(sorry if I've sent this message twice, I wasn't subscribed to the mailing list prior to the first one)

Hi All,

I am using shorewall 4.4.26.1 with pptp server.

As you probably know, pptp server creates a separate pppX interface per client connection.
I am able to establish client connections to server, but the problem is - I can't get routing between pptp clients to work.

Example:
I've connected two PCs with assigned IPs 10.0.0.2 and 10.0.0.3.
When I am trying to ping one client from another - I am getting the following messages:

Aug 27 20:39:42 gserver kernel: [27639.468208] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=1
Aug 27 20:39:43 gserver kernel: [27640.469536] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=2
Aug 27 20:39:44 gserver kernel: [27641.470040] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=3
Aug 27 20:39:45 gserver kernel: [27642.470050] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=4

When I am changing the all-to-all policy from the default "all all REJECT" to "all all ACCEPT" - the problem disappears, but I don't think that allowing all-to-all traffic is a good idea.

From what I understand, somehow my pptp network isn't mapped to the vpn zone in the case where source and destination are pppX interfaces.
(My goal is to have pptp clients fully separated from the local network, but I need routing between them.)

Shorewall configuration:

/etc/shorewall/interfaces:
loc eth0 detect tcpflags,routefilter
net eth1 detect tcpflags,dhcp,routefilter
vpn ppp+

/etc/shorewall/zones:
fw firewall
loc ipv4
net ipv4
vpn ipv4

/etc/shorewall/tunnels:
pptpserver loc 0.0.0.0/0

(Ultimately I would like to use the pptp server from the physical "loc" and "net" zones simultaneously, but for testing I am initiating pptp client connections from the "loc" zone. Anyway, it seems it doesn't matter which zone I am defining here; I was defining "net" here and was able to establish a connection from "loc".)

/etc/shorewall/policy:
$FW loc ACCEPT
$FW net ACCEPT
$FW vpn ACCEPT
$FW all REJECT info
loc $FW ACCEPT
loc net ACCEPT
loc vpn REJECT info
loc all REJECT info
net $FW DROP
net loc DROP
net vpn DROP
net all DROP
vpn $FW ACCEPT
vpn loc REJECT info
vpn net ACCEPT
vpn all REJECT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

pptpd configuration:
logwtmp
localip 10.0.0.1
remoteip 10.0.0.2-254

My network setup is as follows:
eth0 - local network 192.168.0.0/255.255.255.0
eth1 - internet provider, dhcp

Shorewall dump is attached (the dump was taken right after unsuccessful ping attempts between clients).

(To configure pptp I was using the http://www.shorewall.net/PPTP.htm howto; from what I see, this hasn't been maintained for a long time, but everything works except the mentioned issue.)

Please let me know what I am doing wrong. I have spent a lot of time trying to resolve my problem, but can't find appropriate info anywhere on the net; it seems that the only source of information for pptp+shorewall is the unmaintained pptp howto, and other sources just use the configuration from there.
--
Best Regards,
Hennadiy Brych

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
(disabled html formatting, should be fine now)

Hi All,

I am using shorewall 4.4.26.1 with pptp server.

As you probably know, pptp server creates a separate pppX interface per client connection.
I am able to establish client connections to server, but the problem is - I can't get routing between pptp clients to work.

Example:
I've connected two PCs with assigned IPs 10.0.0.2 and 10.0.0.3.
When I am trying to ping one client from another - I am getting the following messages:

Aug 27 20:39:42 gserver kernel: [27639.468208] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=1
Aug 27 20:39:43 gserver kernel: [27640.469536] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=2
Aug 27 20:39:44 gserver kernel: [27641.470040] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=3
Aug 27 20:39:45 gserver kernel: [27642.470050] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=4

When I am changing the all-to-all policy from the default "all all REJECT" to "all all ACCEPT" - the problem disappears, but I don't think that allowing all-to-all traffic is a good idea.

From what I understand, somehow my pptp network isn't mapped to the vpn zone in the case where source and destination are pppX interfaces.
(My goal is to have pptp clients fully separated from the local network, but I need routing between them.)

Shorewall configuration:

/etc/shorewall/interfaces:
loc eth0 detect tcpflags,routefilter
net eth1 detect tcpflags,dhcp,routefilter
vpn ppp+

/etc/shorewall/zones:
fw firewall
loc ipv4
net ipv4
vpn ipv4

/etc/shorewall/tunnels:
pptpserver loc 0.0.0.0/0

(Ultimately I would like to use the pptp server from the physical "loc" and "net" zones simultaneously, but for testing I am initiating pptp client connections from the "loc" zone. Anyway, it seems it doesn't matter which zone I am defining here; I was defining "net" here and was able to establish a connection from "loc".)

/etc/shorewall/policy:
$FW loc ACCEPT
$FW net ACCEPT
$FW vpn ACCEPT
$FW all REJECT info
loc $FW ACCEPT
loc net ACCEPT
loc vpn REJECT info
loc all REJECT info
net $FW DROP
net loc DROP
net vpn DROP
net all DROP
vpn $FW ACCEPT
vpn loc REJECT info
vpn net ACCEPT
vpn all REJECT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

pptpd configuration:
logwtmp
localip 10.0.0.1
remoteip 10.0.0.2-254

My network setup is as follows:
eth0 - local network 192.168.0.0/255.255.255.0
eth1 - internet provider, dhcp

Shorewall dump is attached (the dump was taken right after unsuccessful ping attempts between clients).

(To configure pptp I was using the http://www.shorewall.net/PPTP.htm howto; from what I see, this hasn't been maintained for a long time, but everything works except the mentioned issue.)

Please let me know what I am doing wrong. I have spent a lot of time trying to resolve my problem, but can't find appropriate info anywhere on the net; it seems that the only source of information for pptp+shorewall is the unmaintained pptp howto, and other sources just use the configuration from there.
--
Best Regards,
Hennadiy Brych
On 08/27/2012 11:57 AM, Hennadiy Brych wrote:
> (disabled html formatting, should be fine now)
> Hi All,
>
> I am using shorewall 4.4.26.1 with pptp server.
>
> As you probably know, pptp server creates separate pppX interface per
> client connection.
> I am able to establish client connections to server, but the problem
> is - I can't get routing between pptp clients to work.
>
> Example:
> I've connected two PC's with assigned IP's 10.0.0.2 and 10.0.0.3.
> When I am trying to ping one client from another - I am getting
> following messages:
> Aug 27 20:39:42 gserver kernel: [27639.468208]
> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=6141 SEQ=1
> Aug 27 20:39:43 gserver kernel: [27640.469536]
> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=6141 SEQ=2
> Aug 27 20:39:44 gserver kernel: [27641.470040]
> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=6141 SEQ=3
> Aug 27 20:39:45 gserver kernel: [27642.470050]
> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=6141 SEQ=4
>

Hint: Shorewall FAQ 17 (http://www.shorewall.net/FAQ.htm#faq17). You need the 'routeback' option on the ppp+ entry in /etc/shorewall/interfaces.

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On 08/28/2012 04:57 AM, Hennadiy Brych wrote:
> (disabled html formatting, should be fine now)
> Hi All,
>
> I am using shorewall 4.4.26.1 with pptp server.

BTW, it's not related to your question, but PPTP is now considered completely broken as a VPN. You should begin planning a move to OpenVPN or IPsec as soon as possible. See http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 for more info.

Paul
Tom, thank you very much!

Silly me, somehow I managed to miss the FAQ17 wildcard info (I read it, but the note "This option does not work with a wild-card interface name" on routefilter, which should be used with routeback, totally misled me, and the sfilter parameter was somehow not clear to me).

Everything is working now; in case someone has the same problem, here's my final /etc/shorewall/interfaces:

loc eth0 detect tcpflags,routefilter
net eth1 detect tcpflags,dhcp,routefilter
vpn ppp+ detect sfilter=192.168.0.0/24,routeback

On Mon, Aug 27, 2012 at 10:33 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 08/27/2012 11:57 AM, Hennadiy Brych wrote:
>> (disabled html formatting, should be fine now)
>> Hi All,
>>
>> I am using shorewall 4.4.26.1 with pptp server.
>>
>> As you probably know, pptp server creates separate pppX interface per
>> client connection.
>> I am able to establish client connections to server, but the problem
>> is - I can't get routing between pptp clients to work.
>>
>> Example:
>> I've connected two PC's with assigned IP's 10.0.0.2 and 10.0.0.3.
>> When I am trying to ping one client from another - I am getting
>> following messages:
>> Aug 27 20:39:42 gserver kernel: [27639.468208]
>> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
>> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
>> TYPE=8 CODE=0 ID=6141 SEQ=1
>> Aug 27 20:39:43 gserver kernel: [27640.469536]
>> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
>> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
>> TYPE=8 CODE=0 ID=6141 SEQ=2
>> Aug 27 20:39:44 gserver kernel: [27641.470040]
>> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
>> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
>> TYPE=8 CODE=0 ID=6141 SEQ=3
>> Aug 27 20:39:45 gserver kernel: [27642.470050]
>> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2
>> DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
>> TYPE=8 CODE=0 ID=6141 SEQ=4
>>
>
> Hint: Shorewall FAQ 17 (http://www.shorewall.net/FAQ.htm#faq17). You
> need the 'routeback' option on the ppp+ entry in /etc/shorewall/interfaces.
>
> -Tom
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

--
Best Regards,
Hennadiy Brych
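The reject messages in the first post and the routeback fix above are a standard FAQ 17 pattern: a packet that arrives on one interface of a zone and is routed out another interface of the same zone is refused by FORWARD unless that zone's interface entry carries routeback. The following script is an added example (not from this thread or from the Shorewall project) that detects that pattern from the firewall's own logs: it parses the /etc/shorewall/interfaces lines quoted in the thread (wildcard entries such as ppp+ included), maps the IN= and OUT= interfaces of each Shorewall FORWARD reject to their zones, and reports any reject whose two interfaces belong to one zone whose entry lacks routeback. Run against the four kernel lines from the first post, it flags all four with the original interfaces file and nothing with the corrected one. The parser assumes the older ZONE INTERFACE BROADCAST OPTIONS column layout used in this thread; option values such as sfilter=192.168.0.0/24 are recorded by name only, not enforced; all function names are this example's own.

```python
"""Detect Shorewall intra-zone ("hairpin") FORWARD rejects that the 'routeback'
interface option would resolve (Shorewall FAQ 17).

Added example; not code from the thread or from Shorewall. The interfaces
lines and kernel log lines below are the ones quoted in the thread. The
interfaces parser assumes the older ZONE INTERFACE BROADCAST OPTIONS layout.
"""
import re
from dataclasses import dataclass, field

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE pairs
LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as "DF" carry no "=" and are skipped

# Constructed from the thread: /etc/shorewall/interfaces before and after the fix
INTERFACES_BEFORE = """\
loc eth0 detect tcpflags,routefilter
net eth1 detect tcpflags,dhcp,routefilter
vpn ppp+
"""
INTERFACES_AFTER = """\
loc eth0 detect tcpflags,routefilter
net eth1 detect tcpflags,dhcp,routefilter
vpn ppp+ detect sfilter=192.168.0.0/24,routeback
"""

# The four kernel messages quoted in the first post (constructed sample input)
LOG_LINES = [
    "Aug 27 20:39:42 gserver kernel: [27639.468208] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=1",
    "Aug 27 20:39:43 gserver kernel: [27640.469536] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=2",
    "Aug 27 20:39:44 gserver kernel: [27641.470040] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=3",
    "Aug 27 20:39:45 gserver kernel: [27642.470050] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp1 MAC= SRC=10.0.0.2 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=6141 SEQ=4",
]


@dataclass
class Interface:
    zone: str
    name: str                       # 'ppp+' is a Shorewall wildcard for ppp0, ppp1, ...
    options: set = field(default_factory=set)

    def matches(self, ifname: str) -> bool:
        if self.name.endswith("+"):
            return ifname.startswith(self.name[:-1])
        return ifname == self.name


def parse_interfaces(text: str) -> list:
    """Parse ZONE INTERFACE [BROADCAST [OPTIONS]] lines; option values (sfilter=...) are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts = parts[3].split(",") if len(parts) > 3 else []
        entries.append(Interface(parts[0], parts[1], {o.split("=", 1)[0] for o in opts if o}))
    return entries


def parse_log(line: str) -> dict:
    """Return chain, disposition and the KEY=VALUE fields of one Shorewall log line ({} if not one)."""
    m = LOG_RE.search(line)
    if not m:
        return {}
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def zone_entry(entries: list, ifname: str):
    """First interfaces entry matching ifname (wildcards included), or None."""
    return next((e for e in entries if e.matches(ifname)), None)


def hairpin_findings(entries: list, log_lines: list) -> list:
    """One finding per FORWARD reject/drop whose IN and OUT interfaces map to the same
    zone through an entry without 'routeback'. With routeback present the finding is
    suppressed, since Shorewall then passes that intra-zone traffic without a policy change."""
    findings = []
    for line in log_lines:
        rec = parse_log(line)
        if rec.get("chain") != "FORWARD" or rec.get("disp") not in ("REJECT", "DROP"):
            continue
        ein, eout = zone_entry(entries, rec.get("IN", "")), zone_entry(entries, rec.get("OUT", ""))
        if ein is None or eout is None or ein.zone != eout.zone or "routeback" in ein.options:
            continue
        findings.append({
            "zone": ein.zone, "interface": ein.name,
            "in": rec["IN"], "out": rec["OUT"], "src": rec.get("SRC"), "dst": rec.get("DST"),
            "advice": f"add 'routeback' to the '{ein.name}' entry for zone '{ein.zone}' (Shorewall FAQ 17)",
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", INTERFACES_BEFORE), ("after", INTERFACES_AFTER)):
        found = hairpin_findings(parse_interfaces(cfg), LOG_LINES)
        print(f"{label}: {len(found)} hairpin reject(s)")
        for f in found:
            print("  ", f["src"], "->", f["dst"], f["in"], "->", f["out"], ":", f["advice"])
```

To use it on a live box, replace LOG_LINES with the Shorewall lines from the kernel log and INTERFACES_BEFORE with the real /etc/shorewall/interfaces. The check deliberately only reports when the two interfaces fall in one zone and that zone's entry lacks routeback; a reject between two different zones is a policy matter, not a routeback one, and is left alone.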
Paul,

Thanks for the tip, I'll look into OpenVPN.
I've selected pptp because it's very easy to configure windows clients without additional software, and using default settings.
It's a home server, connection encryption is not that important. What I need is to have a central point for connecting myself and other people, and be in the same network (we were using Hamachi windows software earlier, but it's more complicated to install compared to windows vpn connection creation + it's paid, if you need to have more than 4 people in one group).
But I could have pptp and openvpn simultaneously, will see how that'll work.

On Mon, Aug 27, 2012 at 11:46 PM, Paul Gear <paul@gear.dyndns.org> wrote:
> On 08/28/2012 04:57 AM, Hennadiy Brych wrote:
>> (disabled html formatting, should be fine now)
>> Hi All,
>>
>> I am using shorewall 4.4.26.1 with pptp server.
>
> BTW, it's not related to your question, but PPTP is now considered
> completely broken as a VPN. You should begin planning a move to OpenVPN
> or IPsec as soon as possible. See
> http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 for more info.
>
> Paul

--
Best Regards,
Hennadiy Brych
On 08/28/2012 07:48 AM, Hennadiy Brych wrote:
> Paul,
>
> Thanks for tip, I'll look into OpenVPN.
> I've selected pptp, because it's very easy to configure windows
> clients without additional software, and using default settings.
> It's home server, connection encryption is not that important. What I
> need, is to have central point for connecting myself and other people,
> and be in same network (we were using Hamachi windows software
> earlier, but it's more complicated to install comparing to windows vpn
> connection creation + it's paid, if you need to have more than 4
> people in one group).
> ...
> On Mon, Aug 27, 2012 at 11:46 PM, Paul Gear <paul@gear.dyndns.org> wrote:
>> ...
>> BTW, it's not related to your question, but PPTP is now considered
>> completely broken as a VPN. You should begin planning a move to OpenVPN
>> or IPsec as soon as possible. See
>> http://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 for more info.

Hi Hennadiy,

Please note that it's not the encryption that is the broken part - it's the authentication process. That may affect your choice about what to do.

Regards,
Paul