One of my networks is protected by CSF running on the router, and I noticed that I’m not able to connect from this network to a remote PPTP server (in this case Poptop), while connecting to the same PPTP server from other networks works without problems.
[me]---[router with CSF]---[Internet]---[Poptop server]
Of course the solution was not the famous IPTABLES -p 47 -j ACCEPT one, because I’m not running a PPTP server here; I just want my requests to be properly NATted to a remote PPTP server. The firewall protecting the remote PPTP server is OK, because clients from other networks are able to connect without problems.
The following lines, added to /etc/csf/csfpost.sh, solved my problems:
modprobe ip_nat_pptp
modprobe ip_conntrack_pptp
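To confirm after a reboot or a CSF restart that both helpers are really loaded, a check like the following can be used. It is an added example, not part of the original post or of CSF: the function names are hypothetical, the sample input is constructed, and each helper is accepted under the ip_* name used above or under the nf_* name that later kernels give the same module.

```shell
#!/bin/sh
# Added example: report which PPTP NAT helpers are absent from a module list.
# Input on stdin is text in /proc/modules format (module name = first field).
# Caveat: helpers compiled into the kernel never appear in /proc/modules,
# so on such kernels they are reported as missing.

missing_pptp_helpers() {
    awk '
        $1 == "ip_nat_pptp"       || $1 == "nf_nat_pptp"       { nat = 1 }
        $1 == "ip_conntrack_pptp" || $1 == "nf_conntrack_pptp" { ct = 1 }
        END {
            out = ""
            if (!nat) out = "ip_nat_pptp"
            if (!ct)  out = out (out ? " " : "") "ip_conntrack_pptp"
            print out
        }'
}

# For use in csfpost.sh (needs root): load whatever is missing, then re-check.
# Returns non-zero if a helper is still not listed afterwards.
ensure_pptp_helpers() {
    for m in $(missing_pptp_helpers < /proc/modules); do
        modprobe "$m" || echo "csfpost: could not load $m" >&2
    done
    [ -z "$(missing_pptp_helpers < /proc/modules)" ]
}

# Constructed sample: the connection tracker is loaded, the NAT helper is not.
SAMPLE='nf_conntrack_pptp 16384 0 - Live 0x0000000000000000
nf_conntrack 139264 1 nf_conntrack_pptp, Live 0x0000000000000000'

printf '%s\n' "$SAMPLE" | missing_pptp_helpers
```

An empty line of output means both helpers are present in the list that was checked.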
Security
Treat PPTP as unencrypted and use it wisely. Read more here:
- Microsoft Security Advisory (2743314) – Unencapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure
- A death blow for PPTP – Moxie Marlinspike’s CloudCracker promises it can crack any PPTP connection – within a day, for $200. We tried it out with a real session.
- Der Todesstoß für PPTP (German-language version of the article above) – Moxie Marlinspike’s Cloudcracker project promises to crack any PPTP account, for 200 US dollars and within a day. We tried it out with a real account.
- Divide and Conquer – Cracking MS-CHAPv2 with a 100% success rate