IPFW & M$ VPN
Tomas Podermanski
tpoder at cis.vutbr.cz
Wed Aug 13 17:30:58 CEST 2003
Dobry den,
predpokladam, ze pouzivate PPTP protokol. Krome GRE protokolu je
nutne mit rovnez povoleny pristup k vpn koncentratoru na tcp port 1723
(pptp).
TP
Frankus wrote:
> Zdravim Vas!
> Potrebuji se nyni pripojit do prace pres MS VPNku, nicmene nedari se
> mi navazat spojeni. Odjinud to jde, takze chyba je evidentne na me
> strane.
> MS VPN pouziva specialni protokol GRE, ktery neodpovida standardum TCP
> ani UDP. Otazka zni, jak navazu spojeni na klientovi, ktery je za
> FreeBSD routerem s ipfw, jehoz skript je uveden nize.
> Dekuji vsem za reakce
>
> fwcmd="/sbin/ipfw"
> #fwcmd=echo
>
> build_cmd()
> {
> cmd="$1"
> shift
> for v in "$@"
> do
> cmd="$cmd '$v'"
> done
> }
>
> fwcmd_e ()
> {
> build_cmd $fwcmd "$@"
>
> for e in $all_externals
> do
> eval `echo "$cmd"|sed -e "s/DEV/$e/g"`
> done
> }
>
> fwcmd_i ()
> {
> build_cmd $fwcmd "$@"
>
> for i in $all_internals
> do
> eval `echo "$cmd"|sed -e "s/DEV/$i/g"`
> done
> }
>
> # Interface connected to your internal network
> all_internals="xl0 lo0"
> # Interface connected to the cable modem
> all_externals="de0 tun0"
>
> # nat demons for each external interface
> natd_de0=natd
> natd_tun0=8669
>
> # Force a flushing of the current rules before we reload.
> $fwcmd -f flush
>
> # Let me talk to the BY modem's web status page
> fwcmd_e add allow all from any to 192.168.100.1 via DEV
>
> # Don't let non routable IP packets leak out
> for nonroute in 10.0.0.0/8 172.31.0.0/16 192.168.0.0/16
> do
> fwcmd_e add deny log all from any to $nonroute via DEV
> done
>
> # Divert all packets through the natted interfaces
> for e in $all_externals $all_internals
> do
> eval "port=\$natd_$e"
> [ -z "$port" ] || $fwcmd add divert $port all from any to any via "$e"
> done
>
> # Allow all data from my network card and localhost. fwcmd_i add allow
> all from any to any via DEV
>
> #Line to allow BY Cable modem to respond to traceroute
> fwcmd_e add allow icmp from 10.124.192.1 to any via DEV
> #BY modem web status page
> fwcmd_e add allow all from 192.168.100.1 to any via DEV
>
> # Don't let non routable IPs get in (probably spoofed)
> for nonroute in 10.0.0.0/8 172.31.0.0/16 192.168.0.0/16
> do
> fwcmd_e add deny log all from $nonroute to any via DEV
> done
>
> # Allow all connections that I initiate.
> fwcmd_e add allow tcp from any to any out xmit DEV setup
>
> # Once connections are made, allow them to stay open.
> fwcmd_e add allow tcp from any to any via DEV established
>
> # Everyone on the internet is allowed to connect to the following
> # services on the machine. Remove # from those you want
> $fwcmd add allow tcp from any to any http setup
> #$fwcmd add allow tcp from any to any ftp setup
> $fwcmd add allow tcp from any to any ssh setup
> #$fwcmd add allow tcp from any to any smtp setup
>
> # This sends a RESET to all ident packets.
> fwcmd_e add reset log tcp from any to any ident in recv DEV
>
> # Allow outgoing DNS queries
> fwcmd_e add allow udp from any to any domain out xmit DEV keep-state
>
> # Allow them back in with the answers... :)
> fwcmd_e add allow udp from any domain to any in recv DEV
>
> # time synchronisation
> fwcmd_e add allow udp from any to any ntp out xmit DEV keep-state
>
> # dhcp
> $fwcmd add pass udp from any to any bootpc keep-state
>
> fwcmd_e add allow udp from any to any bootps out xmit DEV
> fwcmd_e add allow udp from any bootps to any in recv DEV
>
> # traceroute
> $fwcmd add allow log udp from any to any 33434-33499 out
>
> # Igmp from CM, No one seems to know if this is necessary, so I
> # let it in.
> fwcmd_e add allow igmp from 192.168.100.1 to any in via DEV
>
> # Allow ICMP (for ping and traceroute to work). You may wish to
> # disallow this, but I feel it suits my needs to keep them in.
> $fwcmd add allow icmp from any to any
>
> # Deny and log setups from outside, just deny the rest of the attempt
> fwcmd_e add deny log tcp from any to any in via DEV setup
> $fwcmd add deny tcp from any to any
>
> # Deny and log non tcp from outside
> fwcmd_e add deny log ip from any to any in via DEV
>
> # Deny all the rest.
> $fwcmd add 65435 deny log ip from any to any
>
More information about the Users-l
mailing list