Subject: GRE masquerading?
To: None <port-mac68k@netbsd.org>
From: Doug Larrick <doug@ties.org>
List: port-mac68k
Date: 03/23/2000 08:36:16
Hi, first an introduction. I'm Doug Larrick in Massachusetts, and
I've been running NetBSD as my NAT firewall (cable modem) for about a
month now, on my Quadra 650, overclocked to 44 MHz. Internal
network is connected to builtin sonic ethernet; external is an
Asante NuBus card. Works great!
But now, I'm trying to get PPTP working from a machine behind my
firewall so I can "call" in to work. PPTP uses PPP over GRE (Generic
Routing Encapsulation) to do its dirty work.
According to discussion in the ipfilter mailing list archives
(see http://false.net/ipfilter/1999_12/0088.html ), ipfilter
(ipnat/ipf) is capable of masquerading protocols other than TCP or
UDP, starting with version 3.3.4. Further discussion (search for
PPTP) indicates that this is all that's needed to get PPTP
masquerading working properly. I just upgraded this system to the
just-released NetBSD 1.4.2 (which I understand contains ipfilter 3.3.6)
to give this a try.
The message I cited above claims I can specify protocols other than
tcp and/or udp. I'm trying GRE:
rdr ae0 0/0 port 0 -> 192.168.0.1 port 0 gre
This rule is processed, but the "gre" port seems to be dropped:
inigo:/etc# ipnat -v -f ipnat.conf
rdr ae0 0.0.0.0/0 -> 192.168.0.1
0x0 0 0 0 0x61f4 0
inigo:/etc# ipnat -l
List of active MAP/Redirect filters:
rdr ae0 0.0.0.0/0 -> 192.168.0.1
This is obviously not good: it's exposing all ports of 192.168.0.1
(which is the machine I'd like to use PPTP from) to the outside!
GRE is in my /etc/protocols; I tried the numeric value (47) instead to
the same effect.
Can anyone tell me if this feature of ipfilter is supported under
NetBSD/mac68k? Is ipnat just not reporting the redirect properly? Do
I need to build a new kernel with some option enabled / with newer
ipfilter code?
Thanks for any help,
-Doug
--
Doug Larrick doug@ties.org doug.larrick@compaq.com AIM: DougLarick