Long story short, I have an issue with getting my VPN to connect to my w2k3 server box when I include the block all rule in my pf.conf:

block log all

Here's the output:

Apr 04 06:04:09.291697 rule 1/0(match): block in on hme0: call 3033 seq 0 gre-ppp-payload (gre encap)
Apr 04 06:04:11.288849 rule 1/0(match): block in on hme0: call 3033 seq 1 gre-ppp-payload (gre encap)
Apr 04 06:04:14.291628 rule 1/0(match): block in on hme0: call 3033 seq 2 gre-ppp-payload (gre encap)
Apr 04 06:04:17.831228 rule 1/0(match): block in on hme0: call 3033 seq 3 gre-ppp-payload (gre encap)
Apr 04 06:04:21.299914 rule 1/0(match): block in on hme0: call 3033 seq 4 gre-ppp-payload (gre encap)

@1 block drop log all
  [ Evaluations: 8    Packets: 5    Bytes: 275    States: ]

When I remove this rule, things seem to work w/o issue. I'm kinda' new to pf, so I included this rule after following the SOHO example in the FAQ.

Instead of posting the entire pf.conf, let me instead post the sections I think are relevant to getting PPTP working (if I made an error in this, and you need the entire file, please let me know. I just thought it would be more helpful to streamline the post):

-------------------
rdr on hme4 inet proto { udp, tcp } from any to hme4 port 1723 -> 192.168.200.2
rdr on hme4 inet proto gre from any to hme4 -> 192.168.200.2
# VPN (tcp 1723 and gre 47)
pass in quick on hme4 inet proto { udp, tcp } from any to hme1 port pptp flags S/FSRA keep state
pass in quick on hme4 inet proto gre from any to hme1 keep state
---------------------

My first question would be how important "block log all" is. Can I make do w/o it? It seems pretty important to me because it looks like the default deny all rule.

Next, if it is important, what additional rules can I enter into the pf.conf file that will allow PPTP to work?
Sameer wrote:
> Long story short, I have an issue with getting my VPN to connect to my
> w2k3 server box when I include the block all rule in my pf.conf:
>
> block log all
>
> Here's the output:
>
> Apr 04 06:04:09.291697 rule 1/0(match): block in on hme0: call 3033
> seq 0 gre-ppp-payload (gre encap)
> Apr 04 06:04:11.288849 rule 1/0(match): block in on hme0: call 3033
> seq 1 gre-ppp-payload (gre encap)
> Apr 04 06:04:14.291628 rule 1/0(match): block in on hme0: call 3033
> seq 2 gre-ppp-payload (gre encap)
> Apr 04 06:04:17.831228 rule 1/0(match): block in on hme0: call 3033
> seq 3 gre-ppp-payload (gre encap)
> Apr 04 06:04:21.299914 rule 1/0(match): block in on hme0: call 3033
> seq 4 gre-ppp-payload (gre encap)
>
> @1 block drop log all
> [ Evaluations: 8 Packets: 5 Bytes: 275
> [ States:
> ]
>
> When I remove this rule, things seem to work w/o issue. I'm kinda'
> new to pf, so I included this rule after following the SOHO example in
> the FAQ.
>
> Instead of posting the entire pf.conf, let me instead post the
> sections I think are relevant to getting PPTP working (if I made an
> error in this, and you need the entire file, please let me know. I
> just thought it would be more helpful to streamline the post):
>
> -------------------
> rdr on hme4 inet proto { udp, tcp } from any to hme4 port 1723 ->
> 192.168.200.2
> rdr on hme4 inet proto gre from any to hme4 -> 192.168.200.2
> # VPN (tcp 1723 and gre 47)
> pass in quick on hme4 inet proto { udp, tcp } from any to hme1 port
> pptp flags S/FSRA keep state
> pass in quick on hme4 inet proto gre from any to hme1 keep state
> ---------------------
>
> my first question would be how important "block log all" is. can I
> make do
> w/o it? It seems pretty important to me because it looks like the
> default deny all rule.

It is the default deny rule in your case.

> next, if it is important, what additional rules can I enter into the
> pf.conf file that will allow PPTP to work?

Very easy, look at the log. You block incoming on hme0. Your rule applies to hme4. Without knowing the network setup it is quite difficult to say what it should be.

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
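As an added illustration of the "look at the log" step (this is not code from the thread or from any pf tool), the script below parses pflog lines in the tcpdump -n -e -ttt -i pflog0 format shown above and tallies which interface, direction and rule number actually dropped the packets, so a mismatch like "the log says hme0 but my rule was written for hme4" stands out immediately. The first three sample lines are copied from the post; the fourth line, the rule number 12 and the addresses 203.0.113.5 and 10.10.100.2 in it are constructed.

```python
import re
from collections import Counter

# Constructed sample in the "tcpdump -n -e -ttt -i pflog0" format from the
# thread: the first three lines are copied from the post, the fourth (a pass
# rule on hme4 with made-up addresses 203.0.113.5 / 10.10.100.2) is invented
# so the report has something to contrast against.
SAMPLE_LOG = """\
Apr 04 06:04:09.291697 rule 1/0(match): block in on hme0: call 3033 seq 0 gre-ppp-payload (gre encap)
Apr 04 06:04:11.288849 rule 1/0(match): block in on hme0: call 3033 seq 1 gre-ppp-payload (gre encap)
Apr 04 06:04:14.291628 rule 1/0(match): block in on hme0: call 3033 seq 2 gre-ppp-payload (gre encap)
Apr 04 06:04:20.000000 rule 12/0(match): pass in on hme4: 203.0.113.5.1040 > 10.10.100.2.1723: S 1:1(0) win 65535
"""

# timestamp, "rule N/M(reason):", action, direction, interface, packet text
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): (?P<pkt>.*)$"
)

def parse_pflog(text):
    """One dict per line matching PFLOG_RE; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        # PPTP data rides in GRE; tcpdump tags it "(gre encap)" as in the post
        rec["proto"] = "gre" if "(gre encap)" in rec["pkt"] else "other"
        records.append(rec)
    return records

def blocked_by_rule(records):
    """Blocked packet count per (interface, direction, rule number)."""
    counts = Counter()
    for r in records:
        if r["action"] == "block":
            counts[(r["iface"], r["dir"], r["rule"])] += 1
    return counts

def unexpected_block_ifaces(records, expected_iface):
    """Interfaces that dropped traffic even though the admin expected the
    filtering to happen on expected_iface (log says hme0, rule meant hme4)."""
    return sorted({r["iface"] for r in records
                   if r["action"] == "block" and r["iface"] != expected_iface})
```

Feed it the output of tcpdump on pflog0 and compare the interfaces it reports against the ones your pass rules name; `unexpected_block_ifaces(parse_pflog(SAMPLE_LOG), "hme4")` returns `["hme0"]` for the sample.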
>Very easy, look at the log. You block incoming on hme0. Your rule
>applies to hme4. Without knowing the network setup it is quite
>difficult to say what it should be.

This is how it's laid out:

   (internet)
       ||
    linksys
       ||
(hme4) OBSD (hme1)
       ||
>Very easy, look at the log. You block incoming on hme0. Your rule
>applies to hme4. Without knowing the network setup it is quite
>difficult to say what it should be.

Here's the layout:

*internet*
    ||
 linksys
    ||
hme4 OBSD
    ||
Sorry about the other posts... Outlook is doing some really weird stuff.

>Very easy, look at the log. You block incoming on hme0. Your rule
>applies to hme4. Without knowing the network setup it is quite
>difficult to say what it should be.

Wow... you're right... in looking at the log... I assumed it was blocking on hme4... I guess I was reading into it what I wanted to read into it. I have no idea why it's even referencing hme0.

Here's the layout:

      client
        ||
    *internet*
        ||
     linksys
        ||
/hme4/ OBSD \hme1\
        ||
       w2k3

And lemme post my entire config file.... just in case:

---------------------
table <firewall_ints> const { 10.10.100.2, 172.16.100.1, 172.16.200.1, 192.168.100.253, 192.168.200.1 }
table <networks> const { hme0:network, hme1:network, hme2:network, hme3:network }
table <hosts> const { 192.168.100.242, 192.168.100.243, 192.168.100.249, 192.168.100.251 }
table <vpn_hosts> const { 10.10.100.3, 10.10.100.4, 10.10.100.5, 10.10.100.6 }
table <private_server> const { 192.168.200.2, 10.10.100.3 }
table <public_server> const { 172.16.200.2 }
table <all_syslog_devices> const { 192.168.200.2, 192.168.200.6, 192.168.100.251, 172.16.200.2, 172.16.200.1, 10.10.100.1 }

###
### general security settings
###

# log interface
set loginterface hme2

# scrubbing
scrub on hme4 all no-df random-id reassemble tcp

# NAT
nat on hme4 inet from <networks> to any -> hme4
rdr on hme4 inet proto tcp from any to hme4 port telnet -> 172.16.100.2
rdr on hme4 inet proto { udp, tcp } from any to hme4 port 1723 -> 192.168.200.2
rdr on hme4 inet proto gre from any to hme4 -> 192.168.200.2

# blocking
block quick from no-route to any
### vpn issues###block log all

# loopback
pass quick on lo0 all

###
###
###

###
### private network - hme0, vlan60, 192.168.100.x
###

# traffic coming from the hosts entering the 192.168.100.x interface
pass in quick on hme0 inet proto { udp, tcp } from <hosts> to any keep state
pass in quick on hme0 inet proto icmp from <hosts> to any keep state

# traffic coming from the server and going to the hosts
pass out quick on hme0 inet proto { udp, tcp } from <private_server> to <hosts> keep state
pass out quick on hme0 inet proto icmp from <private_server> to <hosts> keep state

###
###
###

###
### private servers - hme1, vlan50, 192.168.200.x
###

# traffic exits the 192.168.200.x interface that is destined for the server
pass out quick on hme1 inet proto { udp, tcp } from { <firewall_ints>, <hosts>, <vpn_hosts> } to 192.168.200.2 keep state
pass out quick on hme1 inet proto icmp from { <firewall_ints>, <hosts>, <vpn_hosts> } to 192.168.200.2 keep state

# vpn access (tcp 1723 and gre 47)
pass out quick on hme1 inet proto { udp, tcp } from any to <private_server> port pptp keep state
pass out quick on hme1 inet proto gre from any to <private_server> keep state

# syslog access
pass in quick on hme1 inet proto udp from <private_server> to 172.16.200.2 port syslog keep state

# traffic leaving the server by entering the 192.168.200.x interface
pass in quick on hme1 inet proto { udp, tcp } from <private_server> to any keep state
pass in quick on hme1 inet proto icmp from <private_server> to any keep state

###
###
###

###
### public servers - hme2, vlan40, 172.16.200.x
###

### private server restricted access to the public server
pass out quick on hme2 inet proto { udp, tcp } from 192.168.200.2 to 172.16.200.2 keep state
pass out quick on hme2 inet proto icmp from 192.168.200.2 to 172.16.200.2 keep state

# traffic leaving the server by entering the 172.16.200.x interface
pass in quick on hme2 inet proto { udp, tcp } from 172.16.200.2 to any keep state
pass in quick on hme2 inet proto icmp from 172.16.200.2 to any keep state

###
### cisco router pod - hme3, vlan30, 172.16.100.x
###

# incoming telnet and ping
pass in quick on hme3 inet proto tcp from any to 172.16.100.2 port telnet keep state
pass out quick on hme3 inet proto tcp from any to 172.16.100.2 port telnet keep state
pass in quick on hme3 inet proto icmp from { <hosts>, <vpn_hosts>, 192.168.200.2 } to 172.16.100.2 keep state
pass out quick on hme3 inet proto icmp from { <hosts>, <vpn_hosts>, 192.168.200.2 } to 172.16.100.2 keep state

###
### connection to router - hme4, vlan20, 10.10.100.x
###

# all outbound access
pass out quick on hme4 inet proto { udp, tcp } all keep state
pass out quick on hme4 inet proto icmp all keep state

# telnet traffic
pass in quick on hme4 inet proto tcp from any to 172.16.200.2 port telnet flags S/FSRA keep state

# VPN (tcp 1723 and gre 47)
pass in quick on hme4 inet proto { udp, tcp } from any to <private_server> port pptp flags S/FSRA keep state
pass in quick on hme4 inet proto gre from any to <private_server> keep state

# allow icmp traffic through
pass in quick on hme4 inet proto icmp all icmp-type echoreq code 0 keep state (max 50)

# blocking rules
block out log quick on hme4 from !hme4 to any
###vpn problem###block in log quick on hme4 from any to !hme4
block return in quick on hme4 inet proto tcp from any to any port auth flags S/FSRA

###
###
###

###
### general help and troubleshooting commands
###

### Clearing and Reloading rules
# pfctl -F rules && pfctl -f /etc/pf.conf

### display rules
# pfctl -f /etc/pf.conf     loads the pf.conf file
# pfctl -nf /etc/pf.conf    parse the file, but don't load it
# pfctl -Nf /etc/pf.conf    Load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf    Load only the filter rules from the file
# pfctl -sn                 Show the current NAT rules
# pfctl -sr                 Show the current filter rules
# pfctl -ss                 Show the current state table
# pfctl -si                 Show filter stats and counters
# pfctl -sa                 Show EVERYTHING it can show

### troubleshooting
# ifconfig pflog0 up
# tcpdump -n -e -ttt -i pflog0
# pfctl -vvsr
----------------------------------------