allow vpn clients to connect to internal vpn server

Ruslan Ermilov ru at freebsd.org
Tue Apr 15 14:59:03 PDT 2003


On Tue, Apr 15, 2003 at 03:53:30PM +0300, Belov V. wrote:
> Hi
> My private net is 192.168.0.0/24 and has Win VPN server in it.
> Natd has redirection: redirect_port tcp 192.168.0.1:1723 1723
> What should be added to allow external vpn clients to connect to my internal
> vpn server?
> 
> My current BSD router has the following ipfw rules:
> 
> add allow ip from any to any via lo0
> add deny all from any to 127.0.0.0/8
> add deny all from 127.0.0.0/8 to any
> add deny all from 192.168.0.0/24 to any in recv de0
> add deny all from any to 10.0.0.0/8 via de0
> add deny all from any to 172.16.0.0/12 via de0
> add deny all from any to 192.168.0.0/16 via de0
> add deny all from any to 0.0.0.0/8 via de0
> add deny all from any to 169.254.0.0/16 via de0
> add deny all from any to 192.0.2.0/24 via de0
> add deny all from any to 224.0.0.0/4 via de0
> add deny all from any to 240.0.0.0/4 via de0
> add deny tcp from any to any 137-139 via de0
> add deny tcp from any to any 137-139 via de0
> add fwd 192.168.0.10,3128 tcp from 192.168.0.0/24 to any 80
> add divert 8668 all from any to any via de0
> add pass tcp from any to any established
> add pass ip from any to any frag
> add pass tcp from any to ip_of_external_interface 25 setup
> add pass tcp from any to any 1723 setup
> add pass tcp from any to any 4899 setup
> add pass tcp from any to ip_of_external_interface 53 setup
> add pass udp from any to ip_of_external_interface 53
> add pass udp from ip_of_external_interface 53 to any
> add deny log tcp from any to any in via de0 setup
> add pass tcp from any to any setup
> add pass udp from any to any 53 keep-state
> 
With the default ``allow ip from any to any'' it was enough
to redirect only TCP port 1723 to an internal machine:

: src/lib/libalias/alias_pptp.c revision 1.4
: date: 2000/10/30 12:39:41;  author: ru;  state: Exp;  lines: +129 -53
: A significant rewrite of PPTP aliasing code.
: 
: PPTP links are no longer dropped by simple (and inappropriate in this
: case) "inactivity timeout" procedure, only when requested through the
: control connection.
: 
: It is now possible to have multiple PPTP servers running behind NAT.
: Just redirect the incoming TCP traffic to port 1723, everything else
: is done transparently.
: 
: Problems were reported and the fix was tested by:
:                 Michael Adler <Michael.Adler at compaq.com>,
:                 David Andersen <dga at lcs.mit.edu>

If your default rule is ``deny ip from any to any'', you should also
allow for the protocol ``gre'' traffic.


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru at sunbay.com		Sunbay Software AG,
ru at FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
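As an added illustration of the reply above (not code from the original thread or from FreeBSD): a small first-match evaluator for a constructed subset of ipfw rule syntax, run over the PPTP-relevant rules with a "deny ip from any to any" default. The client and external addresses, the rule subsets and the packets are constructed (the interface name de0 is taken from the posted ruleset); it shows that passing TCP/1723 only admits the PPTP control connection, while the GRE packets carrying the PPP session are dropped until a gre rule is added.

```python
from ipaddress import ip_address, ip_network

# Constructed external interface address (TEST-NET-3, RFC 5737), standing in for
# the "ip_of_external_interface" placeholder in the posted ruleset.
EXT_IP = "203.0.113.1"
def _net(spec):
    if spec == "any":  # 'any' matches everything
        return None
    return ip_network(spec.replace("ip_of_external_interface", EXT_IP), strict=False)

def parse(line):
    """Parse 'add ACTION PROTO from SRC to DST [PORT] [via IF] [setup|established]'."""
    t = line.split()
    r = {"action": t[1], "proto": t[2], "src": _net(t[4]), "dst": _net(t[6]),
         "port": None, "iface": None, "flags": set()}
    for i, w in enumerate(t[7:], 7):
        if w == "via":
            r["iface"] = t[i + 1]
        elif w in ("setup", "established"):
            r["flags"].add(w)
        elif w.isdigit():
            r["port"] = int(w)
    return r

def matches(r, pkt):
    """True if rule r matches pkt (dict: proto, src, dst, iface, dport, syn_only)."""
    return (r["proto"] in ("ip", "all", pkt["proto"])
            and (r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ip_address(pkt["dst"]) in r["dst"])
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["port"] is None or r["port"] == pkt.get("dport"))
            and ("setup" not in r["flags"] or bool(pkt.get("syn_only")))
            and ("established" not in r["flags"] or not pkt.get("syn_only", True)))

def verdict(rules, pkt):
    # First-match evaluation, as ipfw does; no match behaves like a deny default.
    for rule in map(parse, rules):
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

# Constructed rulesets: PPTP lines before a "deny ip from any to any" default, without/with GRE.
BASE = ["add pass tcp from any to any established",
        "add pass tcp from any to any 1723 setup",
        "add deny ip from any to any"]
WITH_GRE = BASE[:2] + ["add pass gre from any to any via de0"] + BASE[2:]
# Constructed packets from an external PPTP client (TEST-NET-2) arriving on de0.
PPTP_CTRL = {"proto": "tcp", "src": "198.51.100.7", "dst": EXT_IP,
             "dport": 1723, "iface": "de0", "syn_only": True}
GRE_DATA = {"proto": "gre", "src": "198.51.100.7", "dst": EXT_IP, "iface": "de0"}
```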