PF Blocking VPN Traffic
Hello all,
I am having difficulty allowing VPN traffic to pass through my firewall. I have tried various combinations, with the below being my latest. Code:
pass on $ext_if proto esp from any to any
pass on $ext_if proto udp from any to any port {isakmp, ipsec-nat-t}
pass on $int_if proto esp from any to any
pass on $int_if proto udp from any to any port {isakmp, ipsec-nat-t}
Hope someone can assist. Thanks!
You can assist yourself by using a block log all default policy and then use tcpdump on the pflog0 device to see which packets are being blocked.
Code:
# tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
A VPN could be built with gre and PPTP, but this is not generally done when you use ESP, one of the IPSEC protocols.
Way back in 2004 on bsdforums.org I assisted Dachozenone with a pf.conf for a VPN using ESP. http://74.125.77.132/bsd?q=cache:tsI...&hl=en&strip=1 The secret is to allow enc0 traffic and UDP port 500.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
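Putting the two replies above together (a logged default deny, then explicit passes for IKE on UDP 500, NAT-T on UDP 4500, ESP, and the decrypted traffic on enc0), here is an added example pf.conf for the case where the OpenBSD box itself terminates the IPsec tunnel. It is not from this thread or from the OpenBSD FAQ; the interface names, the peer address and the LAN range are assumptions, and the enc0 rule style is the OpenBSD 4.x form, so check your release's pf.conf(5) before copying it.

```pf
# Added example, not from the thread. All names and addresses are assumed.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.10.0/24"     # assumed internal network
vpn_peer = "203.0.113.5"        # assumed remote IPsec gateway

set skip on lo0

# Default deny, logged: anything that lands here shows up on pflog0,
# which is what "tcpdump -eni pflog0" reads.
block log all

# The gateway's own outbound traffic, with state.
pass out on $ext_if keep state
pass out on $int_if keep state

# IKE (UDP 500) and NAT-T (UDP 4500) from the peer to this gateway only.
pass in on $ext_if proto udp from $vpn_peer to ($ext_if) port { 500, 4500 }

# ESP carries the encrypted payload and has no ports to filter on.
pass in on $ext_if proto esp from $vpn_peer to ($ext_if)

# After decryption the packets reappear on enc0; filter them there by the
# inner addresses rather than trusting everything that came out of the tunnel.
pass in on enc0 proto ipencap from $vpn_peer to ($ext_if) keep state (if-bound)
pass in on enc0 from any to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to any keep state (if-bound)
```

Load it with `pfctl -f /etc/pf.conf`, then bring the tunnel up and watch `tcpdump -eni pflog0`: every drop is logged by the default rule, so the rule number and protocol in the log line tell you which pass rule is still missing.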
Hello J65nko
I have realized my error (I think). Since I am not actually hosting the VPN on the OpenBSD box, the traffic coming to it is not actually "VPN" but standard traffic at that point. I added a rule to permit the IP address block for the VPN users and traffic flowed. I am curious if this is the best way to do this. If someone were somehow able to "spoof" the source IP of the VPN traffic, would they be permitted in then? My network looks something like this:
[firewall w/ VPN] <--> [OpenBSD FW] <--> rest of network
Thanks
If your firewall VPN uses certificates or public key authentication and tightly filters the non-VPN traffic I don't think you have to worry about that.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
hmm... alright well I presume it is filtering correctly via rules and also NAT is enabled.
Thank you for your help.
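For the topology the original poster ended up with (the VPN terminates on the upstream firewall, so the OpenBSD box only sees already-decrypted traffic), here is an added example of the "permit the VPN users' address block" rule written with a table and a logged default deny. It is not from the thread; interface names, the LAN range and the VPN address pool are assumptions.

```pf
# Added example, not from the thread. Names and address ranges are assumed.
ext_if  = "em0"                 # toward the firewall that hosts the VPN
int_if  = "em1"                 # toward the rest of the network
lan_net = "192.168.10.0/24"     # assumed internal network

# Assumed address pool the VPN gateway hands out to remote users.
table <vpn_users> { 10.8.0.0/24 }

set skip on lo0

# Default deny, logged, so "tcpdump -eni pflog0" shows what is still blocked.
block log all

# Packets arriving on $ext_if that claim a source inside the LAN are
# dropped and logged before any pass rule is consulted.
antispoof log quick for { $int_if }

# VPN-user traffic arrives as plain IP. Admit only the pool, only to the LAN.
pass in  on $ext_if from <vpn_users> to $lan_net keep state
pass out on $int_if from <vpn_users> to $lan_net keep state

# LAN-originated traffic and the return path.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from $lan_net to any keep state
```

Two points on the spoofing question raised above. `antispoof` protects the LAN prefixes: a packet on $ext_if with a 192.168.10.x source can only be forged, so it is dropped. It cannot do the same for the pool itself, because genuine pool addresses legitimately arrive on $ext_if; pf has no way to tell a real 10.8.0.x packet from a forged one on that wire. That is exactly why the reply above points at the VPN gateway's authentication and its filtering of non-VPN traffic: the transit firewall narrows what the pool may reach, while the gateway is what vouches for who is behind those addresses.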