Re: pptp / pf issue
sorry about the other posts... outlook is doing some really weird stuff.
>Very easy, look at the log. You block incoming on hme0. Your rule
>applies to hme4. Without knowing the network setup it is quite
>difficult to say what it should be.
wow... you're right... in looking at the log... I assumed it was blocking on
hme4... I guess I was reading into it what I wanted to read into it.
I have no idea why it's even referencing hme0
here's the layout:
client
||
||
||
*internet*
||
||
||
linksys
||
||
||
/hme4/
OBSD
\hme1\
||
||
||
w2k3
and lemme post my entire config file.... just in case:
---------------------
table <firewall_ints> const { 10.10.100.2, 172.16.100.1, 172.16.200.1, 192.168.100.253, 192.168.200.1 }
table <networks> const { hme0:network, hme1:network, hme2:network, hme3:network }
table <hosts> const { 192.168.100.242, 192.168.100.243, 192.168.100.249, 192.168.100.251 }
table <vpn_hosts> const { 10.10.100.3, 10.10.100.4, 10.10.100.5, 10.10.100.6 }
table <private_server> const { 192.168.200.2, 10.10.100.3 }
table <public_server> const { 172.16.200.2 }
table <all_syslog_devices> const { 192.168.200.2, 192.168.200.6, 192.168.100.251, 172.16.200.2, 172.16.200.1, 10.10.100.1 }
###
### general security settings
###
# log interface
set loginterface hme2
# scrubbing
scrub on hme4 all no-df random-id reassemble tcp
# NAT
nat on hme4 inet from <networks> to any -> hme4
rdr on hme4 inet proto tcp from any to hme4 port telnet -> 172.16.100.2
rdr on hme4 inet proto { udp, tcp } from any to hme4 port 1723 -> 192.168.200.2
rdr on hme4 inet proto gre from any to hme4 -> 192.168.200.2
# blocking
block quick from no-route to any
### vpn issues###block log all
# loopback
pass quick on lo0 all
###
###
###
###
### private network - hme0, vlan60, 192.168.100.x
###
# traffic coming from the hosts entering the 192.168.100.x interface
pass in quick on hme0 inet proto { udp, tcp } from <hosts> to any keep state
pass in quick on hme0 inet proto icmp from <hosts> to any keep state
# traffic coming from the server and going to the hosts
pass out quick on hme0 inet proto { udp, tcp } from <private_server> to <hosts> keep state
pass out quick on hme0 inet proto icmp from <private_server> to <hosts> keep state
###
###
###
###
### private servers - hme1, vlan50, 192.168.200.x
###
# traffic exits the 192.168.200.x interface that is destined for the server
pass out quick on hme1 inet proto { udp, tcp } from { <firewall_ints>, <hosts>, <vpn_hosts> } to 192.168.200.2 keep state
pass out quick on hme1 inet proto icmp from { <firewall_ints>, <hosts>, <vpn_hosts> } to 192.168.200.2 keep state
# vpn access (tcp 1723 and gre 47)
pass out quick on hme1 inet proto { udp, tcp } from any to <private_server> port pptp keep state
pass out quick on hme1 inet proto gre from any to <private_server> keep state
# syslog access
pass in quick on hme1 inet proto udp from <private_server> to 172.16.200.2 port syslog keep state
# traffic leaving the server by entering the 192.168.200.x interface
pass in quick on hme1 inet proto { udp, tcp } from <private_server> to any keep state
pass in quick on hme1 inet proto icmp from <private_server> to any keep state
###
###
###
###
### public servers - hme2, vlan40, 172.16.200.x
###
### private server restricted access to the public server
pass out quick on hme2 inet proto { udp, tcp } from 192.168.200.2 to 172.16.200.2 keep state
pass out quick on hme2 inet proto icmp from 192.168.200.2 to 172.16.200.2 keep state
# traffic leaving the server by entering the 172.16.200.x interface
pass in quick on hme2 inet proto { udp, tcp } from 172.16.200.2 to any keep state
pass in quick on hme2 inet proto icmp from 172.16.200.2 to any keep state
###
### cisco router pod - hme3, vlan30, 172.16.100.x
###
# incoming telnet and ping
pass in quick on hme3 inet proto tcp from any to 172.16.100.2 port telnet keep state
pass out quick on hme3 inet proto tcp from any to 172.16.100.2 port telnet keep state
pass in quick on hme3 inet proto icmp from { <hosts>, <vpn_hosts>, 192.168.200.2 } to 172.16.100.2 keep state
pass out quick on hme3 inet proto icmp from { <hosts>, <vpn_hosts>, 192.168.200.2 } to 172.16.100.2 keep state
###
### connection to router - hme4, vlan20, 10.10.100.x
###
# all outbound access
pass out quick on hme4 inet proto { udp, tcp } all keep state
pass out quick on hme4 inet proto icmp all keep state
# telnet traffic
pass in quick on hme4 inet proto tcp from any to 172.16.200.2 port telnet flags S/FSRA keep state
# VPN (tcp 1723 and gre 47)
pass in quick on hme4 inet proto { udp, tcp } from any to <private_server> port pptp flags S/FSRA keep state
pass in quick on hme4 inet proto gre from any to <private_server> keep state
# allow icmp traffic through
pass in quick on hme4 inet proto icmp all icmp-type echoreq code 0 keep state (max 50)
# blocking rules
block out log quick on hme4 from !hme4 to any
###vpn problem###block in log quick on hme4 from any to !hme4
block return in quick on hme4 inet proto tcp from any to any port auth flags S/FSRA
###
###
###
###
### general help and troubleshooting commands
###
### Clearing and Reloading rules
# pfctl -F rules && pfctl -f /etc/pf.conf
### display rules
# pfctl -f /etc/pf.conf    loads the pf.conf file
# pfctl -nf /etc/pf.conf   parse the file, but don't load it
# pfctl -Nf /etc/pf.conf   load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf   load only the filter rules from the file
# pfctl -sn                show the current NAT rules
# pfctl -sr                show the current filter rules
# pfctl -ss                show the current state table
# pfctl -si                show filter stats and counters
# pfctl -sa                show EVERYTHING it can show
### troubleshooting
# ifconfig pflog0 up
# tcpdump -n -e -ttt -i pflog0
# pfctl -vvsr
----------------------------------------
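The mistake in the thread was reading the pflog output and assuming the blocks were on hme4 when they were on hme0. As an added example (not from the original post), this sh/awk snippet tallies `tcpdump -n -e -ttt -i pflog0` lines by action, direction, interface and rule number, so the interface doing the blocking stands out; the sample log lines are constructed, not captured from the poster's box.

```sh
#!/bin/sh
# Added example: summarise pflog text so "which interface blocked it" is obvious.
# Input is the text tcpdump prints for pflog0 with -e, whose link-level header
# looks like:  rule N/M(match): ACTION DIR on IFACE: src > dst: ...
# The rule number N is the one shown by `pfctl -vvsr` (@N), which is how you
# map a logged block back to the line in pf.conf that matched.

# Read pflog-style lines on stdin; print "count action dir iface rule N/M",
# most frequent first.
pflog_summary() {
    awk '
        /rule [0-9]+\/[0-9]+\(match\):/ {
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            rule = $(i+1); sub(/\(.*/, "", rule)       # "14/0(match):" -> "14/0"
            action = $(i+2); dir = $(i+3)              # "block", "in"
            iface = $(i+5); sub(/:$/, "", iface)       # "hme0:" -> "hme0"
            n[action " " dir " " iface " rule " rule]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample, shaped like tcpdump -n -e -ttt -i pflog0 output.
SAMPLE='000000 rule 14/0(match): block in on hme0: 192.168.100.250.1029 > 192.168.200.2.1723: S 1:1(0) win 16384
000123 rule 14/0(match): block in on hme0: 192.168.100.250.1030 > 192.168.200.2.1723: S 1:1(0) win 16384
000045 rule 27/0(match): pass in on hme4: 10.10.100.3.1723 > 192.168.200.2.1723: S 1:1(0) win 65535
000002 rule 14/0(match): block in on hme0: 192.168.100.250.1031 > 192.168.200.2.1723: S 1:1(0) win 16384'

# Summary over the constructed sample.
sample_summary() {
    printf '%s\n' "$SAMPLE" | pflog_summary
}

# Number of blocked packets logged on the interface named in $1.
blocked_on() {
    printf '%s\n' "$SAMPLE" | pflog_summary |
        awk -v ifc="$1" '$2 == "block" && $4 == ifc { s += $1 } END { print s + 0 }'
}

sample_summary
```

On a live box, replace the sample with `tcpdump -n -e -ttt -i pflog0 | pflog_summary` (or run it over `tcpdump -n -e -ttt -r /var/log/pflog`) and compare the rule numbers against `pfctl -vvsr`.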