[juneau-lug] Re: OpenVPN continued...

  • From: "Kevin Elliott" <woolsherpahat@xxxxxxxxx>
  • To: juneau-lug@xxxxxxxxxxxxx
  • Date: Tue, 18 Jul 2006 16:49:48 -0800

Thanks for the reply James.

The pf rule resolves to the following three rules actually:

@9 pass quick on lo0 all
@10 pass quick on sis1 all
@11 pass quick on tun0 all

so I'm pretty sure tun0 traffic is being passed.  I actually find that
the fewer and more condensed the rules, the easier time I have
keeping track of them, since I have multiple interfaces that have
similar filtering needs.

All your network-related advice went right over my head.  I'm not too
good with that stuff.  However, I want to add something.  I was doing
some testing today and I could get the tunnel up, but I decided to
leave my ethernet cable on my laptop plugged in, and amazingly enough
traffic was passing through the tunnel, even my ping traffic to the
outside world.

Jul 18 04:37:57.098496 10.8.0.6 > 10.0.8.0: icmp: echo request
(id:01de seq:1) (ttl 64, id 52516, len 84)
Jul 18 04:37:58.095307 10.8.0.6 > 10.0.8.0: icmp: echo request
(id:01de seq:2) (ttl 64, id 52523, len 84)

and

Jul 18 04:38:13.039396 10.8.0.6 > 72.14.207.99: icmp: echo request
(id:01e1 seq:0) (ttl 64, id 52534, len 84)
Jul 18 04:38:13.199098 72.14.207.99 > 10.8.0.6: icmp: echo reply
(id:01e1 seq:0) (ttl 238, id 52534, len 84)


However, upon unplugging my ethernet cable and sending traffic just
over wireless, my pings failed to work.  I'm not quite sure what this
means, since I can initialize the tunnel using wireless only.  My guess
is that my VPN configuration is pushing the gateway for the wired
segment of the network (192.168.100.254); I think more investigation
is necessary.

Thanks for your help.

Kevin Elliott

On 7/18/06, James Zuelow <e5z8652@xxxxxxxxxx> wrote:
> On Monday 17 July 2006 19:26, Kevin Elliott wrote:
>
> Three questions:
>
> 1)
> This line doesn't make sense to me:
>
> Mon Jul 17 19:10:30 2006 /sbin/route add -net 192.168.101.254 192.168.100.254 
> 255.255.255.255
> add net 192.168.101.254: gateway 192.168.100.254
>
> The third octet is funky.
>
> 2)
> And you're using a netmask of 255.255.255.255 - shouldn't the tun interfaces 
> have 255.255.255.252 masks?
>
> 3)
> >
> > #PASS WAN/LAN TRAFFIC
> >
> > pass quick on { lo0 $lan_if $vpn_if }
>
>
> I haven't played with pf in a while.
>
> Shouldn't this be pass in or pass out, not just pass?
>
> This is the only reference to the vpn tunnel in the pf.conf.
>
> Would it be too terribly inefficient to break it into three lines, just for 
> clarity?
>
> (I find breaking firewall rulesets out into atomic units (or as atomic as I 
> can get them) makes the firewall easier for me to understand.)
>
>
> Cheers,
>
> James
>
------------------------------------
The Juneau Linux Users Group -- http://www.juneau-lug.org
This is the Juneau-LUG mailing list.
To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with the 
word unsubscribe in the subject header.
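A small worked example, added here and not part of the thread, that checks the two routing points James raises against the addresses Kevin quoted: whether 10.8.0.6 sits in a /30 net30 block (so a 255.255.255.252 tun mask is expected), and whether the pushed 255.255.255.255 route is a host route whose gateway is only reachable over the wired link. The interface names and the two LAN subnets are assumptions; only 192.168.100.254 and the route line come from the thread.

```python
"""Added worked example (not from the thread): checks the two routing
points raised in James's reply against the addresses Kevin quoted.
Interface names and the two LAN subnets below are assumptions."""
import ipaddress


def net30_block(tun_addr):
    """OpenVPN's default net30 topology gives each tun link a /30, so a
    255.255.255.252 mask is expected. Return (block, local, peer)."""
    net = ipaddress.ip_network(f"{tun_addr}/30", strict=False)
    hosts = list(net.hosts())            # exactly two usable addresses
    local = ipaddress.ip_address(tun_addr)
    peer = hosts[0] if hosts[1] == local else hosts[1]
    return str(net), str(local), str(peer)


def describe_route(dest, gateway, mask, links):
    """Classify a BSD-style 'route add -net DEST GATEWAY MASK' line.
    links maps an interface name to its on-link CIDR. Returns
    (prefix length, 'host' or 'network', interface the gateway sits on,
    or None when no link can reach the gateway and the route is dead)."""
    prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    kind = "host" if prefix.prefixlen == 32 else "network"
    gw = ipaddress.ip_address(gateway)
    via = next((name for name, cidr in links.items()
                if gw in ipaddress.ip_network(cidr)), None)
    return prefix.prefixlen, kind, via


# Constructed link table (assumption): the wired segment is taken to be
# 192.168.100.0/24 because its gateway is quoted in the thread; the
# wireless subnet is a placeholder.
LINKS = {"wired": "192.168.100.0/24", "wireless": "192.168.1.0/24"}

if __name__ == "__main__":
    print(net30_block("10.8.0.6"))
    # The pushed route from the thread, with and without the wired link.
    print(describe_route("192.168.101.254", "192.168.100.254",
                         "255.255.255.255", LINKS))
    wireless_only = {k: v for k, v in LINKS.items() if k != "wired"}
    print(describe_route("192.168.101.254", "192.168.100.254",
                         "255.255.255.255", wireless_only))
```

With the wired link present the /32 host route is reachable via the wired gateway; with only the wireless link the same route has no on-link gateway, which matches the symptom of pings working only while the cable is plugged in.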
