OSEC

From: Robert Schwartz (robertmrsquirrel.com)
Date: Mon Jul 01 2002 - 19:22:42 CDT

    > Ok, I've even tried this in my pf.conf file,
    >
    > pass in all
    > pass out all
    >
    > and *still* can't pptp through my 3.0 firewall to my
    > corporate pptp server. From tcpdump it would appear there is
    > still a problem passing gre. Is there something I'm blatantly
    > missing here? Is there a problem with the version of pf
    > included in 3.0?? Thanks...
    >
    > ----- Original Message -----
    > From: "Marco Peereboom" <slashpeereboom.us>
    > To: "meeps" <meepscharter.net>; <miscopenbsd.org>
    > Sent: Monday, July 01, 2002 5:10 PM
    > Subject: Re: allowing gre through 3.0 firewall
    >
    >
    > > Upgrading to 3.1 was well worth the time to get this to work.
    > >

    I think this is sage advice. IIRC prior to 3.1 there were a few issues
    around routing gre. First, with ipforwarding enabled, the router
    rightly thinks Generic Routing Encapsulation packets belong to it.
    Second, pf couldn't statefully filter non-tcp/udp protocols. Now it can.

    Make a custom kernel without GRE support. To do this edit
    /usr/src/sys/conf/GENERIC not /usr/src/sys/arch/i386/conf/GENERIC. This
    should allow gre to be passed for 3.0.

    That being said, you can't statefully filter these packets. You will
    need to have a "pass in proto gre all" / "pass out proto gre all" rule
    in there. 3.1 is much better; rebuild to 3.1-stable. It should only take
    a few hours of playing tetris/solitaire/minesweeper/mumblety-peg, and
    your frustration level will go down as the quality of your system
    binaries goes up.
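
The pf.conf fragment below is an added illustration of the two approaches discussed in the message above; it is not part of the original post and was not written by its author. The interface name, internal network, and PPTP server address are assumptions (the server uses a documentation-range address); substitute your own.

```pf
# Added example, not from the original post. Passes a PPTP session from an
# internal client out through an OpenBSD pf firewall.
ext_if = "fxp0"             # assumption: external interface
int_net = "192.168.1.0/24"  # assumption: internal network
pptp_srv = "203.0.113.10"   # assumption: corporate PPTP server

# Default deny on the outside interface so only the rules below let traffic in.
block in on $ext_if all

# PPTP control channel is plain TCP on port 1723; pf has kept state for TCP
# since before 3.0, so the reply traffic is matched by the state entry.
pass out on $ext_if proto tcp from $int_net to $pptp_srv port 1723 keep state

# Tunnel payload is GRE (IP protocol 47), which has no ports.
#
# OpenBSD 3.0: pf cannot keep state for non-TCP/UDP protocols, so both
# directions must be passed statelessly and the inbound rule is a hole
# restricted only by address:
#   pass in  on $ext_if proto gre from $pptp_srv to $int_net
#   pass out on $ext_if proto gre from $int_net to $pptp_srv
#
# OpenBSD 3.1 and later: "keep state" works for other IP protocols, so the
# outbound rule alone is enough and inbound GRE is accepted only while a
# matching state exists.
pass out on $ext_if proto gre from $int_net to $pptp_srv keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the state entry appears with `pfctl -s state` while the tunnel is up. One caveat if the same box also NATs the internal network: GRE carries no port numbers for pf to rewrite, and pf has no PPTP helper, so only one internal client at a time can reliably hold a PPTP session to the same server through the NAT.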