[pptp-server] strange packets rejected by my firewall

Jeff Shanholtz jsubs at shanholtz.com
Sun Oct 21 15:16:01 CDT 2001


Jerry, you forgot to reply to the list, so I'm bringing this back
on-list.

The client (my work computer) is XP and it only has one nic, but it just
occurred to me when I started this reply that the client runs VMware, so
perhaps one or both of the addresses I mentioned are coming from its
virtual nic(s). My work's subnet is 192.168.100.0, so it must be VMware.
I'll have to check to see what IPs are involved with VMware tomorrow
when I'm at work. I'll post back to the list when I find out...

BTW, to answer your questions, my vpn server isn't assigning a gateway
to the client, so that shouldn't be an issue. And here are the relevant
logs from ipchains (eth0 is my internal card and 192.168.0.245 is the
address assigned to the vpn client). I don't see much relevance to
detailing my firewall rules because my problem isn't in configuring my
firewall (I could easily enable this traffic if necessary), plus there
are just too many rules (it's based on David Ranch's TrinityOS script).

12:18:55 input   REJECT eth0 PROTO=6  172.16.186.1    :4095 192.168.0.245   :139   L=48   S=0x00 I=32345 F=0x4000 T=128 SYN (#57)
12:18:55 input   REJECT eth0 PROTO=6  192.168.227.1   :4096 192.168.0.245   :139   L=48   S=0x00 I=32346 F=0x4000 T=128 SYN (#57)
12:18:57 input   REJECT eth0 PROTO=6  172.16.186.1    :4099 192.168.0.245   :139   L=48   S=0x00 I=32370 F=0x4000 T=128 SYN (#57)
12:18:57 input   REJECT eth0 PROTO=6  192.168.227.1   :4100 192.168.0.245   :139   L=48   S=0x00 I=32371 F=0x4000 T=128 SYN (#57)
12:19:00 input   REJECT eth0 PROTO=6  172.16.186.1    :4103 192.168.0.245   :139   L=48   S=0x00 I=32399 F=0x4000 T=128 SYN (#57)
12:19:00 input   REJECT eth0 PROTO=6  192.168.227.1   :4104 192.168.0.245   :139   L=48   S=0x00 I=32400 F=0x4000 T=128 SYN (#57)


-----Original Message-----
From: Jerry Vonau [mailto:jvonau at home.com] 
Sent: Saturday, October 20, 2001 10:32 AM
To: Jeff Shanholtz
Subject: Re: [pptp-server] strange packets rejected by my firewall


Jeff:

Just to clear up in my head about what you are describing.
How about a snip from the logs, and sample of the rules that are loaded?
What kind of client is it? 98, 2000, linux? Does the client have 2 nics?

(172.16.186.1:4095 or 192.168.227.1:4096) is this the source address?
Maybe the default gateway on the client is changing to the vpn tunnel
and the client has routes set up, forcing that traffic up the tunnel?
Sounds like the client is routing traffic up the tunnel from its home
lan(s?), but that is just a guess without more info.

Jerry Vonau





> Jeff Shanholtz wrote:
> 
> When using my VPN, my firewall regularly logs rejected packets that
> arrive on my internal interface (172.16.186.1:4095 or
> 192.168.227.1:4096) destined for the pptp client (192.168.0.245:139).
> My internal network is using the 192.168.0.0 subnet. Does anyone know
> what this traffic is all about? Specifically, why the odd source
> addresses when I don't have machines on my network that are using
> them?
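
Added example, not part of the original thread: a small Python parser for the ipchains log lines quoted in the post that counts rejected packets arriving on the internal interface with a source address outside the internal network. The /24 mask for 192.168.0.0 and the names parse_line and foreign_sources are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Log lines copied from the post above, with the e-mail line wrapping undone.
LOG = """\
12:18:55 input   REJECT eth0 PROTO=6  172.16.186.1    :4095 192.168.0.245   :139   L=48   S=0x00 I=32345 F=0x4000 T=128 SYN (#57)
12:18:55 input   REJECT eth0 PROTO=6  192.168.227.1   :4096 192.168.0.245   :139   L=48   S=0x00 I=32346 F=0x4000 T=128 SYN (#57)
12:18:57 input   REJECT eth0 PROTO=6  172.16.186.1    :4099 192.168.0.245   :139   L=48   S=0x00 I=32370 F=0x4000 T=128 SYN (#57)
12:18:57 input   REJECT eth0 PROTO=6  192.168.227.1   :4100 192.168.0.245   :139   L=48   S=0x00 I=32371 F=0x4000 T=128 SYN (#57)
12:19:00 input   REJECT eth0 PROTO=6  172.16.186.1    :4103 192.168.0.245   :139   L=48   S=0x00 I=32399 F=0x4000 T=128 SYN (#57)
12:19:00 input   REJECT eth0 PROTO=6  192.168.227.1   :4104 192.168.0.245   :139   L=48   S=0x00 I=32400 F=0x4000 T=128 SYN (#57)
"""

# Assumption: the post names the internal network as 192.168.0.0; /24 is assumed.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
INTERNAL_IF = "eth0"  # the post says eth0 is the internal card

# Columns as they appear in the post: time, chain, action, interface, protocol,
# padded "addr :port" pairs for source and destination, then the rule number.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+)\s*:(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s*:(?P<dport>\d+)\s+"
    r".*?\(#(?P<rule>\d+)\)\s*$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    return rec

def foreign_sources(text, iface=INTERNAL_IF, net=INTERNAL_NET):
    """Count REJECTs on iface whose source is outside net, per (src, dst, dport)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != iface or rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["src"]) not in net:
            hits[(rec["src"], rec["dst"], rec["dport"])] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, dport), n in sorted(foreign_sources(LOG).items()):
        print(f"{n} rejected on {INTERNAL_IF}: {src} -> {dst}:{dport}")
```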



