-----Original Message-----
From: Chris Willis
Sent: Sunday, March 12, 2006 10:23 AM
To: 'Melameth, Daniel D.'
Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
This is what fwbuilder is creating.
set limit { frags 5000, states 10000 }
set timeout adaptive.start 8000
set timeout adaptive.end 10000
set optimization Normal
#
# Scrub rules
#
scrub in all fragment reassemble
scrub out all random-id
#
# Rule 0 (NAT)
# force mail server to NAT using same IP as incoming mail
#
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
#
# Rule 1 (NAT)
# force outbound vpn traffic to source port 500
#
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
#
# Rule 2 (NAT)
# NAT all 1928 LAN clients to an IP address on the external NIC
#
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
#
# Rule 3 (NAT)
# Port Forward services to DC1
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 3389 -> 192.168.254.254 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.226 port 1723 -> 192.168.254.254 port 1723
rdr on fxp0 proto udp from any to 64.62.37.226 port 500 -> 192.168.254.254 port 500
rdr on fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 51 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 50 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto tcp from any to 64.62.37.226 port 22 -> 192.168.254.254 port 22
#
# Rule 4 (NAT)
# Port Forward Services to MAIL1
#
rdr on fxp0 proto tcp from any to 64.62.37.227 port 110 -> 192.168.254.253 port 110
rdr on fxp0 proto tcp from any to 64.62.37.227 port 443 -> 192.168.254.253 port 443
rdr on fxp0 proto tcp from any to 64.62.37.227 port 3389 -> 192.168.254.253 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.227 port 80 -> 192.168.254.253 port 80
#
# Rule 5 (NAT)
# port forward to the store camera
#
rdr on fxp0 proto tcp from any to 64.62.37.228 port 80 -> 192.168.202.96 port 80
#
# Rule 6 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 23 -> 192.168.200.11 port 23
#
# Rule 7 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
rdr on fxp0 proto udp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
#
# Rule 8 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11002 -> 192.168.202.19 port 21
#
# Rule 9 (NAT)
#
#
rdr on fxp0 proto tcp from any to 64.62.37.230 port 3389 -> 192.168.254.255 port 3389
# Tables: (3)
table <id4411F6F4.1> { 224.0.0.0/4 , 169.254.0.0/16 , 127.0.0.0/8 , 10.0.0.0/8 , 192.168.0.0/12 , 192.0.2.0/24 , 0.0.0.0/8 }
table <id4411F73B.2> { 64.62.37.226 , 64.62.37.227 , 64.62.37.228 , 64.62.37.229 , 64.62.37.230 , 192.168.200.89 , 192.168.200.40 }
table <id4411FCBC.1> { 192.168.0.0/16 , 66.134.48.170 }
#
# Rule 0 (fxp0)
# anti-spoof rule for external interfaces
#
block in log quick on fxp0 inet from <id4411F6F4.1> to any label "RULE 0 -- DROP "
#
# Rule 0 (lo0)
# allow loopback to all - required to log onto box
#
pass in log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
pass out log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT "
#
# Rule 0 (global)
# deny bad combinations of TCP flags
#
block in log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP "
block in log quick inet proto tcp from any to any flags UARSF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP "
block out log quick inet proto tcp from any to any flags UARSF/UAPRSF label "RULE 0 -- DROP "
#
# Rule 1 (global)
# email goes to postfix on firewall first
#
pass in quick inet proto tcp from any port >= 1024 to <id4411F73B.2> port 25 flags S/S modulate state label "RULE 1 -- ACCEPT "
#
# Rule 2 (global)
# doug added ssh to dc1
#
pass in quick inet proto tcp from 64.241.74.206 to 192.168.254.254 port 22 modulate state label "RULE 2 -- ACCEPT "
pass out quick inet proto tcp from 64.241.74.206 to 192.168.254.254 port 22 modulate state label "RULE 2 -- ACCEPT "
#
# Rule 3 (global)
# allow remote admin & VPN traffic to DC1
#
pass in quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 3389 flags S/S modulate state label "RULE 3 -- ACCEPT "
pass in quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 1723 modulate state label "RULE 3 -- ACCEPT "
pass in quick inet proto udp from any to 192.168.254.254 port 500 keep state label "RULE 3 -- ACCEPT "
pass in quick inet proto 47 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass in quick inet proto 50 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass in quick inet proto 51 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 3389 flags S/S modulate state label "RULE 3 -- ACCEPT "
pass out quick inet proto tcp from any port >= 1024 to 192.168.254.254 port 1723 modulate state label "RULE 3 -- ACCEPT "
pass out quick inet proto udp from any to 192.168.254.254 port 500 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto 47 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto 50 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
pass out quick inet proto 51 from any to 192.168.254.254 keep state label "RULE 3 -- ACCEPT "
#
# Rule 4 (global)
# allow mail, OWA and POP3 to MAIL1
#
pass in quick inet proto tcp from any port >= 1024 to 192.168.254.253 port 3389 flags S/S modulate state label "RULE 4 -- ACCEPT "
pass in quick inet proto tcp from any to 192.168.254.253 port { 443, 110, 80, 25 } modulate state label "RULE 4 -- ACCEPT "
pass out quick inet proto tcp from any port >= 1024 to 192.168.254.253 port 3389 flags S/S modulate state label "RULE 4 -- ACCEPT "
pass out quick inet proto tcp from any to 192.168.254.253 port { 443, 110, 80, 25 } modulate state label "RULE 4 -- ACCEPT "
#
# Rule 5 (global)
# terminal server services
#
pass in log quick inet proto tcp from any port >= 1024 to 192.168.254.255 port 3389 flags S/S modulate state label "RULE 5 -- ACCEPT "
pass out log quick inet proto tcp from any port >= 1024 to 192.168.254.255 port 3389 flags S/S modulate state label "RULE 5 -- ACCEPT "
#
# Rule 6 (global)
# access store camera from internet
#
pass in quick inet proto tcp from any to 192.168.202.96 port 80 modulate state label "RULE 6 -- ACCEPT "
pass out quick inet proto tcp from any to 192.168.202.96 port 80 modulate state label "RULE 6 -- ACCEPT "
#
# Rule 7 (global)
# allow firewall to access anywhere
#
pass out quick inet from <id4411F73B.2> to any keep state label "RULE 7 -- ACCEPT "
#
# Rule 8 (global)
# allow internal network to access certain firewall services
#
pass in quick inet proto icmp from <id4411FCBC.1> to <id4411F73B.2> keep state label "RULE 8 -- ACCEPT "
pass in quick inet proto tcp from <id4411FCBC.1> port >= 1024 to <id4411F73B.2> port 10000 flags S/S modulate state label "RULE 8 -- ACCEPT "
pass in quick inet proto tcp from <id4411FCBC.1> to <id4411F73B.2> port 3000 flags S/S modulate state label "RULE 8 -- ACCEPT "
pass in quick inet proto tcp from <id4411FCBC.1> to <id4411F73B.2> port { 22, 888 } modulate state label "RULE 8 -- ACCEPT "
#
# Rule 9 (global)
# allow telnet to the D3 computer
#
pass in quick inet proto tcp from any to 192.168.200.11 port 23
modulate state label "RULE 9 -- ACCEPT "
pass out quick inet proto tcp from any to 192.168.200.11 port 23
modulate state label "RULE 9 -- ACCEPT "
#
# Rule 10 (global)
#
#
pass in log quick inet proto tcp from any to 192.168.200.38 port 11001 modulate state label "RULE 10 -- ACCEPT "
pass in log quick inet proto udp from any to 192.168.200.38 port 11001 keep state label "RULE 10 -- ACCEPT "
pass out log quick inet proto tcp from any to 192.168.200.38 port 11001 modulate state label "RULE 10 -- ACCEPT "
pass out log quick inet proto udp from any to 192.168.200.38 port 11001 keep state label "RULE 10 -- ACCEPT "
#
# Rule 11 (global)
#
#
pass in log quick inet proto tcp from any to 192.168.202.19 port { 11002, 21 } modulate state label "RULE 11 -- ACCEPT "
pass out log quick inet proto tcp from any to 192.168.202.19 port { 11002, 21 } modulate state label "RULE 11 -- ACCEPT "
#
# Rule 12 (global)
# deny all other access to firewall
#
block in log quick inet from any to <id4411F73B.2> label "RULE 12 -- DROP "
#
# Rule 13 (global)
# allow burbank internal network outbound to internet
#
pass in quick inet from 192.168.0.0/16 to any keep state label "RULE 13 -- ACCEPT "
pass out quick inet from 192.168.0.0/16 to any keep state label "RULE 13 -- ACCEPT "
#
# Rule 14 (global)
# drop all other traffic
#
block in log quick inet from any to any label "RULE 14 -- DROP "
block out log quick inet from any to any label "RULE 14 -- DROP "
#
# Rule fallback rule
# fallback rule
#
block in quick inet from any to any label "RULE 10000 -- DROP "
block out quick inet from any to any label "RULE 10000 -- DROP "
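As an added diagnostic, not part of the thread and not fwbuilder or pf code, the script below parses the posted outbound nat rules and reports, for one LAN client, whether each protocol an outbound PPTP session uses (TCP 1723 and GRE, the two Daniel asked about) is translated by some nat rule. The rule excerpt and the client address 192.168.200.50 are constructed from the posted ruleset; a nat rule that names a destination port (Rule 1's "to any port 500") is treated as not covering general traffic.

```python
import ipaddress
import re

# Constructed excerpt of the NAT section posted in the thread (rdr lines omitted).
PF_CONF = """
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
"""

# An outbound PPTP client needs two things translated: the TCP 1723 control
# channel and the GRE tunnel (IP protocol 47, written as a bare number in pf).
PPTP_PROTOS = {"tcp": "TCP 1723 control channel", "47": "GRE tunnel (IP protocol 47)"}

# nat on IF [proto P|{P,Q}] from SRC to DST [port N] -> EXT ...
NAT_RE = re.compile(
    r"^\s*nat\s+on\s+(?P<if>\S+)(?:\s+proto\s+(?P<proto>\{[^}]*\}|\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$")

def parse_nat_rules(conf):
    """Return the nat rules as dicts; rdr and non-matching lines are ignored."""
    rules = []
    for line in conf.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        proto = m.group("proto")
        # Braced lists may be space- or comma-separated; no proto clause = any protocol.
        protos = set(re.split(r"[\s,]+", proto.strip("{} "))) if proto else set()
        # A 'port' before the '->' limits the rule to one destination port.
        rules.append({"if": m.group("if"), "protos": protos, "src": m.group("src"),
                      "dst_port_limited": "port" in m.group("rest").split("->")[0]})
    return rules

def covers(rule, client, proto):
    """True if `rule` translates `proto` traffic from `client` to any destination port."""
    if rule["dst_port_limited"]:
        return False
    src_ok = rule["src"] == "any" or ipaddress.ip_address(client) in \
        ipaddress.ip_network(rule["src"], strict=False)
    return src_ok and (not rule["protos"] or proto in rule["protos"])

def pptp_nat_coverage(conf, client):
    """Map each protocol PPTP needs to the first nat rule covering it for `client`, or None."""
    rules = parse_nat_rules(conf)
    return {p: next((r for r in rules if covers(r, client, p)), None) for p in PPTP_PROTOS}

if __name__ == "__main__":
    for proto, rule in pptp_nat_coverage(PF_CONF, "192.168.200.50").items():
        print(PPTP_PROTOS[proto] + ":", f"nat from {rule['src']}" if rule else "NOT translated")
```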
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Melameth, Daniel D.
Sent: Saturday, March 11, 2006 8:47 AM
To: [email protected]
Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
Post your rule set.
Chris Willis wrote:
> Ok, this is not a PPTP connection from the internet TO a box on the
> internal LAN.
>
> This is a problem with making a PPTP connection from the internal LAN
> to any PPTP server out on the internet.
>
> Thus, TCP 1723 and GRE are not the issue. I am passing ALL from the
> internal LAN to the internet.
>
> I used FWBuilder to create the policy for the FreeBSD box. When I
> install Linux 2.6 in place of the freebsd box, and use the exact same
> FWBuilder ruleset, then outbound PPTP works great.
>
> Any other thoughts?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Melameth, Daniel D.
> Sent: Saturday, March 11, 2006 12:27 AM
> To: [email protected]
> Subject: RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall
>
> Chris Willis wrote:
> > I have setup a FreeBSD box running PF for a client. It is the
> > 'firewall' for their internal LAN.
> >
> > I cannot make an outbound VPN connection from their LAN to any other
> > microsoft PPTP VPN server.
> >
> > The VPN connections work fine from any machine that plugs in to the
> > hub in FRONT of the firewall (static public IP), but that obviously
> > isn't the solution.
> >
> > What changes need to be made to the ruleset to allow outbound PPTP
> > connections? Here is the existing NAT rule I thought might work
> > based on browsing the Archives:
> >
> > nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any -> 206.135.37.226 port 500
> >
> > But it didn't help at all. I put that rule both in front of, and
> > behind, the regular NAT rule for outbound network traffic.
>
> I hate to say it Chris, but have you bothered to even find out what
> ports/protocols PPTP actually uses? Perhaps TCP 1723 and GRE?