[IOML] Dylan you might like this one!
Simon Slaytor
sslaytor at iom.com
Fri Aug 19 13:40:07 BST 2005
Hi folks,
Not that I'm against levitating chemicals but I thought it might be time
to have another go at actually putting something less physically
strenuous into the minds of the local *nix geeks.
This is a recent post I made to the OpenBSD mailing list; anyone local
have any thoughts on the matter? And before anyone asks, I was actually
trying to diagnose a problem a fellow FWBuilder was having trying to do
the same but with a RH9 firewall and someone else's PPTP server.
Now I know GRE is a git of a service for stateful firewalls to track
(small packet headers etc. make the insertion of tracking data somewhat
impossible), but!! read on.
Ok, first off sorry if this is old ground or posted to the wrong list.
I've come across something a bit odd and I'd like someone who actually
knows what he's doing, not me, to shed some light on what's going on.
I'm trying to connect a Windows XP Sp2 (yes I know) box to a Win2k
Server using PPTP across two firewalls. i.e.
Logical layout
[Win XP] ---- IP/1723 GRE(47) ----> [Firewall 1] ----- Internet ---- [Firewall 2] ------> [Win2k PPTP endpoint]
Subnets:
|---IP 10.190/16 ----| [FW] |--- IP 11.11/16 ---| [FW] |--- IP 12.12/16---|
IP
XP-10.190.70.70
FW1 - 10.190.70.66 & 11.11.0.1
FW2 - 11.11.0.2 & 12.12.0.1
Win2k - 12.12.0.2
Win2k Static NAT'd as 11.11.0.10 on FW2 for GRE and IP/1723
Now for my first test Firewall 1 was a Linux 2.6.10 (Ubuntu 5.04) box,
and Firewall 2 was 3.7-current from last month.
Rules on the Linux box are (generalised):
Local LAN -> ANY using IP 1723 / GRE - accept
NAT Local LAN using any ---> WAN Interface
Rules on the OpenBSD box:
Any -> Win2k Server using IP 1723 / GRE - accept
NAT Any -> Win2k NAT Address [11.11.0.10] using GRE ------ as ------ Any
-> Win2k Internal Address [12.12.0.2] using GRE
NAT Any -> Win2k NAT address [11.11.0.10] using PPTP ------ as ------
Any -> Win2k Internal Address [12.12.0.2] using PPTP
NAT Win2k -> Any using Any ---- as ----- Win2k NAT'd address
[11.11.0.10] -> any using any
OK, hope that makes sense.
In this configuration everything works!
PFLOG on the OBSD box shows PPTP and GRE passing in through NAT and out,
etc.
PFLOG on FW2:
Aug 19 13:04:47.751613 rule 12/(match) pass in on ste0: 11.11.0.1.57976 > 12.12.0.2.1723: S 3537467063:3537467063(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:04:47.751671 rule 14/(match) pass out on ste1: 11.11.0.1.57976 > 12.12.0.2.1723: S 3537467063:3537467063(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:04:47.764918 rule 13/(match) pass in on ste0: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:04:47.764952 rule 15/(match) pass out on ste1: call 33767 seq 0 gre-ppp-payload (gre encap)
No further log entries are generated and the VPN is up and running.
Now if I change FW1 to OBSD 3.7-current, i.e. the same as FW2, and create
the equivalent rule base, I get the following on FW2 (yes, 2, not 1):
Aug 19 13:10:03.780470 rule 12/(match) pass in on ste0: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.780529 rule 14/(match) pass out on ste1: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.793545 rule 13/(match) pass in on ste0: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.793579 rule 15/(match) pass out on ste1: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795089 rule 16/(match) block in on ste1: call 16384 seq 0 ack 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795142 rule 16/(match) block in on ste1: call 16384 seq 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.794048 rule 16/(match) block in on ste1: call 16384 seq 2 ack 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.797300 rule 16/(match) block in on ste1: call 16384 seq 3 gre-ppp-payload (gre encap)
Aug 19 13:10:06.575114 rule 16/(match) block in on ste1: call 16384 seq 4 ack 2 gre-ppp-payload (gre encap)
As you can see, the newly OBSD FW1 is allowing the same traffic out as
the Linux box; however, for some reason FW2 no longer correctly tracks the
state of the GRE service, instead seeing it as a new connection and
dropping the packets.
Just to confirm, the PF rules on FW2 were not changed; simply changing
FW1 breaks FW2.
Has anyone any clue why this is happening?
Many thanks in advance.
Simon
PF Rules from FW1:
set optimization Normal
scrub in all fragment reassemble no-df
scrub out all random-id max-mss 1460
nat on xl1 proto {tcp udp icmp} from 10.190.0.0/16 to any -> 11.11.0.1
table <id43060240.1> { 10.190.70.66 , 11.11.0.1 }
table <id43060369.1> { 10.190.70.66 , 11.11.0.1 , 127.0.0.1 }
table <id430603B8.2> { 11.11.0.2 , 11.11.0.10 , 12.12.0.1 }
pass out quick on xl0 inet from <id43060240.1> to any keep state label "RULE 0 -- ACCEPT "
block in log quick on xl1 inet from <id43060240.1> to any label "RULE 0 -- DROP "
block in log quick on xl1 inet from 10.190.0.0/16 to any label "RULE 0 -- DROP "
pass out log quick on xl1 inet from <id43060240.1> to any keep state label "RULE 1 -- ACCEPT "
pass in quick on lo inet from <id43060369.1> to any keep state label "RULE 0 -- ACCEPT "
pass out quick on lo inet from <id43060369.1> to any keep state label "RULE 0 -- ACCEPT "
pass in log quick inet proto tcp from 10.190.0.0/16 to <id43060240.1> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
pass in log quick inet proto tcp from 10.190.0.0/16 to <id430603B8.2> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
pass out log quick inet proto tcp from 10.190.0.0/16 to <id430603B8.2> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
block in quick inet from any to <id43060240.1> label "RULE 1 -- DROP "
pass in log quick inet proto 47 from 10.190.0.0/16 to 11.11.0.10 keep state label "RULE 3 -- ACCEPT "
pass out log quick inet proto 47 from 10.190.0.0/16 to 11.11.0.10 keep state label "RULE 3 -- ACCEPT "
pass in log quick inet proto tcp from 10.190.0.0/16 to 11.11.0.10 port 1723 flags S/SA keep state label "RULE 4 -- ACCEPT "
pass out log quick inet proto tcp from 10.190.0.0/16 to 11.11.0.10 port 1723 flags S/SA keep state label "RULE 4 -- ACCEPT "
block in quick inet from any to any label "RULE 5 -- DROP "
block out quick inet from any to any label "RULE 5 -- DROP "
PF Rules from FW2:
set optimization Normal
scrub in all fragment reassemble no-df
scrub out all random-id max-mss 1460
rdr on ste0 proto 47 from any to 11.11.0.10 -> 12.12.0.2
rdr on ste0 proto tcp from any to 11.11.0.10 port 1723 -> 12.12.0.2 port 1723
nat on ste0 proto {tcp udp icmp} from 12.12.0.2 to any -> 11.11.0.10
nat on ste0 proto {tcp udp icmp} from 12.12.0.0/16 to any -> 11.11.0.2
table <id43060275.1> { 127.0.0.1 , 11.11.0.2 , 11.11.0.10 , 12.12.0.1 }
table <id430602AB.1> { 11.11.0.2 , 11.11.0.10 , 12.12.0.1 }
table <id430601F9.1> { 10.190.70.66 , 11.11.0.1 }
pass in quick on lo inet from <id43060275.1> to any keep state label "RULE 0 -- ACCEPT "
pass out quick on lo inet from <id43060275.1> to any keep state label "RULE 0 -- ACCEPT "
block in log quick on ste0 inet from <id430602AB.1> to any label "RULE 0 -- DROP "
block in log quick on ste0 inet from 12.12.0.0/16 to any label "RULE 0 -- DROP "
pass out quick on ste0 inet from <id430602AB.1> to any keep state label "RULE 1 -- ACCEPT "
pass out quick on ste1 inet from <id430602AB.1> to any keep state label "RULE 0 -- ACCEPT "
pass in log quick inet proto tcp from <id430601F9.1> to <id430602AB.1> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
block in log quick inet from any to <id430602AB.1> label "RULE 1 -- DROP "
pass in log quick inet proto tcp from any to 12.12.0.2 port 1723 flags S/SA keep state label "RULE 3 -- ACCEPT "
pass in log quick inet proto 47 from any to 12.12.0.2 keep state label "RULE 3 -- ACCEPT "
pass out log quick inet proto tcp from any to 12.12.0.2 port 1723 flags S/SA keep state label "RULE 3 -- ACCEPT "
pass out log quick inet proto 47 from any to 12.12.0.2 keep state label "RULE 3 -- ACCEPT "
block in log quick inet from any to any label "RULE 4 -- DROP "
block out log quick inet from any to any label "RULE 4 -- DROP "
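Editor's added illustration (not part of Simon's post, nor pf's code): a small model of how FW2's stateful tracking sees the exchange above, under two assumptions, that pf keys states for non-TCP/UDP protocols such as GRE (47) on protocol and address pair only, and that the PPTP server sends its GRE data to the peer address it learnt from the TCP/1723 control connection. The only thing varied is the protocol list on FW1's "nat on xl1 proto {tcp udp icmp}" rule, which as posted does not cover GRE; the addresses are the ones from the post.

```python
# Model of stateful GRE tracking across FW1 and FW2 (illustrative, not pf source).
# Assumption: pf keys states for "other" IP protocols (e.g. GRE/47) on
# (proto, src, dst) with ports stored as 0; only tcp/udp carry real ports.
from dataclasses import dataclass

XP, FW1_WAN, SRV_NAT, SRV = "10.190.70.70", "11.11.0.1", "11.11.0.10", "12.12.0.2"

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "gre"
    src: str
    dst: str
    sport: int = 0      # 0 for GRE
    dport: int = 0

def state_key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def fw1_nat(p, nat_protos):
    """FW1: 'nat on xl1 proto {...} from 10.190.0.0/16 to any -> 11.11.0.1'."""
    if p.proto in nat_protos and p.src.startswith("10.190."):
        return Pkt(p.proto, FW1_WAN, p.dst, p.sport, p.dport)
    return p

def fw2_rdr(p):
    """FW2: rdr 11.11.0.10 -> 12.12.0.2 for proto 47 and tcp/1723."""
    if p.dst == SRV_NAT and (p.proto == "gre" or (p.proto == "tcp" and p.dport == 1723)):
        return Pkt(p.proto, p.src, SRV, p.sport, p.dport)
    return p

def reply_matches_state(states, reply):
    """A 'keep state' entry passes a reply only if the reversed key exists."""
    rev = (reply.proto, reply.dst, reply.dport, reply.src, reply.sport)
    return rev in states

def gre_reply_passes_fw2(fw1_nat_protos):
    """Replay the exchange from the post; True if FW2 passes the server's GRE reply."""
    states = set()
    # Client -> server control connection (rules 12/14 in the pflog).
    ctrl = fw2_rdr(fw1_nat(Pkt("tcp", XP, SRV_NAT, 57976, 1723), fw1_nat_protos))
    states.add(state_key(ctrl))
    # Client -> server first GRE data packet (rules 13/15 in the pflog).
    data = fw2_rdr(fw1_nat(Pkt("gre", XP, SRV_NAT), fw1_nat_protos))
    states.add(state_key(data))
    # Assumption: the server answers on the address seen on the control connection.
    reply = Pkt("gre", SRV, ctrl.src)             # the 'call 16384' packets in on ste1
    return reply_matches_state(states, reply)
```

With FW1's posted protocol list the reply arrives from 12.12.0.2 to 11.11.0.1 while the only GRE state FW2 holds is for 10.190.70.70, so it falls through to the final block rule; a MASQUERADE rule on the Linux box rewrites GRE as well, which is consistent with the first test working.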