recompile? or edit /etc/ipf.conf ? help!

Status
Not open for further replies.

linuxtricks

May 24, 2000
Does anyone know of any good documentation on 're-compiling the OpenBSD kernel' - especially so that it supports passing 'gre' packets through ipf?

I have an OpenBSD 2.8 machine as my Firewall but I am having difficulty getting my Win 2k machine to VPN past my Firewall. The logs indicate that I am blocking 'gre' packets.

**Note**
When I change my /etc/ipf.conf rules to:
pass in quick proto tcp from any to any
pass out quick on tcp from any to any

... I can VPN with no problem!

Does this mean that my kernel already supports 'gre', and I just need to redo my /etc/ipf.conf file? If so, what rule can I add to ipf.conf to make this work?

I've been struggling with this for months! =(
Any help is greatly appreciated!
Thanks!

I HATE BEING A NEWBIE!
-grumpy smurf
 
Do you know what ports this VPN uses? It sounds like your rulebase just needs tweaked.
 
pillar:

From all of the reading/looking up I have done, it seems that I should be passing port 1723. But, taking this page as an example of a similar issue:

...others have made it clear that I need to add:
rdr mx0 123.234.223.234 port 0 -> 192.168.123.1 port 0 gre
rdr mx0 123.234.223.234 port 1723 -> 192.168.123.1 port 1723 tcp

...into ipnat... (which I have done) but no one makes any reference to what I need to 'allow' in ipf!

Any ideas?

I HATE BEING A NEWBIE!
-grumpy smurf
 
instead of proto tcp in the allow lines, does it let you use gre?
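
An added example, not part of the thread: PPTP uses TCP port 1723 for control and GRE (IP protocol 47, which has no ports) for data, so a filter that only passes TCP drops the tunnel itself. This sketch evaluates a small subset of ipf rule syntax with ipf's last-match-wins and `quick` semantics. The rulesets are constructed; the regex grammar, the `verdict` helper, ignoring the `on` interface, and a default policy of pass are all assumptions of the example.

```python
import re

# Subset of ipf syntax handled here (an assumption of this example):
#   pass|block in|out [quick] [on IF] [proto P] from any to any [port = N]
RULE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<ifc>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+any\s+to\s+any(?:\s+port\s*=\s*(?P<port>\d+))?\s*$")

def parse(ruleset):
    rules = []
    for line in ruleset.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError("unsupported rule: " + line)
        rules.append(m.groupdict())
    return rules

def verdict(ruleset, direction, proto, dport=None, default="pass"):
    """Last matching rule wins; a matching 'quick' rule stops evaluation."""
    result = default  # assumption: no rule matched means the packet passes
    for r in parse(ruleset):
        if r["dir"] != direction:
            continue
        if r["proto"] and r["proto"] != proto:
            continue  # a 'proto tcp' rule never matches a GRE packet
        if r["port"] and (dport is None or int(r["port"]) != dport):
            continue  # GRE carries no port, so port rules cannot match it
        result = r["action"]
        if r["quick"]:
            break
    return result

# Constructed rulesets. OPEN has no block rule at all, so GRE passes by default.
OPEN = """pass in quick proto tcp from any to any
pass out quick proto tcp from any to any"""
# STRICT blocks by default and opens only the PPTP control channel.
STRICT = """block in from any to any
block out from any to any
pass in quick proto tcp from any to any port = 1723
pass out quick proto tcp from any to any"""
# FIXED adds explicit GRE rules for the tunnel data.
FIXED = STRICT + """
pass in quick proto gre from any to any
pass out quick proto gre from any to any"""
```

With a block-by-default ruleset, the GRE verdict only changes to pass once a `proto gre` rule is present; a ruleset with no block rules passes GRE without ever mentioning it.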
 