# Inbound https, and imaps to Server
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port $server_ports \
	rdr-to $server
# PPTP
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port pptp rdr-to $server
# IPSEC
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port { 500, 4500 } \
	rdr-to $server
# Inbound Rdp, locked down hard, 4 attempts in 5 mins
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 3389 rdr-to $server
# pass in Mail
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port smtp
# Pass in Magicjack to D's Computer
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port smtp rdr-to $d_pc
pass in log on $ext_if proto udp
pass in log on $ext_if proto gre
pass log on $int_if
# tcpdump -ettti pflog0 host my.host.org and port ! ssh
tcpdump: listening on pflog0, link-type PFLOG
Oct 19 14:18:29.797288 rule 20/(match) pass in on re0: my.ip.cox.net.19499 > remote.customersdomain.com.pptp: S 2074584932:2074584932(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:19:12.163309 rule 20/(match) pass in on re0: my.ip.cox.net.19573 > remote.customersdomain.com.pptp: S 132277570:132277570(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:19:55.191611 rule 20/(match) pass in on re0: my.ip.cox.net.19599 > remote.customersdomain.com.pptp: S 2089194955:2089194955(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:20:38.381241 rule 20/(match) pass in on re0: my.ip.cox.net.19610 > remote.customersdomain.com.pptp: S 904576831:904576831(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:12.346349 rule 140/(match) pass in on re0: my.ip.cox.net.19622 > remote.customersdomain.com.pptp: S 1057217887:1057217887(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:12.346377 rule 7/(match) match in on re0: my.ip.cox.net.19622 > remote.customersdomain.com.pptp: S 1057217887:1057217887(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:55.205457 rule 140/(match) pass in on re0: my.ip.cox.net.19634 > remote.customersdomain.com.pptp: S 2338961963:2338961963(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:55.205484 rule 7/(match) match in on re0: my.ip.cox.net.19634 > remote.customersdomain.com.pptp: S 2338961963:2338961963(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:57.901527 rule 143/(match) pass in on re0: my.ip.cox.net.19635 > remote.customersdomain.com.3389: S 3113270439:3113270439(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:57.901554 rule 7/(match) match in on re0: my.ip.cox.net.19635 > remote.customersdomain.com.3389: S 3113270439:3113270439(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:58.031096 rule 143/(match) pass in on re0: my.ip.cox.net.19636 > remote.customersdomain.com.3389: S 950331510:950331510(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
Oct 19 14:21:58.031124 rule 7/(match) match in on re0: my.ip.cox.net.19636 > remote.customersdomain.com.3389: S 950331510:950331510(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
^C
1514 packets received by filter
0 packets dropped by kernel
tcpdump: listening on re0, link-type EN10MB
14:28:28.076241 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: S 113616150:113616150(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
14:28:28.077198 remote.customersdomain.com.pptp > my.ip.cox.net.19828: S 1720183723:1720183723(0) ack 113616151 win 16384 <mss 1460,nop,wscale 0,nop,nop,sackOK> [tos 0x10]
14:28:28.101811 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: P 1:157(156) ack 1 win 64240 (DF)
14:28:28.102509 remote.customersdomain.com.pptp > my.ip.cox.net.19828: P 1:157(156) ack 157 win 65379 (DF) [tos 0x10]
14:28:28.149145 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: P 157:325(168) ack 157 win 64084 (DF)
14:28:28.151124 remote.customersdomain.com.pptp > my.ip.cox.net.19828: P 157:189(32) ack 325 win 65211 (DF) [tos 0x10]
14:28:28.203823 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: P 325:349(24) ack 189 win 64052 (DF)
14:28:28.218046 call 17341 seq 0 gre-ppp-payload (gre encap)
14:28:28.381980 remote.customersdomain.com.pptp > my.ip.cox.net.19828: . ack 349 win 65187 (DF) [tos 0x10]
14:28:30.218240 call 17341 seq 1 gre-ppp-payload (gre encap)
14:28:33.214069 call 17341 seq 2 gre-ppp-payload (gre encap)
14:28:37.214330 call 17341 seq 3 gre-ppp-payload (gre encap)
14:28:41.255383 call 17341 seq 4 gre-ppp-payload (gre encap)
14:28:45.215984 call 17341 seq 5 gre-ppp-payload (gre encap)
14:28:49.217986 call 17341 seq 6 gre-ppp-payload (gre encap)
14:28:53.215778 call 17341 seq 7 gre-ppp-payload (gre encap)
14:28:57.216361 call 17341 seq 8 gre-ppp-payload (gre encap)
tcpdump -i re1 host server.weirdwater.org and port ! ssh
tcpdump: listening on re1, link-type EN10MB
14:30:47.326211 my.ip.cox.net.19868 > server.customers-domain.local.pptp: S 1431722393:1431722393(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF) [tos 0x10]
14:30:47.326657 server.customers-domain.local.pptp > my.ip.cox.net.19868: S 1837099729:1837099729(0) ack 1431722394 win 16384 <mss 1460,nop,wscale 0,nop,nop,sackOK>
14:30:47.350838 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 1:157(156) ack 1 win 64240 (DF) [tos 0x10]
14:30:47.351285 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 1:157(156) ack 157 win 65379 (DF)
14:30:47.372235 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 157:325(168) ack 157 win 64084 (DF) [tos 0x10]
14:30:47.374092 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 157:189(32) ack 325 win 65211 (DF)
14:30:47.438026 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 325:349(24) ack 189 win 64052 (DF) [tos 0x10]
14:30:47.617689 server.customers-domain.local.pptp > my.ip.cox.net.19868: . ack 349 win 65187 (DF)
14:31:24.503251 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 349:365(16) ack 189 win 64052 (DF) [tos 0x10]
14:31:24.503696 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 189:337(148) ack 365 win 65171 (DF)
14:31:24.532445 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 365:381(16) ack 337 win 63904 (DF) [tos 0x10]
14:31:24.532890 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 337:353(16) ack 381 win 65155 (DF)
14:31:24.591852 my.ip.cox.net.19868 > server.customers-domain.local.pptp: F 381:381(0) ack 353 win 63888 (DF) [tos 0x10]
14:31:24.592295 server.customers-domain.local.pptp > my.ip.cox.net.19868: F 353:353(0) ack 382 win 65155 (DF)
14:31:24.614119 my.ip.cox.net.19868 > server.customers-domain.local.pptp: . ack 354 win 63888 (DF) [tos 0x10]
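PPTP pass-through in the OpenBSD 4.7+ pf syntax, shown here as an added example that is not part of the thread above and is not the poster's configuration. It reuses his interface macros and server address, assumes the remote PPTP peer's address is not known in advance (hence "from any"), and is illustrative of how the control and data channels are normally expressed, not a tested fix for the problem he reports.

```pf
# Added example, not the poster's pf.conf. Macro names and the server address
# are assumed to match the post ($ext_if = re0, $int_if = re1, 192.168.0.1).
ext_if = "re0"
int_if = "re1"
server = "192.168.0.1"

set skip on { lo0 $int_if }

# Source NAT for the LAN. GRE has no ports, so only the address is rewritten.
match out on $ext_if inet from $int_if:network nat-to ($ext_if)

# Control channel: TCP/1723 from any remote peer to the firewall's own address,
# redirected to the internal server. "quick" ends rule evaluation here, so a
# later, broader pass rule without rdr-to cannot become the last matching rule
# and take the place of this one.
pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port pptp \
	rdr-to $server

# Data channel: GRE (IP protocol 47) between the same two hosts, same pattern.
# The state created here is keyed on the address pair, since GRE has no ports,
# so the server's GRE replies to the peer match it on the way back out and no
# separate outbound rule is needed.
pass in quick log on $ext_if inet proto gre from any to ($ext_if) \
	rdr-to $server

# Check: "pfctl -vvsr" prints every loaded rule prefixed with @N; that N is the
# number pflog shows as "rule N/(match)" in "tcpdump -n -e -ttt -i pflog0", so
# the rule a logged packet actually hit can be read off directly.
```

Two things are worth verifying on a live box after loading rules like these: that `pfctl -vvsr` shows the GRE rule at the number pflog reports for the GRE packets, and that `tcpdump -i re1 proto gre` on the inside interface sees the tunnel packets leaving toward the server, which is what a successful rdr-to looks like from the inside.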