[ previous ] [ next ] [ threads ]
 From:  Brett <monoinfo at slick dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  PPTP and port blocking / restricting - defnitive answer
 Date:  Thu, 23 Dec 2004 18:09:48 -0800
I offer great praise to the person who can answer my questions definitively!

I read the FAQ and many threads in the archive and can't seem to get a 
definitive answer that is consistent with my results.  I want to use the 
built-in PPTP server but I want to disable access to certain interfaces 
(specifically the WAN interface). 

I am running version * 1.11, *built on Thu Nov 11 23:02:41 CET 2004.

The FAQ at http://m0n0.ch/wall/docbook/faq-limitpptp.html reads, 
"Configure your firewall rules on the WAN interface permitting TCP 1723 
only from hosts you want to use PPTP.".  This suggestion is supported by 
several postings in the archive. 

I added these rules (and various flavors of these rules) to my "WAN 

1: BLOCK proto TCP, src: *, port: *, dest: *, port: 1723
2: BLOCK proto GRE, src: *, port: *, dest: *, port: *

When I do a remote scan of the WAN interface, TCP port 1723 is open.  I 
have tried changing the dest address to the WAN interface address with 
the same results.  At one point I used a sledge hammer and blocked 
everything - 1723 was still open.

When I look at the status.php page, I see something that looks like port 
1723 is getting redirected even before my first blocking rule is 
considered.  I did not add this rule - it would have to be something 
that m0n0wall adds by default.  I am not sure if this might be the 
source of the problem (if it is, I am not sure what I can do about it).

Okay, my questions with the promise of "great praise" for the definitive 

1.  Is it possible to enable the PPTP server and disable access on a 
specific interface (either through port blocking or otherwise).

2.  If the answer to #1 is yes, how or what rule(s) should be added?  
Please be explicit, not just "block 1723" (even if your response treats 
me like an idiot, I will praise you if it helps!). 

3.  If the answer to #1 is no, who do I need to contact to update the 
FAQ.  Hopefully this thread will correct any confusion from earlier posts.

And a few comments... I really like m0n0wall so far.. easy to setup, no 
hard drive, good basic functionality and a great price.  I am not a big 
fan of the "behind the scenes" rules (any rule that is added without it 
being listed on the rules page) - I think they create an unnecessary 
security risk.  I would prefer to see a feature on the PPTP setup page 
that would add the rule for you (with a confirmation) to make it easy 
for the average user, but then the rule would be visible on the rules 

Thanks in advance to anybody that helps with this!


And just to help make this thread a good reference, some links to other 
threads on this subject: