|
|||
PF Blocking VPN Traffic
Hello all,
I am having difficulty allowing VPN traffic to pass through my firewall. I have tried various combination's with the below being my latest. Code:
pass on $ext_if proto esp from any to any pass on $ext_if proto udp from any to any port {isakmp, ipsec-nat-t} pass on $int_if proto esp from any to any pass on $int_if proto udp from any to any port {isakmp, ipsec-nat-t} Hope someone can assist. Thanks! |
|
|||
You can assist your self by using a block log all default policy and then use tcpdump on the pflog0 device to see which packets are being blocked .
Code:
# tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
A VPN could be built with gre and PPTP, but this is not generally done when you use ESP, one of the IPSEC protocols.
Way back in 2004 on bsdforums.org I assisted Dachozenone with a pf.conf for a VPN using ESP. http://74.125.77.132/bsd?q=cache:tsI...&hl=en&strip=1 The secret is to allow enc0 traffic and UDP port 500.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
Hello J65nko
I have realized my error (I think) Since I am not actually hosting the VPN on the OpenBSD box the traffic coming to it is not actually "VPN" but standard traffic at that point. I added a rule to permit the IP address block for the VPN users and traffic flowed. I am curious if this is the best way to do this. IF someone where somehow able to "spoof" the source IP of the VPN traffic would they be permitted in then? My network looks something like this: [firewall w/ VPN] <--> [OpenBSD FW] <-> rest of network Thanks |
|
|||
If your firewall VPN uses certificates or public key authentication and tightly filters the non-VPN traffic I don't think you have to worry about that.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
hmm... alright well I presume it is filtering correctly via rules and also NAT is enabled.
Thank you for your help. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
See what process is generating DNS traffic? | Bruco | FreeBSD General | 3 | 2nd July 2009 05:57 PM |
Dynamic Traffic Shaping | LordZ | OpenBSD Security | 6 | 19th January 2009 04:30 PM |
Firewall Blocking Good Traffic | plexter | OpenBSD Security | 6 | 8th January 2009 05:58 PM |
PF Blocking | schrodinger | OpenBSD Security | 6 | 6th October 2008 10:33 PM |
Suggestions for Web Traffic Logging? | Bruco | FreeBSD Ports and Packages | 16 | 18th September 2008 10:54 PM |