WCM - Das österreichische Computer Magazin, forum: Linux, UNIX, Open Source
07.10.2004, 20:41   #1   robi1a

pptpd and SuSEfirewall2
Hello,
I have a machine running SUSE 9.0 as a firewall.
The firewall separates the internal network (192.168.1.0/24) from the Internet.
For the iptables rules I simply used the SuSEfirewall2 script (because it is so easy).
On the firewall I set up pptpd because I want to build a VPN tunnel into the internal network over the Internet. The tunnelled network is 192.168.9.0/24. My problem is that I can establish a tunnel, but all traffic internal network <-> tunnel is blocked by the firewall. See the end of the log, e.g. Samba (port 137), ping, FTP (port 21).
I then went through /etc/sysconfig/SuSEfirewall2 and tried a number of things, but I just can't get it to work. Does anyone have experience with this and can help me out?
I have included the log of the entire tunnel setup and /etc/sysconfig/SuSEfirewall2.
07.10.2004, 20:44   #2   robi1a

Log 1/2 (all OK):

Oct 7 19:30:08 grisu pptpd[13684]: MGR: Launching /usr/sbin/pptpctrl to handle client
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: local address = 192.168.9.100
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: remote address = 192.168.9.200
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: pppd speed = 1150
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: pppd options file = /etc/ppp/options.pptpd
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Client 84.113.129.173 control connection started
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Received PPTP Control Message (type: 1)
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Made a START CTRL CONN RPLY packet
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: I wrote 156 bytes to the client.
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Sent packet to client
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Received PPTP Control Message (type: 7)
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: 0 min_bps, 1525 max_bps, 32 window size
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Made a OUT CALL RPLY packet
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Starting call (launching pppd, opening GRE)
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: pty_fd = 5
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: tty_fd = 6
Oct 7 19:30:08 grisu pptpd[13685]: CTRL (PPPD Launcher): Connection speed = 1150
Oct 7 19:30:08 grisu pptpd[13685]: CTRL (PPPD Launcher): local address = 192.168.9.100
Oct 7 19:30:08 grisu pptpd[13685]: CTRL (PPPD Launcher): remote address = 192.168.9.200
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: I wrote 32 bytes to the client.
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Sent packet to client
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Received PPTP Control Message (type: 15)
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Got a SET LINK INFO packet with standard ACCMs
Oct 7 19:30:08 grisu pppd[13685]: pppd 2.4.1 started by root, uid 0
Oct 7 19:30:08 grisu pppd[13685]: speed 1150 not supported
Oct 7 19:30:08 grisu pppd[13685]: using channel 9
Oct 7 19:30:08 grisu pppd[13685]: Using interface ppp0
Oct 7 19:30:08 grisu pppd[13685]: Connect: ppp0 <--> /dev/pts/1
Oct 7 19:30:08 grisu pppd[13685]: sent [LCP ConfReq id=0x1 <mru 1490> <asyncmap 0x0> <auth chap 81> <magic 0x7aaa2dc3> <pcomp> <accomp>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x18fa79c9> <pcomp> <accomp> <callback CBCP>]
Oct 7 19:30:08 grisu pppd[13685]: sent [LCP ConfAck id=0x0 <mru 1400> <magic 0x18fa79c9> <pcomp> <accomp> <callback CBCP>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [LCP ConfAck id=0x1 <mru 1490> <asyncmap 0x0> <auth chap 81> <magic 0x7aaa2dc3> <pcomp> <accomp>]
Oct 7 19:30:08 grisu pppd[13685]: sent [LCP EchoReq id=0x0 magic=0x7aaa2dc3]
Oct 7 19:30:08 grisu pppd[13685]: cbcp_lowerup
Oct 7 19:30:08 grisu pppd[13685]: want: 2
Oct 7 19:30:08 grisu pppd[13685]: sent [CHAP Challenge id=0x1 <444ef8ae6eb91528619387c570e63e50>, name = "grisu"]
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Received PPTP Control Message (type: 15)
Oct 7 19:30:08 grisu pptpd[13684]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Oct 7 19:30:08 grisu pppd[13685]: rcvd [LCP code=0xc id=0x1 18 fa 79 c9 4d 53 52 41 53 56 35 2e 31 30]
Oct 7 19:30:08 grisu pppd[13685]: sent [LCP CodeRej id=0x2 0c 01 00 12 18 fa 79 c9 4d 53 52 41 53 56 35 2e 31 30]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [LCP code=0xc id=0x2 18 fa 79 c9 4d 53 52 41 53 2d 30 2d 50 43 5f 52 4f 42 49]
Oct 7 19:30:08 grisu pppd[13685]: sent [LCP CodeRej id=0x3 0c 02 00 17 18 fa 79 c9 4d 53 52 41 53 2d 30 2d 50 43 5f 52 4f 42 49]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [LCP EchoRep id=0x0 magic=0x18fa79c9]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [CHAP Response id=0x1 <2576f95df413edbe256b4ecc8e4a40fd00000000000000006eb9877853ffeec1704bceda4cb3fc93f7d60a849447a85d00>, name = "robi"]
Oct 7 19:30:08 grisu pppd[13685]: sent [CHAP Success id=0x1 "S=8C3D1EB4BDD2785999DF62739E5E0D8EA4D78DF0"]
Oct 7 19:30:08 grisu pppd[13685]: cbcp_open
Oct 7 19:30:08 grisu pppd[13685]: cbcp_req CONF_NO
Oct 7 19:30:08 grisu pppd[13685]: sent [CBCP Request id=0x1 < NoCallback>]
Oct 7 19:30:08 grisu pppd[13685]: MSCHAP-v2 peer authentication succeeded for robi
Oct 7 19:30:08 grisu pppd[13685]: rcvd [CBCP Response id=0x1 < NoCallback>]
Oct 7 19:30:08 grisu pppd[13685]: CBCP_RESP received
Oct 7 19:30:08 grisu pppd[13685]: length: 2
Oct 7 19:30:08 grisu pppd[13685]: Callback: none
Oct 7 19:30:08 grisu pppd[13685]: cbcp_ack cb_type=2
Oct 7 19:30:08 grisu pppd[13685]: cbcp_ack CONF_NO
07.10.2004, 20:45   #3   robi1a

Log 2/2 (FW blocks):

Oct 7 19:30:08 grisu pppd[13685]: rcvd [IPCP ConfReq id=0x4 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 7 19:30:08 grisu pppd[13685]: sent [IPCP ConfRej id=0x4 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Oct 7 19:30:08 grisu pppd[13685]: sent [IPCP ConfReq id=0x2 <addr 192.168.9.100>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Oct 7 19:30:08 grisu pppd[13685]: sent [CCP ConfReq id=0x2 <mppe 1 0 0 40>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [CCP ConfReq id=0x5 <mppe 1 0 0 40>]
Oct 7 19:30:08 grisu pppd[13685]: sent [CCP ConfAck id=0x5 <mppe 1 0 0 40>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Oct 7 19:30:08 grisu pppd[13685]: sent [IPCP ConfNak id=0x6 <addr 192.168.9.200> <ms-dns1 217.76.160.6> <ms-dns3 217.76.160.6>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [IPCP ConfAck id=0x2 <addr 192.168.9.100>]
Oct 7 19:30:08 grisu pppd[13685]: rcvd [CCP ConfAck id=0x2 <mppe 1 0 0 40>]
Oct 7 19:30:08 grisu pppd[13685]: MPPE 128 bit, stateless compression enabled
Oct 7 19:30:08 grisu pppd[13685]: rcvd [IPCP ConfReq id=0x7 <addr 192.168.9.200> <ms-dns1 217.76.160.6> <ms-dns3 217.76.160.6>]
Oct 7 19:30:08 grisu pppd[13685]: sent [IPCP ConfAck id=0x7 <addr 192.168.9.200> <ms-dns1 217.76.160.6> <ms-dns3 217.76.160.6>]
Oct 7 19:30:08 grisu pppd[13685]: local IP address 192.168.9.100
Oct 7 19:30:08 grisu pppd[13685]: remote IP address 192.168.9.200
Oct 7 19:30:08 grisu pppd[13685]: Script /etc/ppp/ip-up started (pid 13694)
Oct 7 19:30:08 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28523 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:09 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=28525 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 7 19:30:09 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28573 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:10 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28626 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:11 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28653 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:11 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28707 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:12 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28752 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:13 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28802 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:14 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=00:02:44:4e:33:7f:00:b0:64:8c:cb:54:08:00 SRC=84.113.129.173 DST=217.76.164.189 LEN=133 TOS=0x00 PREC=0x00 TTL=116 ID=28886 PROTO=47
Oct 7 19:30:14 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=00:02:44:4e:33:7f:00:b0:64:8c:cb:54:08:00 SRC=84.113.129.173 DST=217.76.164.189 LEN=133 TOS=0x00 PREC=0x00 TTL=116 ID=28888 PROTO=47
Oct 7 19:30:15 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=00:02:44:4e:33:7f:00:b0:64:8c:cb:54:08:00 SRC=84.113.129.173 DST=217.76.164.189 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=28931 DF PROTO=TCP SPT=1726 DPT=22 WINDOW=17520 RES=0x00 ACK URGP=0
Oct 7 19:30:15 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=00:02:44:4e:33:7f:00:b0:64:8c:cb:54:08:00 SRC=84.113.129.173 DST=217.76.164.189 LEN=133 TOS=0x00 PREC=0x00 TTL=116 ID=28933 PROTO=47
Oct 7 19:30:15 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=00:02:44:4e:33:7f:00:b0:64:8c:cb:54:08:00 SRC=84.113.129.173 DST=217.76.164.189 LEN=133 TOS=0x00 PREC=0x00 TTL=116 ID=28947 PROTO=47
Oct 7 19:30:16 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=00:02:44:4e:33:7f:00:b0:64:8c:cb:54:08:00 SRC=84.113.129.173 DST=217.76.164.189 LEN=133 TOS=0x00 PREC=0x00 TTL=116 ID=28985 PROTO=47
Oct 7 19:30:16 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=eth0 OUT= MAC=00:02:44:4e:33:7f:00:b0:64:8c:cb:54:08:00 SRC=84.113.129.173 DST=217.76.164.189 LEN=133 TOS=0x00 PREC=0x00 TTL=116 ID=28987 PROTO=47
Oct 7 19:30:17 grisu pptpd[13684]: Buffering out-of-order packet; got 32 after 23
Oct 7 19:30:17 grisu pptpd[13684]: Packet reorder timeout waiting for 24
Oct 7 19:30:17 grisu pptpd[13684]: Buffering out-of-order packet; got 33 after 31
Oct 7 19:30:21 grisu SuSEfirewall2: Firewall rules successfully set from /etc/sysconfig/SuSEfirewall2
Oct 7 19:30:21 grisu pppd[13685]: Script /etc/ppp/ip-up finished (pid 13694), status = 0x0
Oct 7 19:30:23 grisu kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT=eth1 SRC=192.168.9.200 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29408 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=256
Oct 7 19:30:29 grisu kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT=eth1 SRC=192.168.9.200 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29712 DF PROTO=TCP SPT=1734 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055001010402)
Oct 7 19:30:32 grisu kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT=eth1 SRC=192.168.9.200 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29871 DF PROTO=TCP SPT=1734 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055001010402)
07.10.2004, 20:45   #4   robi1a

/etc/sysconfig/SuSEfirewall2

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 ppp0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="1723 ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP="47"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh 3128 25"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="47"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP="47"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.9.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
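An added example (not from the thread or from SuSEfirewall2) that parses the SuSE-FW kernel log lines quoted in posts #3 and tallies the logged packets per prefix, interface pair, protocol and destination port; the sample lines are the thread's own, re-joined, and the prefix pattern follows the FW_LOG setting in post #4. It makes the distinction visible that matters for the question: the DROP-DEFAULT entries carry both IN=ppp0 and OUT=eth1, so they were dropped while being forwarded from the tunnel into the LAN, whereas the ILLEGAL-TARGET entries have no OUT interface and never reached the FORWARD chain.

```python
import re
from collections import Counter

# Sample lines taken from the thread's log (wrapped lines re-joined), plus the
# SuSEfirewall2 reload message, which carries no packet fields and is skipped.
SAMPLE_LOG = """\
Oct 7 19:30:08 grisu kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.168.9.200 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28523 PROTO=UDP SPT=137 DPT=137 LEN=76
Oct 7 19:30:21 grisu SuSEfirewall2: Firewall rules successfully set from /etc/sysconfig/SuSEfirewall2
Oct 7 19:30:23 grisu kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT=eth1 SRC=192.168.9.200 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=29408 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=256
Oct 7 19:30:29 grisu kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT=eth1 SRC=192.168.9.200 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29712 DF PROTO=TCP SPT=1734 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204055001010402)
"""

# The SuSE-FW-<reason> prefix is what FW_LOG="... --log-prefix SuSE-FW" produces.
LINE_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z-]+) (?P<fields>.*)$")

def parse_line(line):
    """Split one netfilter log line into a dict of its KEY=value fields.
    Bare flags (DF, SYN, ACK) become True. Keys that occur twice (LEN for IP and
    UDP, ID for IP and ICMP) keep the first, i.e. the IP header's, value.
    Returns None for lines that are not SuSE-FW kernel entries."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)
        else:
            rec[tok] = True
    return rec

def is_forward_drop(rec):
    """IN and OUT both set: the packet was being routed between two interfaces,
    so it was dropped in the FORWARD chain rather than at INPUT."""
    return bool(rec.get("IN")) and bool(rec.get("OUT"))

def summarise(text):
    """Count logged packets by (prefix, IN, OUT, PROTO, DPT); DPT is '-' for ICMP."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["prefix"], rec.get("IN", ""), rec.get("OUT", ""),
               rec.get("PROTO", ""), rec.get("DPT", "-"))
        counts[key] += 1
    return counts
```

Feed the contents of /var/log/messages to summarise() to get the same tally for a real run; any key whose IN and OUT are both non-empty is forwarded traffic the ruleset refused.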