[pptp-server] strange packets rejected by my firewall

Jerry Vonau jvonau at home.com
Sun Oct 21 19:25:06 CDT 2001


Jeff:


Jeff Shanholtz wrote:
> 
> Jerry, you forgot to reply to the list, so I'm bringing this back
> on-list.
> 
> The client (my work computer) is XP and it only has one nic, but it just
> occurred to me when I started this reply that the client runs VMware, so
> perhaps one or both of the addresses I mentioned are coming from its
> virtual nic(s). My work's subnet is 192.168.100.0, so it must be VMware.
> I'll have to check to see what IPs are involved with VMware tomorrow
> when I'm at work. I'll post back to the list when I find out...

That makes sense to me.


> BTW, to answer your questions, my vpn server isn't assigning a gateway
> to the client, so that shouldn't be an issue.

That does not prevent the "use default gateway on remote" from being
ticked in the advanced properties on the client. That routes all traffic
up the tunnel.

> And here are the relevant
> logs from ipchains (eth0 is my internal card and 192.168.0.245 is the
> address assigned to the vpn client). I don't see much relevance to
> detailing my firewall rules because my problem isn't in configuring my
> firewall (I could easily enable this traffic if necessary), plus there
> are just too many rules (it's based on David Ranch's TrinityOS script).

I like David Ranch's stuff, used a lot of his examples, except that I
group the rules by services required instead of input/output. Makes for
an easier read when you haven't looked at it for a few months. Just my
preference.

The reason I was asking about the firewall script is that the traffic
should be rejected at the ppp interface; the internal nic should not even
see that traffic. If you're doing something like:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s 0/0 -d 0/0 

then all the traffic is allowed to pass. I use:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN

just the LAN traffic is allowed to pass, and the rejects are tied to the
ppp interface involved. Just my thoughts..

Jerry Vonau
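Added illustration (not code from the pptp-server list or from Jerry's firewall): a toy model of the ipchains input chain that runs the two rules from the post against a normal VPN packet and a stray packet sourced from the client's work subnet. It assumes $INTLAN is 192.168.0.0/24 (the VPN client in the thread is 192.168.0.245), a constructed stray source of 192.168.100.7, a catch-all REJECT on ppp+ after the ACCEPT rule, and an input-chain policy of DENY; the first matching rule wins, as in ipchains.

```python
"""Toy ipchains input-chain model: why the $INTLAN-restricted ACCEPT rule
rejects stray traffic at the ppp interface while the 0/0 rule passes it on.

Added illustration, not the list's or the poster's code. Assumptions:
$INTLAN = 192.168.0.0/24, stray source 192.168.100.7 (constructed), a
catch-all REJECT on ppp+ after the ACCEPT, and a DENY chain policy."""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase

INTLAN = "192.168.0.0/24"  # assumed value of $INTLAN in the post


def _net(spec: str) -> ipaddress.IPv4Network:
    """ipchains accepts the shorthand 0/0 for 'any address'."""
    if spec == "0/0":
        spec = "0.0.0.0/0"
    return ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    target: str
    iface: str  # ipchains interface wildcard, e.g. "ppp+"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, iface: str, src: str, dst: str) -> bool:
        # "ppp+" in ipchains means "any interface whose name starts with ppp"
        pattern = self.iface[:-1] + "*" if self.iface.endswith("+") else self.iface
        return (fnmatchcase(iface, pattern)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def ipchains(args: str) -> list:
    """Parse the subset of ipchains syntax used in the post (-A input, -j,
    -i, -s, -d, -b). -b is expanded the way ipchains does it: the rule is
    added a second time with source and destination swapped."""
    opts = {"-j": "DENY", "-i": "+", "-s": "0/0", "-d": "0/0"}
    bidir = False
    toks = args.split()
    i = 0
    while i < len(toks):
        if toks[i] == "-b":
            bidir = True
            i += 1
        elif toks[i] in opts:
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:  # /sbin/ipchains, -A, input: no effect on matching
            i += 1
    fwd = Rule(opts["-j"], opts["-i"], _net(opts["-s"]), _net(opts["-d"]))
    rules = [fwd]
    if bidir:
        rules.append(Rule(fwd.target, fwd.iface, fwd.dst, fwd.src))
    return rules


def verdict(chain: list, iface: str, src: str, dst: str) -> str:
    """First matching rule decides; otherwise the (assumed) DENY policy."""
    for rule in chain:
        if rule.matches(iface, src, dst):
            return rule.target
    return "DENY"


# The permissive rule from the post, followed by an assumed catch-all reject.
PERMISSIVE = (ipchains("/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s 0/0 -d 0/0")
              + ipchains("/sbin/ipchains -A input -j REJECT -i ppp+ -s 0/0 -d 0/0"))

# Jerry's rule: only LAN-to-LAN traffic is accepted on the ppp interfaces.
STRICT = (ipchains(f"/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s {INTLAN} -d {INTLAN}")
          + ipchains("/sbin/ipchains -A input -j REJECT -i ppp+ -s 0/0 -d 0/0"))

# Constructed packets: a normal VPN packet and a stray one sourced from the
# client's work subnet (192.168.100.0/24 in the thread), both arriving on ppp0.
VPN_PACKET = ("ppp0", "192.168.0.245", "192.168.0.10")
STRAY_PACKET = ("ppp0", "192.168.100.7", "192.168.0.10")

if __name__ == "__main__":
    for name, chain in (("permissive", PERMISSIVE), ("strict", STRICT)):
        for pkt in (VPN_PACKET, STRAY_PACKET):
            print(f"{name:10} {pkt[1]} -> {pkt[2]} on {pkt[0]}: {verdict(chain, *pkt)}")
```

With the 0/0 rule the stray packet is ACCEPTed on ppp0 and goes on to the forward/output chains, which is where it would then show up against the eth0 rules; with the $INTLAN rule it is REJECTed on ppp0 and the internal nic never sees it. Note that -b only adds a mirrored copy of the rule, so when source and destination are the same network (as in both rules above) the mirror is identical to the original and adds nothing.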