Down the MPD road

Michael Collette metrol at metrol.net
Mon May 12 13:04:45 PDT 2003


On Saturday 10 May 2003 01:48 pm, Olivier Cherrier wrote:
> > >     Here is where we descend into Windows-bashing.  For some STUPID
> > > reason, when a Windows box connects to a VPN via PPTP, the Windows
> > > box's default route is adjusted to go through the VPN connection.
> > > This is fortunately fixable (Windows has a ROUTE command), but it
> > > requires your users to have half a clue:
> > >
> > >     route delete 0.0.0.0
> > >     route add 0.0.0.0 mask 0.0.0.0 gateway <ISP gateway> metric 1
> > >     route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN
> > >     tunnel] metric 1
> >
> > I cannot test this right now, so it is quite probable that you are
> > right, but couldn't this be controlled by the Properties >> Networking
> > >> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
> > Use default gateway on remote network?
>
> Yes, this checkbox allows you to NOT route all the traffic to the
> VPN server. No need for 'route delete, route add ...' scripts.

I did this, and it does correct the immediate problem.  Of course, it also 
creates a new glitch.

My mail server sits in the DMZ, which is of course on a different subnet than 
the secure network.  I'm bringing in those outside users directly into the 
secure network, as they very definitely need resources from there.

Without being able to configure routing from the secure network, those users 
can't route to the DMZ.  In that DMZ I have pop3 and ldap restricted to 
internal use only, while SMTP is opened up wide.  The problem compounds a bit 
when dealing with SMTP security, which is presently configured to restrict 
relaying to only those IPs that we own.

So, the firewall prevents pop3 and ldap, while the mail server itself 
restricts the relaying.  Unless the user is able to route to this server via 
the internal network this dog just don't hunt.

Is there perhaps some part of this I'm missing?

Thanks,
-- 
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark 
to read."
 - Groucho Marx
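The routing situation the post describes, modelled as an added example that is not part of the original thread. The addresses, the subnets and the firewall/relay policy model are constructed assumptions; the route lookup is the same longest-prefix match a Windows route table applies.

```python
"""Split-tunnel routing on a PPTP client, as discussed in the thread.

Constructed addresses: 192.168.10.0/24 is the secure (inside) network,
198.51.100.0/28 is the DMZ holding the mail server, 10.8.0.1 is the far end
of the VPN tunnel and 203.0.113.1 is the client's ISP gateway.
"""
import ipaddress

ISP_GW = "203.0.113.1"
VPN_GW = "10.8.0.1"            # far end of the PPTP tunnel (assumed)
INSIDE = "192.168.10.0/24"
DMZ = "198.51.100.0/28"

# Client route table with "Use default gateway on remote network" unchecked:
# only the inside subnet is sent down the tunnel, everything else via the ISP.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", ISP_GW),
    (INSIDE, VPN_GW),
]


def next_hop(routes, dst):
    """Longest-prefix match: the gateway the client will use for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def mail_server_reachable(routes, mail_ip, service):
    """Model of the policy in the post: pop3/ldap are firewalled to internal
    addresses and SMTP relaying is allowed only from company-owned IPs; plain
    inbound SMTP is open.  Traffic that enters via the VPN carries an internal
    source address, traffic that enters via the ISP does not."""
    via_vpn = next_hop(routes, mail_ip) == VPN_GW
    if service in ("pop3", "ldap", "smtp-relay"):
        return via_vpn
    return True


def with_dmz_route(routes):
    """The missing piece: also send the DMZ subnet down the tunnel."""
    return routes + [(DMZ, VPN_GW)]
```

With only the inside route, DMZ traffic leaves via the ISP and is treated as external; adding the DMZ prefix via the tunnel makes the same services reachable without re-enabling the full default-gateway tunnel.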


More information about the freebsd-security mailing list