I have a Bering leaf 1.2 firewall. I'm trying to allow PCs in the internal network to connect to an external pptp server. I have the following kernel modules loaded:

ip_nat_proto_gre 1012 0 (unused)
ip_nat_h323 2656 0 (unused)
ip_nat_irc 2176 0 (unused)
ip_nat_ftp 2784 0 (unused)
ip_conntrack_pptp 2124 1
ip_conntrack_proto_gre 1728 0 [ip_conntrack_pptp]
ip_conntrack_h323 2336 3
ip_conntrack_irc 2880 0 (unused)
ip_conntrack_ftp 3648 0 (unused)

I have ip_nat_pptp set to load on boot as well but when it loads it comes up with Input/output error. I don't know if this is significant.

and I have also added

ip_conntrack_proto_gre
ip_conntrack_pptp
ip_nat_proto_gre
ip_nat_pptp

to the shorewall modules file but I have not added any rules to shorewall for the pptp connections.

When they try to connect to the pptp server with a client it authenticates on the server but I then get the following errors in shorewall and the client fails to connect.

Oct 3 18:42:03 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=65 TOS=00 PREC=0x00 TTL=55 ID=55841 DF PROTO=47
Oct 3 18:42:04 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=74 TOS=00 PREC=0x00 TTL=55 ID=55842 DF PROTO=47

Where 203.113.155.73 is the external IP address of the firewall and 203.88.65.186 is the pptp server.

It looks to me like the firewall is not masquerading the proto 47 pptp connections correctly. Is there something I'm missing? Do I have to add any rules to shorewall for the clients or is there a module I'm not loading correctly?

-Stephen
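As an added diagnostic example (not from this thread or from Shorewall itself): a small Python parser for Shorewall's netfilter log lines that pulls out exactly the dropped PROTO=47 entries quoted above. The two sample lines and both addresses are the ones from Stephen's post; the field names are the standard netfilter LOG fields, and the "GRE return traffic not handed back to the inside client" reading is Stephen's own hypothesis, encoded as the check.

```python
import re
from typing import Dict, List, Optional

# Two DROP entries taken from the post above; the firewall's external
# address and the PPTP server address are the ones given there.
SAMPLE_LOG = """\
Oct 3 18:42:03 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=65 TOS=00 PREC=0x00 TTL=55 ID=55841 DF PROTO=47
Oct 3 18:42:04 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:40:f4:18:30:7f:ff:40:f5:77:57:e7:08:00 SRC=203.88.65.186 DST=203.113.155.73 LEN=74 TOS=00 PREC=0x00 TTL=55 ID=55842 DF PROTO=47
"""
FIREWALL_EXT_IP = "203.113.155.73"
PPTP_SERVER = "203.88.65.186"
GRE = "47"  # IP protocol number carried by PPTP data traffic

# Shorewall prefixes each netfilter LOG entry with "Shorewall:<chain>:<action>:"
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):")


def parse_shorewall_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Shorewall/netfilter log line into a dict of KEY=VALUE fields.
    Returns None for lines that are not Shorewall log messages."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in line[m.end():].split():
        key, sep, val = tok.partition("=")
        # Flag tokens such as DF carry no '='; OUT= is present but empty
        # for packets addressed to the firewall itself.
        fields[key] = val if sep else "1"
    return fields


def diagnose_gre_drops(log: str, ext_ip: str, server: str) -> List[str]:
    """Return one finding per GRE packet from the PPTP server that the
    firewall dropped on its own external address, i.e. GRE return traffic
    that reached the net2all policy instead of being related by conntrack
    to an inside client's control connection and NATed back to it."""
    findings = []
    for line in log.splitlines():
        f = parse_shorewall_line(line)
        if not f or f["action"] != "DROP" or f.get("PROTO") != GRE:
            continue
        if f.get("SRC") == server and f.get("DST") == ext_ip and f.get("OUT") == "":
            findings.append(
                f"GRE from {server} dropped in {f['chain']} on {f['IN']} (id {f['ID']})"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose_gre_drops(SAMPLE_LOG, FIREWALL_EXT_IP, PPTP_SERVER):
        print(finding)
```

Feed it `/var/log/messages` (or wherever Shorewall logs on the box) with the real external address and server; if every GRE packet from the server shows up as a net2all DROP with an empty OUT=, the NAT helper is not claiming the GRE stream at all.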
On Sun, 5 Oct 2003, Stephen Pritchard wrote:

> I have ip_nat_pptp set to load on boot as well but when it loads it comes
> up with Input/output error I don't know if this is significant.
>
> and I have also added
>
> ip_conntrack_proto_gre
> ip_conntrack_pptp
> ip_nat_proto_gre
> ip_nat_pptp
>
> to the shorewall modules file but I have not added any rules to shorewall
> for the pptp connections.
>

The standard loc->net ACCEPT policy is all you should need.

> When they try to connect to the pptp server with a client it authenticates
> on the server but I then get the following errors in shorewall and the
> client fails to connect.
>

You had better post on the LEAF list. Those modules are from Patch-O-Matic and are not in the standard kernels. I don't use them and I can't help you with problems involving their use.

That having been said, I use PPTP every day in my work and the only relevant configuration parameter is the loc->net ACCEPT policy mentioned above (and I don't build or load any of the modules listed above).

-Tom

Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net