Discussion:
allowing gre through 3.0 firewall
meeps
2002-06-30 22:03:55 UTC
hello, have seen this issue touched on elsewhere but never resolved. am
trying to connect to our corporate pptp server on the internet using my xp
client behind my 3.0 firewall.

192.168.168.2 --> openBSD firewall (pf and nat running) --> corporate pptp
server

would appear that i need to pass gre packets into the 192 client, is this
correct? if so, can someone tell me how to set this up in pf.conf and or
nat.conf? thanks...
Marco Peereboom
2002-07-01 22:10:57 UTC
Upgrading to 3.1 was well worth the time to get this to work.

I saved all my config and other important files and reinstalled the system.
Copied back all the important stuff and my box was up and running in
minutes with exactly the same config.

Added the following line to pf.conf
pass out on $ExtIF inet proto gre all keep state
And life was good again!

/marco

meeps
2002-07-01 23:43:23 UTC
Ok, I've even tried this in my pf.conf file,

pass in all
pass out all

and *still* can't pptp through my 3.0 firewall to my corporate pptp server,
from tcpdump it would appear there is still a problem passing gre, is there
something I'm blatantly missing here? is there a problem with the version of
pf included in 3.0?? thanks...

Robert Schwartz
2002-07-02 00:22:42 UTC
Post by meeps
Ok, I've even tried this in my pf.conf file,
pass in all
pass out all
and *still* can't pptp through my 3.0 firewall to my
corporate pptp server, from tcpdump it would appear there is
still a problem passing gre, is there something I'm blatantly
missing here? is there a problem with the version of pf
included in 3.0?? thanks...
----- Original Message -----
Sent: Monday, July 01, 2002 5:10 PM
Subject: Re: allowing gre through 3.0 firewall
Post by Marco Peereboom
Upgrading to 3.1 was well worth the time to get this to work.
I think this is sage advice. IIRC prior to 3.1 there were a few issues
around routing gre. First, with ipforwarding enabled, the router
rightly thinks Generic Routing Encapsulation packets belong to it.
Second pf couldn't statefully filter non-tcp/udp protocols. Now it can.

Make a custom kernel without GRE support. To do this edit
/usr/src/sys/conf/GENERIC not /usr/src/sys/arch/i386/conf/GENERIC. This
should allow gre to be passed for 3.0.

That being said, you can't statefully filter these packets. You will
need to have a pass in gre all / pass out gre all rule in there. 3.1 is
much better, rebuild to 3.1 stable, should only take a few hours of
playing tetris/solitaire/minesweeper/mumbleypeg and your frustration
level will go down as the quality of your system binaries goes up.
Daniel Hartmeier
2002-07-02 00:25:48 UTC
Post by meeps
pass in all
pass out all
and *still* can't pptp through my 3.0 firewall to my corporate pptp server,
from tcpdump it would appear there is still a problem passing gre, is there
something im blatantly missing here? is there a problem with the version of
pf included in 3.0?? thanks...
There might be IP options on those packets, which pf blocks by default.
Try 'pass ... allow-opts', and if that solves it, add 'allow-opts' to
the smallest subset of rules (passing GRE) of your real rule set.

Daniel
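The two approaches discussed in this thread side by side, as an added pf.conf illustration that is not from any of the posters. It assumes the interface macros below, uses 192.168.168.2 from the original question, and uses a placeholder address for the corporate PPTP server; NAT for the client is assumed to be configured separately (nat.conf on these releases).

```pf
# Added illustration, not from the thread. Interface names and the
# server address are assumptions / placeholders.
ExtIF    = "ne1"              # assumption: external interface
IntIF    = "ne2"              # assumption: internal interface
client   = "192.168.168.2"    # the XP client from the thread
pptp_srv = "203.0.113.10"     # PLACEHOLDER: corporate PPTP server

# --- pf on OpenBSD 3.0 ---------------------------------------------------
# pf cannot keep state for non-TCP/UDP here, so GRE (IP protocol 47) must
# be passed explicitly in both directions on both interfaces.  allow-opts
# lets through packets carrying IP options, which pf drops by default
# (Daniel's suggestion).  Robert's kernel caveat still applies: with
# gre(4) compiled in and ip forwarding on, the host may claim the GRE
# packets itself before pf ever forwards them.
pass out on $ExtIF inet proto tcp from any to $pptp_srv port 1723 keep state
pass in  on $ExtIF inet proto gre from $pptp_srv to any allow-opts
pass out on $ExtIF inet proto gre from any to $pptp_srv allow-opts
pass in  on $IntIF inet proto gre from $client   to $pptp_srv allow-opts
pass out on $IntIF inet proto gre from $pptp_srv to $client   allow-opts

# --- pf on OpenBSD 3.1 ---------------------------------------------------
# State can now be kept for GRE, so the outbound rules create the state
# that the returning control-channel and GRE packets match.  No blanket
# "pass in ... proto gre" on the external interface is needed.
pass out on $ExtIF inet proto tcp from any to $pptp_srv port 1723 keep state
pass out on $ExtIF inet proto gre from any to $pptp_srv keep state
pass in  on $IntIF inet proto tcp from $client to $pptp_srv port 1723 keep state
pass in  on $IntIF inet proto gre from $client to $pptp_srv keep state
```

To confirm which side is dropping traffic, watch the external interface with `tcpdump -ni ne1 proto gre` (interface name assumed) and compare it against pf's log interface with `tcpdump -n -e -ttt -i pflog0` while the tunnel is brought up.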
