sysctl net.inet.gre.allow=1 ? "pass proto gre" in your pf rules?
On Thu, 21 Oct 2010 19:50:14 -0700 Peter Merritt <[email protected]> wrote:

> Hate replying to my own post, but does anyone have any ideas on this? This
> is for PPTP pass-through, not for an OpenBSD PPTP server. Has anyone got
> this working with 4.7 or 4.8?
>
> -----Original message-----
> To: [email protected]
> From: Peter Merritt <[email protected]>
> Sent: Tue 19-10-2010 16:00
> Subject: Can't get pptp vpn working.
>
> I just can not pass GRE through an OpenBSD firewall; this was working fine
> with 4.6 and previous. 4.7 would pass traffic erratically with this C7
> motherboard, so I upgraded to 4.8 beta, and other than this problem it has
> been working well. What follows is my pf.conf and other information; I
> would like some insight into this. Also, since 4.7 logging does not work
> like it used to when using tcpdump: for instance you will see that the box
> is passing RDP traffic, but it never logs it hitting the rule that passes
> and redirects RDP traffic. I think I am missing something, or the packets
> are changed by the time they hit the rule so the rule is not triggered; any
> explanations would be greatly appreciated.
>
> Peter
>
> # uname -a
> OpenBSD Firewall.southwest-airmotive.com 4.8 GENERIC#126 i386
>
> We have 2 IPs
> cat /etc/hostname.re0
> inet 98.191.121.43 255.255.255.240 NONE
> alias 98.191.121.44 255.255.255.255
>
> # cat /etc/hostname.re1
> inet 192.168.0.254 255.255.255.0 NONE
> group ingress
>
> # sysctl -a | grep gre
> net.inet.gre.allow=0   # I have also tried these settings on
> net.inet.gre.wccp=0
>
> net.inet.ip.forwarding=1
> net.inet.ip.mforwarding=0
> net.inet6.ip6.forwarding=1
> net.inet6.ip6.mforwarding=0
>
> Stripped down pf.conf; with some experimentation I also tried quick, with
> the same results. IPs and hostnames obfuscated. This box sits in front of
> an SBS server.
>
> #Macros ##
> ## Interfaces ##
> ext_if = "re0"
> int_if = "re1"
>
> ## Global Variables ##
> ext_ip = "x.x.x.44"
> int_net = $int_if:network
> gateway = "192.168.0.254/32"
> server = "192.168.0.1/32"
> mailgate = "x.x.x.44"
> fake_mx = "x.x.x.43"
> d_pc = "192.168.0.31"
> ftp_port = "8021"
> server_ports = "{ https,imaps,4125,4343 }" # pwm removed pptp 10/17
> smtp = "{ 25 }"
> ssh_ports = "{ ssh }"
> rdp = "{ 3389 }"
> antiscanport = "{23:79, 6000:8000}"
>
> icmp_types = "{ echoreq, unreach }"
> netbios = "{ epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds }"
> trojan = "{ 3127,31791,6667,7000,8111,49400,54320,61439,61440,61441,65301,19,8998 }"
>
> ## Tables ##
> table <authorized> const file "/etc/tables/authorized"
> table <blacklist> const file "/etc/tables/blacklist"
> table <ad_servers> persist
> table <bogons> persist file "/etc/tables/bogon-bn-nonagg.txt"
> #table <sinokorea> persist file "/etc/tables/sinokoreacidr.txt"
> #table <adminservers> const file "/etc/tables/adminservers"
> table <bots> persist
> table <authpf_users> persist
> table <spamd-white> persist
>
> # filtering on lo0
> set skip on { lo0 enc0, $int_if }
>
> #match out log on egress from $server to any tag EGRESS nat-to ($ext_if) static-port
> #match out log on egress from $server to any tag EGRESS nat-to ($ext_if:0) static-port
> #match out log on egress from !$server to any tag EGRESS nat-to ($ext_if) port 1024:65535
> #match out log on egress from !$server to any tag EGRESS nat-to ($ext_if:0) port 1024:65535
> #match out log on egress from (self) to any tag EGRESS nat-to ($ext_if) port 1024:65535
> #match out log on egress from (self) to any tag EGRESS nat-to ($ext_if:0) port 1024:65535
> match out on $ext_if from 192.168.0.0/24 nat-to ($ext_if)
>
> ## Packet normalization ( "scrubbing" )
> #match log on $ext_if all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1460)
>
> ### Blocking spoofed packets: enable "set state-policy if-bound" above
> #antispoof log for { lo0 $int_if ($ext_if) }
> #block drop in log inet6
> #block drop in log from no-route to any
> #block return in log on $ext_if from <ad_servers> to any
> #block drop in log on $ext_if from <blacklist> to any
> #block drop in log on $ext_if from <bogons> to any
> #block drop in log on $ext_if from <sinokorea> to any
> #block drop in log on $ext_if from <bots> to any
> #block drop in log on $ext_if from any to $ext_if:broadcast
> #block in log on $ext_if from 0.0.0.0/32
> #block in log on $ext_if from any to 224.0.0.1
> #block in log on $ext_if from 224/8
> #block drop in log on $ext_if from any to 255.255.255.255
> #block drop in log on $ext_if proto {tcp,udp} from any to $ext_if port $netbios
>
> # Urpf
> #block in log from urpf-failed label uRPF
>
> #block out log on $ext_if proto { tcp,udp } to any port $trojan
> #block out log on $int_if proto { tcp,udp } to any port $trojan
> #block out log on $ext_if proto { tcp,udp } from any to any port $netbios
>
> # Block rst on fake mx ip
> #block return in log on $ext_if proto tcp from any to $fake_mx port smtp
> #block drop in on $ext_if proto { tcp,udp,icmp } from any to $fake_mx
>
> ## Ftp
> anchor "ftp-proxy/*"
>
> ## Inbound on ext
> # dns
> pass in log on $ext_if proto udp from $ext_if to ($ext_if) keep state
>
> # Gre
> pass in log on $ext_if proto gre from $ext_if to ($ext_if) rdr-to $server
>
> pass in log on $ext_if inet proto udp from $ext_if to ($ext_if) port 1194
>
> # Ssh inbound
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port ssh rdr-to lo0
>
> # Ntp Inbound
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port ntp \
>         rdr-to lo0 port ntp
>
> # Inbound https, and imaps to Server
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port $server_ports \
>         rdr-to $server
>
> # PPTP
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port pptp rdr-to $server \
>
> # IPSEC
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port { 500, 4500 } \
>         rdr-to $server
>
> # Inbound Rdp, locked down hard, 4 attempts in 5 mins
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 3389 rdr-to $server
>
> # pass in Mail
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port smtp
>
> # Pass in Magicjack to D's Computer
> pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port smtp rdr-to $d_pc
>
> pass in log on $ext_if proto udp
> pass in log on $ext_if proto gre
> pass log on $int_if
>
>
> # tcpdump -ettti pflog0 host my.host.org and port ! ssh
> tcpdump: listening on pflog0, link-type PFLOG
> Oct 19 14:18:29.797288 rule 20/(match) pass in on re0: my.ip.cox.net.19499 > remote.customersdomain.com.pptp: S 2074584932:2074584932(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:19:12.163309 rule 20/(match) pass in on re0: my.ip.cox.net.19573 > remote.customersdomain.com.pptp: S 132277570:132277570(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:19:55.191611 rule 20/(match) pass in on re0: my.ip.cox.net.19599 > remote.customersdomain.com.pptp: S 2089194955:2089194955(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:20:38.381241 rule 20/(match) pass in on re0: my.ip.cox.net.19610 > remote.customersdomain.com.pptp: S 904576831:904576831(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:12.346349 rule 140/(match) pass in on re0: my.ip.cox.net.19622 > remote.customersdomain.com.pptp: S 1057217887:1057217887(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:12.346377 rule 7/(match) match in on re0: my.ip.cox.net.19622 > remote.customersdomain.com.pptp: S 1057217887:1057217887(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:55.205457 rule 140/(match) pass in on re0: my.ip.cox.net.19634 > remote.customersdomain.com.pptp: S 2338961963:2338961963(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:55.205484 rule 7/(match) match in on re0: my.ip.cox.net.19634 > remote.customersdomain.com.pptp: S 2338961963:2338961963(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:57.901527 rule 143/(match) pass in on re0: my.ip.cox.net.19635 > remote.customersdomain.com.3389: S 3113270439:3113270439(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:57.901554 rule 7/(match) match in on re0: my.ip.cox.net.19635 > remote.customersdomain.com.3389: S 3113270439:3113270439(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:58.031096 rule 143/(match) pass in on re0: my.ip.cox.net.19636 > remote.customersdomain.com.3389: S 950331510:950331510(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> Oct 19 14:21:58.031124 rule 7/(match) match in on re0: my.ip.cox.net.19636 > remote.customersdomain.com.3389: S 950331510:950331510(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> ^C
> 1514 packets received by filter
> 0 packets dropped by kernel
>
> tcpdump: listening on re0, link-type EN10MB
> 14:28:28.076241 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: S 113616150:113616150(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF)
> 14:28:28.077198 remote.customersdomain.com.pptp > my.ip.cox.net.19828: S 1720183723:1720183723(0) ack 113616151 win 16384 <mss 1460,nop,wscale 0,nop,nop,sackOK> [tos 0x10]
> 14:28:28.101811 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: P 1:157(156) ack 1 win 64240 (DF)
> 14:28:28.102509 remote.customersdomain.com.pptp > my.ip.cox.net.19828: P 1:157(156) ack 157 win 65379 (DF) [tos 0x10]
> 14:28:28.149145 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: P 157:325(168) ack 157 win 64084 (DF)
> 14:28:28.151124 remote.customersdomain.com.pptp > my.ip.cox.net.19828: P 157:189(32) ack 325 win 65211 (DF) [tos 0x10]
> 14:28:28.203823 my.ip.cox.net.19828 > remote.customersdomain.com.pptp: P 325:349(24) ack 189 win 64052 (DF)
> 14:28:28.218046 call 17341 seq 0 gre-ppp-payload (gre encap)
> 14:28:28.381980 remote.customersdomain.com.pptp > my.ip.cox.net.19828: . ack 349 win 65187 (DF) [tos 0x10]
> 14:28:30.218240 call 17341 seq 1 gre-ppp-payload (gre encap)
> 14:28:33.214069 call 17341 seq 2 gre-ppp-payload (gre encap)
> 14:28:37.214330 call 17341 seq 3 gre-ppp-payload (gre encap)
> 14:28:41.255383 call 17341 seq 4 gre-ppp-payload (gre encap)
> 14:28:45.215984 call 17341 seq 5 gre-ppp-payload (gre encap)
> 14:28:49.217986 call 17341 seq 6 gre-ppp-payload (gre encap)
> 14:28:53.215778 call 17341 seq 7 gre-ppp-payload (gre encap)
> 14:28:57.216361 call 17341 seq 8 gre-ppp-payload (gre encap)
>
> tcpdump -i re1 host server.weirdwater.org and port ! ssh
> tcpdump: listening on re1, link-type EN10MB
> 14:30:47.326211 my.ip.cox.net.19868 > server.customers-domain.local.pptp: S 1431722393:1431722393(0) win 64240 <mss 1260,nop,wscale 0,nop,nop,sackOK> (DF) [tos 0x10]
> 14:30:47.326657 server.customers-domain.local.pptp > my.ip.cox.net.19868: S 1837099729:1837099729(0) ack 1431722394 win 16384 <mss 1460,nop,wscale 0,nop,nop,sackOK>
> 14:30:47.350838 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 1:157(156) ack 1 win 64240 (DF) [tos 0x10]
> 14:30:47.351285 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 1:157(156) ack 157 win 65379 (DF)
> 14:30:47.372235 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 157:325(168) ack 157 win 64084 (DF) [tos 0x10]
> 14:30:47.374092 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 157:189(32) ack 325 win 65211 (DF)
> 14:30:47.438026 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 325:349(24) ack 189 win 64052 (DF) [tos 0x10]
> 14:30:47.617689 server.customers-domain.local.pptp > my.ip.cox.net.19868: . ack 349 win 65187 (DF)
> 14:31:24.503251 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 349:365(16) ack 189 win 64052 (DF) [tos 0x10]
> 14:31:24.503696 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 189:337(148) ack 365 win 65171 (DF)
> 14:31:24.532445 my.ip.cox.net.19868 > server.customers-domain.local.pptp: P 365:381(16) ack 337 win 63904 (DF) [tos 0x10]
> 14:31:24.532890 server.customers-domain.local.pptp > my.ip.cox.net.19868: P 337:353(16) ack 381 win 65155 (DF)
> 14:31:24.591852 my.ip.cox.net.19868 > server.customers-domain.local.pptp: F 381:381(0) ack 353 win 63888 (DF) [tos 0x10]
> 14:31:24.592295 server.customers-domain.local.pptp > my.ip.cox.net.19868: F 353:353(0) ack 382 win 65155 (DF)
> 14:31:24.614119 my.ip.cox.net.19868 > server.customers-domain.local.pptp: . ack 354 win 63888 (DF) [tos 0x10]

--
With best regards,
Gregory Edigarov
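An added checker, not code from either poster, for the two prerequisites the reply names: it reads `sysctl -a` output and a pf.conf and reports whether `net.inet.gre.allow` is 1 and whether any `pass ... proto gre` rule exists. The sample inputs are constructed from the quoted post; the `from_own_addr` flag is an extra check the thread does not mention (pf expands a bare interface name in the `from` position to that interface's own addresses).

```python
import re

# Constructed sample input mirroring the quoted post: sysctl output with GRE
# disabled and a trimmed pf.conf with the macros and the GRE rules.
SYSCTL_OUT = """net.inet.gre.allow=0
net.inet.gre.wccp=0
net.inet.ip.forwarding=1
"""
PF_CONF = """ext_if = "re0"
server = "192.168.0.1/32"
# Gre
pass in log on $ext_if proto gre from $ext_if to ($ext_if) rdr-to $server
pass in log on $ext_if proto udp
pass in log on $ext_if proto gre
"""

def parse_sysctl(text):
    """Turn key=value lines from 'sysctl -a' into a dict."""
    pairs = (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_macros(text):
    """Collect pf.conf macro definitions of the form name = "value"."""
    macro_re = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
    return {m[1]: m[2].strip() for m in map(macro_re.match, text.splitlines()) if m}

def gre_rules(text):
    """Return every 'pass ... proto gre' rule with macros expanded, flagging
    whether it rdr-to's a host and whether its 'from' is the external
    interface name (pf expands that to the interface's own addresses, so
    such a rule matches only packets sourced by the firewall itself)."""
    macros = parse_macros(text)
    expand = lambda s: re.sub(r"\$(\w+)", lambda m: macros.get(m[1], m[0]), s)
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("pass") and re.search(r"\bproto\s+gre\b", line):
            rule = expand(line)
            src = re.search(r"\bfrom\s+(\S+)", rule)
            out.append({"rule": rule, "rdr_to": "rdr-to" in rule,
                        "from_own_addr": bool(src) and src[1] == macros.get("ext_if")})
    return out

def gre_passthrough_check(sysctl_text, pfconf_text):
    """The two prerequisites the reply names: the sysctl and a pass rule."""
    allow = parse_sysctl(sysctl_text).get("net.inet.gre.allow") == "1"
    rules = gre_rules(pfconf_text)
    return {"gre_allow": allow, "rules": rules, "ok": allow and bool(rules)}
```

Run against the constructed input it reports `gre_allow` False (the sysctl is 0 in the post) and two GRE pass rules, the first of which is restricted to the firewall's own source address.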

