 From:  'Frederick Page' <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Confirmed: bug in firewall on OPT1
 Date:  Sat, 18 Dec 2004 00:03:38 +0100
Hello James,

James W. McKeand wrote on 17 December 2004:

>>Action: Pass, Interface: OPT1, Protocol: AH, Source: any,
>>Destination: NOT LAN subnet

>First reaction would be rule is not right...

I really experimented with all kinds of things: changed the OPT1 to
10.0.0.0/4 (to be much different from the 192.168.100.0/24 LAN).

I also created aliases in "Firewall" and threw those in; I also
explicitly blocked traffic to LAN by spelling it out as
192.168.100.0/24.

Nothing has worked so far: LAN can be successfully prevented from
reaching OPT1, but vice versa seems to be impossible.

>Action: Pass
>Interface: OPT1
>Protocol: any (not AH - or was that a typo?)
>Source: OPT1 subnet (not any)
>Destination: NOT LAN subnet

Doesn't work either, I found out some more: as long as there is NO
rule on the OPT1 interface, traffic from OPT1 can go nowhere. The
second I put in ANY rule, LAN can be accessed from OPT1.

I put in this as the _only_ rule on OPT1:

Action: Block
Interf: OPT1
Protoc: any
Source: OPT1 subnet
Destin: any
Log packets that are handled by this rule

Now in theory, this should prevent ANY traffic to ANYWHERE and each
packet should be logged, right?

Wrong. Nothing is logged, with this one, single rule I can still "ping",
"net view" and "http://192.168.100.4" from OPT1. I can even FTP my
internal OpenBSD server from OPT1, aaaargh! However I must use
IP-addresses, DNS-resolution does not work.

>Second reaction - wasn't it working yesterday?

That was a mistake of mine: I had the Captive Portal activated, which
prevented any traffic. With Captive Portal deactivated: see above.

Kind regards   Frederick
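As an added illustration, and not code from this thread or from the m0n0wall project, the following Python script encodes the rule sets discussed above in a small first-match rule evaluator and checks what a per-interface, first-match, default-deny packet filter would be expected to do with them. The first-match and silent default-deny semantics, the interface names, the sample packets and the 203.0.113.10 remote address are assumptions made for the example; the subnets are the ones quoted in the message. Note that 10.0.0.0/4, as typed in the thread, is not aligned to a /4 boundary: normalised, it is 0.0.0.0/4, which covers 0.0.0.0 to 15.255.255.255.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subnets as quoted in the thread. strict=False is required because
# 10.0.0.0/4 has host bits set; it normalises to 0.0.0.0/4.
LAN_SUBNET = ipaddress.ip_network("192.168.100.0/24")
OPT1_SUBNET = ipaddress.ip_network("10.0.0.0/4", strict=False)


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    iface: str                               # interface the packet enters on
    proto: str                               # "any" or a protocol name
    src: Optional[ipaddress.IPv4Network]     # None models "any"
    dst: Optional[ipaddress.IPv4Network]     # None models "any"
    dst_not: bool = False                    # models the GUI's "NOT" on destination
    log: bool = False


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str


@dataclass
class Verdict:
    action: str
    logged: bool
    matched_rule: Optional[int]              # index into the rule list; None = default deny


def _addr_match(net: Optional[ipaddress.IPv4Network], addr: str, negate: bool = False) -> bool:
    """True when addr is covered by net (net=None matches anything); negate inverts."""
    hit = True if net is None else ipaddress.ip_address(addr) in net
    return (not hit) if negate else hit


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """First matching rule on the ingress interface decides; no match means a
    silent block (assumed default-deny behaviour for this example)."""
    for i, r in enumerate(rules):
        if r.iface != pkt.iface:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if not _addr_match(r.src, pkt.src):
            continue
        if not _addr_match(r.dst, pkt.dst, r.dst_not):
            continue
        return Verdict(r.action, r.log, i)
    return Verdict("block", False, None)


# Rule sets as described in the thread (interface name "opt1" is assumed).
RULESET_PASS_AH_NOT_LAN = [Rule("pass", "opt1", "ah", None, LAN_SUBNET, dst_not=True)]
RULESET_SUGGESTED = [Rule("pass", "opt1", "any", OPT1_SUBNET, LAN_SUBNET, dst_not=True)]
RULESET_BLOCK_ALL_LOG = [Rule("block", "opt1", "any", OPT1_SUBNET, None, log=True)]

# Constructed sample packets entering on OPT1.
PING_TO_LAN = Packet("opt1", "icmp", "10.0.0.5", "192.168.100.4")
HTTP_TO_LAN = Packet("opt1", "tcp", "10.0.0.5", "192.168.100.4")
HTTP_TO_REMOTE = Packet("opt1", "tcp", "10.0.0.5", "203.0.113.10")


def expected_outcomes() -> dict:
    """Expected verdicts for each scenario, keyed by a short label."""
    return {
        "no_rules_ping_lan": evaluate([], PING_TO_LAN),
        "pass_ah_ping_lan": evaluate(RULESET_PASS_AH_NOT_LAN, PING_TO_LAN),
        "suggested_http_lan": evaluate(RULESET_SUGGESTED, HTTP_TO_LAN),
        "suggested_http_remote": evaluate(RULESET_SUGGESTED, HTTP_TO_REMOTE),
        "block_all_http_lan": evaluate(RULESET_BLOCK_ALL_LOG, HTTP_TO_LAN),
    }


if __name__ == "__main__":
    for label, verdict in expected_outcomes().items():
        print(f"{label:24s} {verdict.action:5s} logged={verdict.logged} rule={verdict.matched_rule}")
```

Under these assumed semantics every packet from OPT1 to the LAN should be dropped in all three rule sets, and the single block rule should both drop and log. Comparing this expected table against the observed behaviour in the message (traffic passes, nothing is logged) is a quick way to pin down that the rules as written are not what is producing the observed behaviour, which points the investigation at the filter configuration actually loaded rather than at the rule logic itself.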