Slashdot Mirror


Firewall Help with OpenBSD

smkndrkn asks: "I'm looking to change our firewall config at work from a dual-homed host architecture to an OpenBSD based Screened Subnet Architecture, however I have a PPTP (yes I know it is horrible but our customer isn't changing to IPSec for another couple months) VPN that needs to work. I've looked at www.OpenBSD.org but cannot find much in the way of documentation (other than the FAQ). My current Linux firewall does this fine. I'm looking to have the Exterior router setup with Slackware Linux and the interior router setup with OpenBSD for more security (and a diversity of architectures). I'm a little worried that the PPTP connection will not work (Does it filter GRE?) and that possibly I'll run into other issues. Just for some additional info I need the VPN to go through both routers to get to our internal network (where the machines that use the connection are located). Is there another way of doing this? Say have a machine on the perimeter network connect and then allow the machines to connect to that server, which would then route their traffic over the VPN?"

8 comments

  1. New Text by Anonymous Coward · · Score: 0

    Unfortunately it does not appear to have hit the streets yet (amazon says "october"), but there is a new book that looks like it might be a big help: Building Linux and OpenBSD Firewalls by Wes Sonnenreich, Tom Yates. Perhaps contacting the authors might answer your question?

  2. BSD Firewall How-to by Belatu-Cadros · · Score: 2

    I don't know if you found this page yet, but it's fairly basic and it might get you started...

    http://www.swcp.com/~synk/ipf-howto.txt

  3. Irrelevant by spooky+ghost · · Score: 1

    Strip the ipf-howto.txt from the URL and see what you get, it might make you smile!


    --
    No matter what it looks like, there isn't a .sig here.
  4. Linux PPTP masquerading... by X · · Score: 1

    Linux VPN Masquerade.

    This page has info on how to get PPTP through a Linux NAT box. That's not what you're looking for, but it might provide you with some helpful answers.

    --
    sigs are a waste of space
  6. OpenBSD Firewalling by kj98 · · Score: 1

    It'll work fine. IPF can easily filter by protocol type (in this case, GRE). I've built many OpenBSD machines that operate in this configuration.

    I guess I should start reading the openbsd mailing lists again... damn job gets in the way.

    -kj

  7. Just don't NAT by matts.nu · · Score: 1

    If you can't find BSD software like the PPTP proxy for Linux, then you have to disable NAT for the PPTP traffic through BSD. Configure the BSD machine to route the PPTP packets (both TCP/1723 and GRE) without rewriting them.

    1. Re:Just don't NAT by Anonymous Coward · · Score: 0

      This is silly. You can use the RDR directive in NAT to map the same ports on the firewall box to the internal host that is terminating the tunnel. Look at the examples in /usr/share/ipf/nat.*
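
The rule set that comments 6 and 7 describe (let TCP/1723 and GRE through the OpenBSD interior router, filtered by protocol, without rewriting them), written out as an added example; it is not from the thread or from any of the posters. Everything concrete in it is an assumption: ne1 faces the internal LAN 192.168.1.0/24, ne0 faces the screened subnet, and 203.0.113.10 stands in for the customer's PPTP server. The syntax is IPFilter (ipf), the packet filter OpenBSD shipped when this thread was written.

```ipf
# /etc/ipf.rules -- added example for the interior (OpenBSD) router; not from the thread.
# Assumed layout: ne1 = internal LAN 192.168.1.0/24, ne0 = screened subnet,
# 203.0.113.10 = the customer's PPTP server (placeholder address).

# Default deny in both directions; anything not matched below is logged and dropped.
# Add your own rules for whatever else this router must pass; only PPTP is covered here.
block in log all
block out log all

# PPTP control channel: internal hosts open TCP/1723 to the customer's server.
# Only the SYN has to match; "keep state" passes the rest of that session, in both
# directions, before the rule list is consulted again.
pass in quick on ne1 proto tcp from 192.168.1.0/24 to 203.0.113.10/32 port = 1723 flags S keep state
pass out quick on ne0 proto tcp from 192.168.1.0/24 to 203.0.113.10/32 port = 1723

# PPTP data channel: GRE is IP protocol 47. It has no ports to key state on, so it is
# passed explicitly on each interface in each direction. Pinning both endpoints is what
# keeps this from becoming a standing GRE hole between the two networks.
pass in quick on ne1 proto 47 from 192.168.1.0/24 to 203.0.113.10/32
pass out quick on ne0 proto 47 from 192.168.1.0/24 to 203.0.113.10/32
pass in quick on ne0 proto 47 from 203.0.113.10/32 to 192.168.1.0/24
pass out quick on ne1 proto 47 from 203.0.113.10/32 to 192.168.1.0/24
```

The box must actually route (`net.inet.ip.forwarding=1` in /etc/sysctl.conf). Load the rules with `ipf -Fa -f /etc/ipf.rules`, check what was loaded with `ipfstat -io`, and while a client brings the tunnel up watch `ipfstat -s` for the TCP/1723 state entry and `tcpdump -n -i ne0 ip proto 47` for GRE leaving and returning; a control channel that completes while the tunnel then stalls almost always means GRE is being dropped or rewritten somewhere along the path. This example deliberately does no NAT on the OpenBSD box, which is the "just don't NAT" approach from comment 7; if the interior router must also translate, the `rdr` approach in the reply above maps TCP/1723 in ipnat.rules, but whether a given ipnat version can redirect GRE (a portless protocol) is something to confirm in ipnat(5) and the examples under /usr/share/ipf rather than assume.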