[pptp-server] strange packets rejected by my firewall

Jeff Shanholtz jsubs at shanholtz.com
Tue Oct 23 00:11:52 CDT 2001


Turns out it's really VMware on a machine in my internal LAN, not on the
vpn client (I forgot VMware was even installed there).

> > BTW, to answer your questions, my vpn server isn't assigning a gateway
> > to the client, so that shouldn't be an issue.
> 
> That does not prevent the "use default gateway on remote" from being
> ticked in the advanced properties on the client. That routes all
> traffic up the tunnel.

Really? If the vpn client *knows* that there is no remote gateway
(because poptop tells it there is no gateway), it surprises me that a
route would be set up for it. At any rate, I do have that option
unchecked on the client.

Thanks for your help, even though it was mostly just a matter of
figuring it out by thinking out loud.

-----Original Message-----
From: pptp-server-admin at lists.schulte.org
[mailto:pptp-server-admin at lists.schulte.org] On Behalf Of Jerry Vonau
Sent: Sunday, October 21, 2001 5:25 PM
To: Jeff Shanholtz
Cc: 'PoPToP List'
Subject: Re: [pptp-server] strange packets rejected by my firewall


Jeff:


Jeff Shanholtz wrote:
> 
> Jerry, you forgot to reply to the list, so I'm bringing this back
> on-list.
> 
> The client (my work computer) is XP and it only has one nic, but it
> just occurred to me when I started this reply that the client runs
> VMware, so perhaps one or both of the addresses I mentioned are coming
> from its virtual nic(s). My work's subnet is 192.168.100.0, so it must
> be VMware. I'll have to check to see what IPs are involved with VMware
> tomorrow when I'm at work. I'll post back to the list when I find out...

That makes sense to me.


> BTW, to answer your questions, my vpn server isn't assigning a gateway
> to the client, so that shouldn't be an issue.

That does not prevent the "use default gateway on remote" from being
ticked in the advanced properties on the client. That routes all traffic
up the tunnel.

> And here are the relevant
> logs from ipchains (eth0 is my internal card and 192.168.0.245 is the
> address assigned to the vpn client). I don't see much relevance to
> detailing my firewall rules because my problem isn't in configuring my
> firewall (I could easily enable this traffic if necessary), plus there
> are just too many rules (it's based on David Ranch's TrinityOS script).

I like David Ranch's stuff, used a lot of his examples, except that I
group the rules by services required instead of input/output. Makes for
an easier read when you haven't looked at it for a few months. Just my
preference.

The reason I was asking about the firewall script is that that traffic
should be rejected at the ppp interface; the internal nic should not
even see that traffic. If you're doing something like:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s 0/0 -d 0/0 

then all the traffic is allowed to pass. I use:

/sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN

just the lan traffic is allowed to pass, and the rejects are tied to the
ppp interface involved. Just my thoughts..

Jerry Vonau
_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
--- To unsubscribe, go to the url just above this line. --
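The two ipchains rules Jerry contrasts above, modelled as an added example so the difference can be exercised on sample packets. This is not code from the thread or from the TrinityOS script: it implements ipchains' first-match semantics and the -b (bidirectional) flag in plain Python, assumes INTLAN is 192.168.0.0/24, that the work subnet behind VMware is 192.168.100.0/24 (both taken from the post), that the script ends in a catch-all reject on ppp+, and uses constructed packet addresses (203.0.113.5 is a documentation address standing in for "the internet").

```python
import ipaddress
from dataclasses import dataclass

# Assumptions (not from the thread): INTLAN is 192.168.0.0/24, poptop hands
# the client 192.168.0.245, and the VMware side of the client machine sits
# on 192.168.100.0/24.
INTLAN = ipaddress.ip_network("192.168.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One ipchains rule: -i IFACE -s SRC -d DST -j TARGET [-b]."""
    iface: str                      # "ppp+" is an ipchains prefix wildcard
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str                     # "ACCEPT" or "REJECT"
    bidir: bool = False             # -b: also match with src and dst swapped


def iface_matches(pattern: str, iface: str) -> bool:
    """ipchains interface match: a trailing '+' matches any interface with that prefix."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def rule_matches(rule: Rule, iface: str, src, dst) -> bool:
    if not iface_matches(rule.iface, iface):
        return False
    if src in rule.src and dst in rule.dst:
        return True
    return rule.bidir and src in rule.dst and dst in rule.src


def evaluate(chain, iface: str, src: str, dst: str, policy: str = "REJECT") -> str:
    """First matching rule wins, as in an ipchains chain; otherwise the chain policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        if rule_matches(rule, iface, s, d):
            return rule.target
    return policy


# /sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s 0/0 -d 0/0
PERMISSIVE = [Rule("ppp+", ANY, ANY, "ACCEPT", bidir=True)]

# /sbin/ipchains -A input -j ACCEPT -i ppp+ -b -s $INTLAN -d $INTLAN
# followed (assumption) by the script's catch-all reject on ppp+, so
# anything else arriving on the tunnel is refused at the ppp interface
# and never reaches the rules that watch eth0.
RESTRICTED = [
    Rule("ppp+", INTLAN, INTLAN, "ACCEPT", bidir=True),
    Rule("ppp+", ANY, ANY, "REJECT"),
]

# Constructed packets as they would arrive on the server's ppp0.
PACKETS = {
    "vpn client to lan host": ("192.168.0.245", "192.168.0.10"),
    "vmware guest leaking up the tunnel": ("192.168.100.7", "192.168.0.10"),
    "vpn client to internet (default gateway on remote)": ("192.168.0.245", "203.0.113.5"),
}


def verdicts(chain) -> dict:
    """Verdict of the input chain for every sample packet arriving on ppp0."""
    return {name: evaluate(chain, "ppp0", s, d) for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(label)
        for name, verdict in verdicts(chain).items():
            print(f"  {verdict:7} {name}")
```

With the permissive rule every sample packet is accepted on ppp0 and only a later rule on eth0 can complain about it, which is the situation Jeff describes; with the $INTLAN rule the VMware and internet-bound packets are rejected on ppp0, so the log entry names the tunnel interface rather than the internal nic.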



