From: Philip Craig <philipc@snapgear.com>
To: Ilguiz Latypov <ilguiz@nit.ca>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: PPTP connection tracking
Date: Tue, 03 Dec 2002 13:29:50 +1000
Message-ID: <3DEC252E.7010707@snapgear.com>
In-Reply-To: Pine.LNX.4.44.0212022036040.16274-100000@localhost.localdomain

Ilguiz Latypov wrote:
> The first attempt to connect to a remote PPTP server (PoPToP) produced an
> error on the server side.  I suspect this could be related to the fact
> that I installed the same PPTP kernel modules on the server side.  I
> understand that those modules are superfluous on the server (PAC) side.

While you don't need the PPTP connection tracking on the
server side, it shouldn't cause the connection to fail.
I've been testing with various combinations of connection
tracking on server/client/firewall.

> The error message is produced by the run time error in encaps_gre() where
> the write() function is called to send a GRE packet.  I wonder if that
> issue is related to the one you mentioned in the bottom of your message.
> 
> It appears to me that I was able to establish 2 parallel connections from
> Windows workstations later and observe correct reply rewriting on the
> client firewall.  So the run time error might not be always reproduced.
> 
> =============================================================================
> pppd: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap 81> <magic 0x3f3847ac> <pcomp> <accomp>]
> pptpd: GRE: xmit failed from decaps_hdlc: Operation not permitted
> pptpd: CTRL: PTY read or GRE write failed (pty,gre)=(16,17)
> =============================================================================

You get an operation not permitted error if you have a filter
rule on the server that drops the GRE packet in the OUTPUT
chain.

I think I'm close to solving the problems with my patch, so
I'll post a new version shortly.

Regards,
Phil

-- 
Philip Craig     Software Engineer     http://www.SnapGear.com
philipc@snapgear.com  Ph: +61 7 3435 2821  Fx: +61 7 3891 3630
SnapGear  -  Custom Embedded Solutions and Security Appliances
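
Added example, not part of the original message: a check for the cause named in the reply above, a filter rule (or chain policy) that drops GRE, IP protocol 47, in the OUTPUT chain. It reads `iptables-save` text; the sample ruleset is constructed and the function names are hypothetical.

```python
import shlex

# Constructed iptables-save output: PPTP control channel allowed, GRE forgotten.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
COMMIT
"""

def _opt(args, flag):
    """Return (value, negated) for an option, or (None, False) if absent."""
    if flag not in args:
        return None, False
    i = args.index(flag)
    return args[i + 1], i > 0 and args[i - 1] == "!"

def gre_output_findings(ruleset):
    """List (kind, rule) entries in filter/OUTPUT that drop or may drop GRE.

    Simplified first-match walk: only -p and -j are interpreted. A rule with
    any other match is conditional, so verdicts after it are only "may-drop".
    User-defined chains are not followed.
    """
    table, policy, certain, findings = None, "ACCEPT", True, []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":OUTPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A OUTPUT "):
            args = shlex.split(line)[2:]
            proto, negated = _opt(args, "-p")
            target, _ = _opt(args, "-j")
            covers = proto in (None, "all") or (proto in ("gre", "47")) != negated
            if not covers or target not in ("ACCEPT", "DROP", "REJECT"):
                continue
            extra = [a for a in args[:args.index("-j")] if a not in ("!", "-p", proto)]
            if target != "ACCEPT":
                findings.append(("drops" if certain and not extra else "may-drop", line))
            if not extra:
                return findings  # unconditional verdict ends the walk
            certain = False
    if policy != "ACCEPT":
        findings.append(("drops" if certain else "may-drop", "OUTPUT policy " + policy))
    return findings

if __name__ == "__main__":
    print(gre_output_findings(SAMPLE))
```

On a live server the input would be the text printed by `iptables-save`; an empty result means nothing in filter/OUTPUT was found that drops GRE under the simplifications listed in the docstring.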
