[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Using m0n0wall as a remote PPTP/VPN server
 Date:  Fri, 3 Jun 2005 21:57:43 -0400
On 6/3/05, Chris Van Vorous <m0unds at speakeasy dot net> wrote:
> 
> Well, I removed the firewall and NAT rules that dealt with the PPTP traffic,
> and instead of getting a blocked GRE protocol message in the firewall, I get
> this:
> 
>  08:38:02.216056WANIP.IP.IP.IP, port 50681IP.IP.IP.IP port 1723TCP
>  08:37:59.203420WANIP.IP.IP.IP, port 50681IP.IP.IP.IP, port 1723TCP
>  08:37:56.692952WANIP.IP.IP.IP, port 50681IP.IP.IP.IP, port 1723TCP
> What do you think would cause the migration from blocking GRE traffic to
> blocking TCP traffic across that port? I was under the impression that
> m0n0's default ruleset was to deny all.
> 

It is, but enabling PPTP automatically opens GRE and 1723 TCP on the
WAN IP with hidden rules (you can see the full ruleset on status.php).

Look at status.php and you should see rules like the following (just
do a search for 1723 to find them quickly):

@1 pass in quick proto gre from any to wan.ip/32 keep state group 200
@2 pass in quick proto tcp from any to wan.ip/32 port = 1723 keep
state group 200

With PPTP enabled, blocked 1723 should be impossible.  You see those
rules there?

-Chris