Hi,
I think I've found a bug in static route filtering, bypassing firewall
rules for traffic on the same interface. The generated rules are:
@3 pass out quick on lnc0 from 172.31.252.0/22 to 172.16.0.0/16
@4 pass out quick on lnc0 from 172.16.0.0/16 to 172.31.252.0/22
[..]
@6 pass out quick on lnc0 from any to any keep state
[..]
@6 skip 2 in on lnc0 from any to 172.31.252.30/32
@7 pass in quick on lnc0 from 172.31.252.0/22 to 172.16.0.0/16
@8 pass in quick on lnc0 from 172.16.0.0/16 to 172.31.252.0/22
172.31.252.0/22 is the net m0n0 is in; 172.16.0.0/16 is an internal net
behind an internal router at 172.31.252.1.
I can reach any internal machine, but the reply packets are blocked by
m0n0 because of the incoming skip rule (see @6 skip 2 in on lnc0 ..).
Version 1.22
Platform generic-pc-cdrom
Maybe it's fixed in 1.23b, so far I haven't looked at it.
BR, PIT
---------------------------------------------------------------------------
copyleft(c) by | _-_ "sic transit discus mundi" (From the System
Peter Allgeyer | 0(o_o)0 Administrator's Guide, by Lars Wirzenius)
---------------oOO--(_)--OOo----------------------------------------------- |
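Added example, not part of the original post or of m0n0wall: a small Python model of how ipfilter walks the rule lists quoted above, enough to reproduce the effect described in the report. It models only the parts that matter here: "in" and "out" rules are separate lists (which is why "@6" appears in both), a matching "quick" rule decides immediately, a matching "skip N" rule jumps over the next N rules, and a packet that matches nothing falls through to the default policy (assumed to be block, as it is not stated in the post). The "[..]" gaps in the listing are left out, and the sample addresses 172.16.0.5 and 172.31.252.50 are constructed; 172.31.252.30 is the address from the skip rule.

```python
# Added example (not from the original post): a minimal model of how
# ipfilter walks a rule list, used to trace the rules quoted in the
# report. Modelled semantics: rules are evaluated in order within the
# "in" or "out" list, a matching "quick" rule ends evaluation, a matching
# "skip N" rule jumps over the next N rules, and with no match the
# default policy (assumed here to be block) applies.
import ipaddress

# Rules as listed in the report ("[..]" gaps omitted); the "in" and "out"
# lists are numbered separately, which is why "@6" appears twice.
RULES_TEXT = """\
@3 pass out quick on lnc0 from 172.31.252.0/22 to 172.16.0.0/16
@4 pass out quick on lnc0 from 172.16.0.0/16 to 172.31.252.0/22
@6 pass out quick on lnc0 from any to any keep state
@6 skip 2 in on lnc0 from any to 172.31.252.30/32
@7 pass in quick on lnc0 from 172.31.252.0/22 to 172.16.0.0/16
@8 pass in quick on lnc0 from 172.16.0.0/16 to 172.31.252.0/22
"""


def _net(tok):
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok)


def parse_rule(line):
    """Parse '@N action [skip N] dir [quick] on IF from A to B ...'."""
    t = line.split()
    rule = {"num": int(t[0][1:]), "action": t[1], "skip": 0, "quick": False}
    i = 2
    if rule["action"] == "skip":
        rule["skip"] = int(t[i])
        i += 1
    rule["dir"] = t[i]
    i += 1
    if t[i] == "quick":
        rule["quick"] = True
        i += 1
    assert t[i] == "on"
    rule["iface"] = t[i + 1]
    i += 2
    assert t[i] == "from"
    rule["src"] = _net(t[i + 1])
    i += 2
    assert t[i] == "to"
    rule["dst"] = _net(t[i + 1])  # trailing options (keep state) ignored
    return rule


def load_rules(text):
    lists = {"in": [], "out": []}
    for line in text.splitlines():
        r = parse_rule(line)
        lists[r["dir"]].append(r)
    return lists


def trace(rules, direction, src, dst, default="block"):
    """Return (verdict, deciding rule number or None, rule numbers examined)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chain = rules[direction]
    seen, last, i = [], None, 0
    while i < len(chain):
        r = chain[i]
        seen.append(r["num"])
        if src in r["src"] and dst in r["dst"]:
            if r["action"] == "skip":
                i += 1 + r["skip"]  # jump over the next N rules
                continue
            last = r
            if r["quick"]:
                break  # quick: the first match decides
        i += 1
    if last is None:
        return default, None, seen
    return last["action"], last["num"], seen


RULES = load_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed sample: a reply from internal host 172.16.0.5 to the
    # m0n0wall address 172.31.252.30 hits the skip rule, which jumps over
    # @7 and @8, so nothing passes it and the default policy applies.
    print(trace(RULES, "in", "172.16.0.5", "172.31.252.30"))
    # -> ('block', None, [6])
    # The same reply to another host on the m0n0 net is passed by @8.
    print(trace(RULES, "in", "172.16.0.5", "172.31.252.50"))
    # -> ('pass', 8, [6, 7, 8])
```

The trace shows the mechanism the report describes: the skip rule is meant to keep locally destined traffic away from the static-route pass rules, but for replies to the m0n0 address itself it also skips the only rules that would pass them, and no later rule in the quoted listing catches them.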