Separate input and output packet filters can be configured on the Internet interface and the perimeter network interface.
Filters on the Internet interface
Configure the following input packet filters on the Internet interface of the firewall to allow these types of traffic:
- Destination IP address of the VPN server's perimeter network interface and TCP destination port of 1723 (0x6BB). This filter allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
- Destination IP address of the VPN server's perimeter network interface and IP Protocol ID of 47 (0x2F). This filter allows PPTP tunneled data from the PPTP client to the PPTP server.
- Destination IP address of the VPN server's perimeter network interface and TCP source port of 1723 (0x6BB). This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. This filter should be used only in conjunction with the PPTP packet filters described in the VPN server in front of the firewall section and configured on the VPN server's perimeter network interface. Because this filter allows all traffic to the VPN server from TCP port 1723, regardless of destination port, it creates the possibility of network attacks from sources on the Internet that use this port.
Configure the following output filters on the Internet interface of the firewall to allow these types of traffic:
- Source IP address of the VPN server's perimeter network interface and TCP source port of 1723 (0x6BB). This filter allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.
- Source IP address of the VPN server's perimeter network interface and IP Protocol ID of 47 (0x2F). This filter allows PPTP tunneled data from the VPN server to the VPN client.
- Source IP address of the VPN server's perimeter network interface and TCP destination port of 1723 (0x6BB). This filter is required only when the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. This filter should be used only in conjunction with the PPTP packet filters described in the VPN server in front of the firewall section and configured on the VPN server's perimeter network interface. Because this filter allows all traffic from the VPN server to TCP port 1723, regardless of source port, it creates the possibility of network attacks from sources on the Internet using this port.
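The two filter sets above, modelled as an added example in Python (not code from the original page): the perimeter address 192.0.2.10, the rule names and the helper functions are my own constructed assumptions. It lets you check which sample packets each set admits, including the caveat that the optional source-port-1723 rule for a calling router admits traffic to any destination port.

```python
from dataclasses import dataclass, fields
from typing import Optional

# Constructed address for the VPN server's perimeter network interface (TEST-NET-1 range).
VPN_PERIMETER_IP = "192.0.2.10"
TCP, GRE = 6, 47      # IP protocol IDs; GRE (0x2F) carries the PPTP tunneled data
PPTP_PORT = 1723      # 0x6BB, the PPTP tunnel maintenance (control) connection

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    sport: Optional[int] = None   # TCP only; GRE packets carry no ports
    dport: Optional[int] = None

@dataclass(frozen=True)
class Filter:
    """An allow rule: a field left as None matches any value in the packet."""
    name: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every constrained field of the filter must equal the packet's field.
        return all(getattr(self, f.name) in (None, getattr(p, f.name)) for f in fields(Packet))

def internet_input_filters(calling_router: bool = False) -> list:
    """Input filters on the firewall's Internet interface (PPTP client -> VPN server)."""
    rules = [Filter("pptp-control-in", dst_ip=VPN_PERIMETER_IP, proto=TCP, dport=PPTP_PORT),
             Filter("pptp-gre-in", dst_ip=VPN_PERIMETER_IP, proto=GRE)]
    if calling_router:   # only when the VPN server also dials out as a calling router
        rules.append(Filter("pptp-control-in-calling", dst_ip=VPN_PERIMETER_IP, proto=TCP, sport=PPTP_PORT))
    return rules

def internet_output_filters(calling_router: bool = False) -> list:
    """Output filters on the firewall's Internet interface (VPN server -> PPTP client)."""
    rules = [Filter("pptp-control-out", src_ip=VPN_PERIMETER_IP, proto=TCP, sport=PPTP_PORT),
             Filter("pptp-gre-out", src_ip=VPN_PERIMETER_IP, proto=GRE)]
    if calling_router:
        rules.append(Filter("pptp-control-out-calling", src_ip=VPN_PERIMETER_IP, proto=TCP, dport=PPTP_PORT))
    return rules

def decide(p: Packet, rules: list) -> Optional[str]:
    """Name of the first allow filter that matches, or None: the firewall drops what no filter allows."""
    return next((r.name for r in rules if r.matches(p)), None)
```

Comparing `decide(..., internet_input_filters())` with `decide(..., internet_input_filters(calling_router=True))` on a packet whose source port is 1723 but whose destination port is anything else shows exactly the extra exposure the text describes.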