Thread: pptp / pf issue
Old 02-16-2008, 06:28 AM
erik
 
Posts: n/a
Default Re: pptp / pf issue

Sameer wrote:

> Long story short, I have an issue with getting my VPN to connect to my
> w2k3 server box when I include the block all rule in my pf.conf:
>
> block log all
>
> Here's the output:
>
> Apr 04 06:04:09.291697 rule 1/0(match): block in on hme0: call 3033 seq 0 gre-ppp-payload (gre encap)
> Apr 04 06:04:11.288849 rule 1/0(match): block in on hme0: call 3033 seq 1 gre-ppp-payload (gre encap)
> Apr 04 06:04:14.291628 rule 1/0(match): block in on hme0: call 3033 seq 2 gre-ppp-payload (gre encap)
> Apr 04 06:04:17.831228 rule 1/0(match): block in on hme0: call 3033 seq 3 gre-ppp-payload (gre encap)
> Apr 04 06:04:21.299914 rule 1/0(match): block in on hme0: call 3033 seq 4 gre-ppp-payload (gre encap)
>
> @1 block drop log all
> [ Evaluations: 8 Packets: 5 Bytes: 275
> [ States:
> ]
>
> When I remove this rule, things seem to work w/o issue. I'm kinda'
> new to pf, so I included this rule after following the SOHO example in
> the FAQ.
>
> Instead of posting the entire pf.conf, let me instead post the
> sections I think are relevant to getting PPTP working (if I made an
> error in this, and you need the entire file, please let me know. I
> just thought it would be more helpful to streamline the post):
>
> -------------------
> rdr on hme4 inet proto { udp, tcp } from any to hme4 port 1723 -> 192.168.200.2
> rdr on hme4 inet proto gre from any to hme4 -> 192.168.200.2
> # VPN (tcp 1723 and gre 47)
> pass in quick on hme4 inet proto { udp, tcp } from any to hme1 port pptp flags S/FSRA keep state
> pass in quick on hme4 inet proto gre from any to hme1 keep state
> ---------------------
>
> My first question would be how important "block log all" is. Can I
> make do w/o it? It seems pretty important to me because it looks like
> the default deny all rule.


It is the default deny rule in your case.

>
> next, if it is important, what additional rules can I enter into the
> pf.conf file that will allow PPTP to work?


Very easy, look at the log. You block incoming on hme0. Your rule
applies to hme4. Without knowing the network setup it is quite
difficult to say what it should be.

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
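The interface mismatch EJ points at (packets blocked on hme0, pass rules written for hme4) is easy to miss by eye in a long pflog. As an added example that is not part of this thread, the following Python script parses the pflog lines and the pass rules quoted above and reports every blocked (direction, interface, protocol) combination for which no pass rule exists on that interface. The sample input is constructed from the quoted lines (re-joined onto one line each, since the mail client wrapped them); the helper names `parse_log`, `parse_rules` and `find_uncovered` are my own, and the protocol classification only recognises the GRE and PPTP markers seen in the post.

```python
import re
from collections import Counter

# Constructed sample input: the pflog output quoted in the post, one line per packet.
SAMPLE_LOG = """\
Apr 04 06:04:09.291697 rule 1/0(match): block in on hme0: call 3033 seq 0 gre-ppp-payload (gre encap)
Apr 04 06:04:11.288849 rule 1/0(match): block in on hme0: call 3033 seq 1 gre-ppp-payload (gre encap)
Apr 04 06:04:14.291628 rule 1/0(match): block in on hme0: call 3033 seq 2 gre-ppp-payload (gre encap)
Apr 04 06:04:17.831228 rule 1/0(match): block in on hme0: call 3033 seq 3 gre-ppp-payload (gre encap)
Apr 04 06:04:21.299914 rule 1/0(match): block in on hme0: call 3033 seq 4 gre-ppp-payload (gre encap)
"""

# Constructed sample input: the pass rules quoted in the post. The catch-all
# "block log all" is not a pass rule and so plays no part in coverage.
SAMPLE_RULES = """\
# VPN (tcp 1723 and gre 47)
pass in quick on hme4 inet proto { udp, tcp } from any to hme1 port pptp flags S/FSRA keep state
pass in quick on hme4 inet proto gre from any to hme1 keep state
"""

# "rule 1/0(match): block in on hme0: <rest of packet description>"
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<rest>.*)"
)
# "pass in quick on hme4 inet proto { udp, tcp } ..." / "... proto gre ..."
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)\b.*?\bon\s+(?P<iface>\w+)"
    r".*?\bproto\s+(?P<proto>\{[^}]*\}|\w+)"
)


def log_proto(rest):
    """Classify the protocol from the packet description at the end of a pflog line."""
    if "(gre encap)" in rest or "gre-ppp-payload" in rest:
        return "gre"
    if ".1723" in rest or "pptp" in rest:
        return "tcp"
    return "other"


def parse_log(text):
    """Turn pflog lines into dicts of rule number, action, direction, interface, protocol."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({
                "rule": int(m.group("rule")),
                "action": m.group("action"),
                "dir": m.group("dir"),
                "iface": m.group("iface"),
                "proto": log_proto(m.group("rest")),
            })
    return events


def parse_rules(text):
    """Extract action, direction, interface and protocol set from pf pass/block rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = RULE_RE.match(line) if line else None
        if m:
            protos = {p.strip() for p in m.group("proto").strip("{} ").split(",")}
            rules.append({"action": m.group("action"), "dir": m.group("dir"),
                          "iface": m.group("iface"), "protos": protos})
    return rules


def find_uncovered(events, rules):
    """Map each blocked (dir, iface, proto) with no matching pass rule on that
    interface to its packet count and the interfaces that do carry such a rule."""
    blocked = Counter((e["dir"], e["iface"], e["proto"])
                      for e in events if e["action"] == "block")
    findings = {}
    for (d, iface, proto), n in blocked.items():
        covered = any(r["action"] == "pass" and r["dir"] == d
                      and r["iface"] == iface and proto in r["protos"] for r in rules)
        if not covered:
            elsewhere = sorted({r["iface"] for r in rules
                                if r["action"] == "pass" and proto in r["protos"]})
            findings[(d, iface, proto)] = {"count": n, "pass_rules_on": elsewhere}
    return findings


if __name__ == "__main__":
    for (d, iface, proto), info in find_uncovered(parse_log(SAMPLE_LOG),
                                                  parse_rules(SAMPLE_RULES)).items():
        print(f"{info['count']} x {proto} {d} on {iface} blocked; "
              f"pass rules for {proto} exist only on {info['pass_rules_on'] or 'no interface'}")
```

Run against the quoted material it reports five GRE packets blocked inbound on hme0 while the only GRE pass rule sits on hme4, which is exactly the gap EJ describes; swapping the log's interface to hme4 makes the report empty, confirming the rules would cover that path.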