 From:  Andre Maoro <andre at maoro dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] OpenVPN major issues
 Date:  Tue, 26 Oct 2004 19:01:08 +0200
---Sorry, last mail came back because it was too large---

Alright, here is the output. I also attached a screenshot of my rules ;)
This is my current configuration, but as I said, I tried more than this *g*
Oh, nearly forgot: "Home" is my OpenVPN client interface...

Greets,
Andre

----
*ipnat rules*

map de1 192.168.101.0/24 -> 0/32 proxy port ftp ftp/tcp
map de1 192.168.101.0/24 -> 0/32 portmap tcp/udp auto
map de1 192.168.101.0/24 -> 0/32
map de1 0.0.0.0/0 -> 0/32 proxy port ftp ftp/tcp
map de1 0.0.0.0/0 -> 0/32 portmap tcp/udp auto
map de1 0.0.0.0/0 -> 0/32
map de1 192.168.101.16/28 -> 0/32 proxy port ftp ftp/tcp
map de1 192.168.101.16/28 -> 0/32 portmap tcp/udp auto
map de1 192.168.101.16/28 -> 0/32

# PPTP
rdr de1 0/0 port 0 -> 127.0.0.1 port 0 gre
rdr de1 0/0 port 1723 -> 127.0.0.1 port 1723 tcp

------------------------------------------------------------------------------------------------------

*ipf rules*

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on de0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on de0 proto udp from any port = 68 to 192.168.101.254 port = 67
pass out quick on de0 proto udp from 192.168.101.254 port = 67 to any port = 68

# WAN spoof check
block in log quick on de1 from 192.168.101.0/24 to any
block in log quick on de1 from 0.0.0.0/0 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on de1 proto udp from any port = 68 to any port = 67
block in log quick on de1 proto udp from any port = 67 to 192.168.101.0/24 port = 68
pass in quick on de1 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on de0 from ! 192.168.101.0/24 to any
block in log quick on tap1 from ! 0.0.0.0/0 to any

# block anything from private networks on WAN interface
block in log quick on de1 from 10.0.0.0/8 to any
block in log quick on de1 from 127.0.0.0/8 to any
block in log quick on de1 from 172.16.0.0/12 to any
block in log quick on de1 from 192.168.0.0/16 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on de0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on de0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on de1 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on de1 all keep state

#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on tap1 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on tap1 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.101.0/24 to 192.168.101.254 keep state group 100

# PPTP rules
pass in quick proto gre from any to 127.0.0.1 keep state group 200
pass in quick proto tcp from any to 127.0.0.1 port = 1723 keep state group 200

# User-defined rules follow
pass in quick proto udp from any to any port = 5001 keep state keep frags group 200
pass in quick from any to any keep state group 300
pass in quick from 192.168.101.0/24 to any keep state group 100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all
------------------------------------------------------------------------
*ipf rules*

add 50000 set 4 pass all from 192.168.101.254 to any
add 50001 set 4 pass all from any to 192.168.101.254
----



Vincent Fleuranceau wrote:

> -------- Original Message --------
>
>> Hi Vincent!
>>
>> Your script doesn't seem to work with the new m0n0wall release (1.2b2).
>> I get following error message, when I try to open the script:
>> "500 Internal Error
>
>
> It works here with 1.2b2 ;-)
>
> This is because it must have the Unix encoding (ends of lines) and it 
> seems my Mozilla e-mail client breaks such things when I attach files...
>
> I've attached a ZIP version that prevents the issue from happening. 
> Try this, if you can open the ZIP file...
>
> If you can't and are on a Unix platform, try to open + save the file 
> in a decent editor which lets you specify the encoding you want. I use 
> Jext (from www.jext.org) on Windows. There must be conversion tools, too.
>
> Regards,
>
> -- Vincent
>
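Added example, not part of this thread and not m0n0wall or IPFilter code: a small Python tracer for the subset of ipf(5) syntax used in the ruleset posted above, so a reader can see which rule a given packet ends up hitting. It implements the ipf evaluation order as documented in ipf(5): rules are walked top to bottom, the last matching rule wins unless a match is `quick`, `skip N` skips the next N rules, and a matching `head N` rule descends into group N, whose verdict (if any) replaces the head rule's own. `log`, `keep state` and `keep frags` are parsed but ignored, so there is no state table and no NAT: only the first packet of a flow is modelled. The ruleset inside the block is an abridged copy of the posted ipf rules (the LAN group-100 rules are left out); the packets, the interface names being reused from the post, the function names (`parse_rule`, `matches`, `evaluate`) and the addresses 203.0.113.5, 198.51.100.7, 10.8.0.2 and 192.168.101.10 are constructed for the example. A result of `None` means no rule in the list matched, which ipf treats as pass.

```python
import ipaddress

def parse_rule(text):
    """Parse one ipf rule line (subset of ipf(5) syntax) into a dict."""
    t = text.split()
    r = {"text": text, "action": t[0], "skip": 0, "quick": False, "iface": None,
         "proto": None, "src": None, "dst": None, "sport": None, "dport": None,
         "flags": None, "head": None, "group": "0"}
    i = 1
    if r["action"] == "skip":                   # 'skip N': skip the next N rules
        r["skip"], i = int(t[1]), 2
    r["dir"], i = t[i], i + 1
    while i < len(t):
        w = t[i]
        if w in ("log", "all"):                 # logging does not affect the verdict
            i += 1
        elif w == "quick":
            r["quick"], i = True, i + 1
        elif w in ("on", "proto", "head", "group"):
            r["iface" if w == "on" else w], i = t[i + 1], i + 2
        elif w in ("from", "to"):
            side = "src" if w == "from" else "dst"
            neg = t[i + 1] == "!"               # '! net' inverts the address test
            i += 2 if neg else 1
            a = None if t[i] == "any" else ipaddress.ip_network(t[i], strict=False)
            r[side], i = (neg, a), i + 1
            if i < len(t) and t[i] == "port":   # 'port = N'
                r["sport" if side == "src" else "dport"], i = int(t[i + 2]), i + 3
        elif w == "flags":                      # 'flags S/SAFR' -> (must be set, mask)
            must, mask = t[i + 1].split("/")
            r["flags"], i = (set(must), set(mask)), i + 2
        elif w == "keep":                       # keep state / keep frags: no state table here
            i += 2
        else:
            raise ValueError("unsupported token %r in: %s" % (w, text))
    r["head"] = None if r["head"] is None else int(r["head"])
    r["group"] = int(r["group"])
    return r

def matches(r, p):
    """True if packet dict p satisfies every selector of rule r."""
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if r["proto"] and p["proto"] != r["proto"]:
        return False
    for side, port in (("src", "sport"), ("dst", "dport")):
        if r[side] and r[side][1] is not None and \
                (ipaddress.ip_address(p[side]) in r[side][1]) == r[side][0]:
            return False                        # membership must differ from the '!' flag
        if r[port] is not None and p.get(port) != r[port]:
            return False
    if r["flags"] and (p.get("flags", set()) & r["flags"][1]) != r["flags"][0]:
        return False
    return True

def evaluate(rules, p, group=0):
    """Walk one ipf list: last match wins, 'quick' stops, 'skip N' skips, 'head N' descends
    into group N (its verdict replaces the head's). Returns (action, quick, text) or None."""
    last, skip = None, 0
    for r in (x for x in rules if x["group"] == group):
        if skip:
            skip -= 1
            continue
        if not matches(r, p):
            continue
        if r["action"] == "skip":
            skip = r["skip"]
            continue
        hit = (r["action"], r["quick"], r["text"])
        if r["head"] is not None:
            hit = evaluate(rules, p, r["head"]) or hit
        last = hit
        if hit[1]:                              # quick: stop processing
            break
    return last

# Abridged from the ruleset posted above (wrapped lines joined, LAN group left out).
RULESET = [parse_rule(l) for l in """\
block in log quick on de1 from 192.168.101.0/24 to any
block in log quick on tap1 from ! 0.0.0.0/0 to any
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
block in log quick on de1 all head 200
block in log quick on tap1 all head 300
pass in quick proto udp from any to any port = 5001 keep state keep frags group 200
pass in quick from any to any keep state group 300
block in log quick all""".splitlines()]

# Constructed packets; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
OPENVPN_IN = {"dir": "in", "iface": "de1", "proto": "udp",
              "src": "203.0.113.5", "dst": "198.51.100.7", "dport": 5001}
SSH_SYN_IN = dict(OPENVPN_IN, proto="tcp", dport=22, flags={"S"})
SSH_ACK_IN = dict(SSH_SYN_IN, flags={"A"})           # mid-stream segment, not a SYN
TUNNEL_IN = dict(SSH_SYN_IN, iface="tap1", src="10.8.0.2", dst="192.168.101.10", dport=80)
SPOOFED_IN = dict(OPENVPN_IN, src="192.168.101.5")  # LAN source arriving on WAN

if __name__ == "__main__":
    print(*(evaluate(RULESET, p) for p in (OPENVPN_IN, SSH_SYN_IN, SSH_ACK_IN, TUNNEL_IN, SPOOFED_IN)), sep="\n")
```

Running it shows the OpenVPN UDP/5001 packet being passed by the user rule in group 200, a TCP SYN to any other WAN port falling through the empty part of group 200 to the `head 200` block, a non-SYN TCP segment being stopped earlier by the `block in log quick proto tcp all` rule that the `skip 1` only bypasses for SYNs, and a packet arriving on tap1 being passed by the group-300 rule. The tracer also makes one property of the posted rules visible: a spoof check written as `from ! 0.0.0.0/0` can never match anything, because the negated network covers every address.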