pf rules for pptpd
Mario Lobo
lobo at bsd.com.br
Tue Aug 2 22:34:48 UTC 2011
On Tuesday 02 August 2011 19:17:34 you wrote:
> > I finally gave up and switched to mpd5. I solved my problem and it has
> > been rock solid ever since.
>
> I'm not wedded to pptpd. But I found mpd5 to be even more convoluted to
> configure. Can you share your configuration files?
Sure thing, man!
Here it is. Server side. With this config, ANY unix or Win (XP, 7, Vista, whatever) closes a vpn with the FreeBSD FW, and it authenticates the user in AD (2008 R2) via AD's radius server.
### mpd.conf
startup:
        # Setup console user, password and level
        set user admin password yyyyyy
        set console self 127.0.0.1 5005
        set console open
        # set web self 0.0.0.0 5006
        # set web open

default:
        load pptp_server

pptp_server:
        set ippool add pool1 172.16.3.201 172.16.3.239

        create bundle template B
        set iface up-script /usr/local/etc/mpd5/linkup
        set iface down-script /usr/local/etc/mpd5/linkdown
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 172.16.3.200/32 ippool pool1
        set ipcp dns 172.16.3.133
        set ipcp nbns 172.16.3.133
        set bundle enable compression
        # set bundle enable encryption
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

        ## Setup The Link Layer ##
        create link template L pptp
        set link action bundle B
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        # set link mtu 1300
        set link mtu 1460
        # a.b.c.d = the address mpd listens on for incoming PPTP
        set pptp self a.b.c.d
        # set pptp disable windowing
        set link enable incoming
        load radius

radius:
        # "password" stands for the RADIUS shared secret; 1812/1813 are the auth/acct ports
        set radius server 172.16.3.133 password 1812 1813
        set radius retries 3
        set radius timeout 10
        set auth acct-update 120
        set auth enable radius-auth
        set auth enable radius-acct
        set radius enable message-authentic
        set radius me 172.16.3.1
        set radius identifier xxxxxxx
With the scripts below, I get individual user log files saying when they logged in/out, which LAN IP and ng interface they used and from what public IP they connected.
If I do an "ls /var/log/vpns/*.IN", I can see which users are connected to the vpn.
### linkup
#!/usr/local/bin/bash
# mpd5 up-script arguments as used by this script: $1 = ng interface,
# $4 = peer LAN IP, $5 = authenticated user name, $8 = address the client connected from

# Make sure the pf "vpns" anchor has a pass rule for this ng interface.
# Match the whole line so that e.g. "ng1" is not mistaken for an existing "ng10" rule.
/usr/bin/touch /var/log/vpns/rules
if ! /usr/bin/grep -qx "pass quick on $1 all" /var/log/vpns/rules ; then
        echo "pass quick on $1 all" >> /var/log/vpns/rules
fi
/sbin/pfctl -a vpns -f /var/log/vpns/rules

# Drop the leading "allenrecife" part (prefix plus separator) from the user name, if present
USU="${5:0:11}"
case ${USU} in
        [Aa][Ll][Ll][Ee][Nn][Rr][Ee][Cc][Ii][Ff][Ee])
                USU="${5:12:20}"
                ;;
        *)
                USU=$5
                ;;
esac
USUIN="${USU}-${4}"
DIA=$(/bin/date "+%Y-%m-%d %H:%M:%S")
IP=$8
if [ -f /var/log/vpns/"${USU}".log ] ; then
        /bin/echo "${DIA} -> ${USU} Logged IN with [ ${1}:${4} ] from [ ${IP} ]." >> /var/log/vpns/"${USU}".log
else
        /bin/echo "${DIA} -> ${USU} Logged IN with [ ${1}:${4} ] from [ ${IP} ]." > /var/log/vpns/"${USU}".log
fi
# Session marker: one <user>-<LAN IP>.IN file per active link
/usr/bin/touch /var/log/vpns/"${USUIN}".IN
# Publish the client's LAN address via proxy ARP
/usr/sbin/arp -s "${4}" auto pub only
### linkdown
#!/usr/local/bin/bash
# mpd5 down-script arguments as used by this script: $4 = peer LAN IP, $5 = user name

# Same user-name normalisation as in linkup
USU="${5:0:11}"
case ${USU} in
        [Aa][Ll][Ll][Ee][Nn][Rr][Ee][Cc][Ii][Ff][Ee])
                USU="${5:12:20}"
                ;;
        *)
                USU=$5
                ;;
esac
DIA=$(/bin/date "+%Y-%m-%d %H:%M:%S")
USUIN="${USU}-${4}"
# Only write "logged OUT" when this is the user's last remaining link
count=$(ls -1 /var/log/vpns/"${USU}"*.IN | wc -l)
if [ "$count" -eq 1 ]; then
        if [ -f /var/log/vpns/"${USU}".log ] ; then
                /bin/echo "${DIA} -> ${USU} logged OUT." >> /var/log/vpns/"${USU}".log
        else
                /bin/echo "${DIA} -> ${USU} logged OUT." > /var/log/vpns/"${USU}".log
        fi
fi
/bin/rm /var/log/vpns/"${USUIN}".IN
## END
I hope this helps !
--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
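As an added example (not part of Mario's post), here is a small Python audit script that parses the per-user log files those linkup/linkdown scripts write and flags what an admin reviewing VPN access would want to see: sessions still open, logins from public addresses outside an allow-list, and one account connected at the same time from two different addresses. It assumes the timestamp format is "%Y-%m-%d %H:%M:%S" and works on a constructed sample log using documentation addresses.

```python
import re
from datetime import datetime

# Constructed sample of one user's /var/log/vpns/<user>.log, in the format the linkup/
# linkdown scripts write (timestamp assumed "%Y-%m-%d %H:%M:%S"; addresses are TEST-NET).
SAMPLE_LOG = """\
2011-08-02 08:15:02 -> jdoe Logged IN with [ ng0:172.16.3.201 ] from [ 203.0.113.7 ].
2011-08-02 12:40:19 -> jdoe logged OUT.
2011-08-02 13:02:44 -> jdoe Logged IN with [ ng1:172.16.3.205 ] from [ 198.51.100.23 ].
2011-08-02 13:05:10 -> jdoe Logged IN with [ ng2:172.16.3.206 ] from [ 203.0.113.7 ].
"""
TS = "%Y-%m-%d %H:%M:%S"
LOGIN_RE = re.compile(r"^(?P<ts>\S+ \S+) -> (?P<user>\S+) Logged IN with "
                      r"\[ (?P<iface>\S+):(?P<lan>\S+) \] from \[ (?P<src>\S+) \]\.$")
LOGOUT_RE = re.compile(r"^(?P<ts>\S+ \S+) -> (?P<user>\S+) logged OUT\.$")

def parse_sessions(text):
    """Rebuild sessions from the log; 'end' stays None while a session is open."""
    sessions = []
    for line in text.splitlines():
        if m := LOGIN_RE.match(line):
            sessions.append({"user": m["user"], "iface": m["iface"], "lan": m["lan"],
                             "src": m["src"], "start": datetime.strptime(m["ts"], TS),
                             "end": None})
        elif m := LOGOUT_RE.match(line):
            # linkdown logs OUT only when the user's last .IN marker goes, closing all open sessions
            end = datetime.strptime(m["ts"], TS)
            for s in sessions:
                if s["user"] == m["user"] and s["end"] is None:
                    s["end"] = end
    return sessions

def _overlaps(a, b):
    a_end, b_end = a["end"] or datetime.max, b["end"] or datetime.max
    return a["start"] < b_end and b["start"] < a_end

def audit(sessions, known_src=()):
    """Findings worth a look: open sessions, logins from addresses outside known_src,
    and one account connected at the same time from two different addresses."""
    findings = []
    for s in sessions:
        if s["end"] is None:
            findings.append(("open", s["user"], s["iface"]))
        if known_src and s["src"] not in known_src:
            findings.append(("new-source", s["user"], s["src"]))
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a["user"] == b["user"] and a["src"] != b["src"] and _overlaps(a, b):
                findings.append(("concurrent", a["user"], a["iface"], b["iface"]))
    return findings
```

Run it over a real log with `audit(parse_sessions(open(path).read()), known_src={...})`; an empty `known_src` disables the allow-list check.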