 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Confirmed: bug in front of m0n0wall
 Date:  Sat, 18 Dec 2004 17:31:29 +0100
Hello Manuel,

Manuel Kasper wrote on 18 December 2004:

>> However as I said: on the LAN-interface everything works as
>> expected: changing the last "pass" rule to "destination not OPT1"
>> prevents any traffic to OPT1. It just doesn't work the other way
>> round: prevent traffic from OPT1 to LAN.

>Why on earth do you have a static route for with
>gateway on your *OPT1* interface?

Honestly: I have no idea how that got in there. Now I look like a
complete fool. I did notice the in the "ipfw -nio"
output and suspected this already, but had no clue how it got in
there. I just assumed that would be some internal stuff, like the
default-rules to prevent accidental lock-out of the web-interface.

>Not only does that not make any sense, it's the source of your
>problem as well.

Of course it is. I never looked into "Static Routes" in the m0n0wall
config, because I just "knew", there were none, because I don't need

>That static route tells m0n0wall to let traffic between
> and pass unconditionally

Yes, I know, the /16 netmask covers both /24 subnets. I am so sorry
for making a fuss here, the problem was right in front of the PC the
whole time.

>Remove it, and life should be better for you.

I just did and as you said: everything works fine by now. Each and
every rule on OPT1 works as expected and (of course) flawlessly.

>Lesson learned: don't use the words "confirmed" and "bug" unless
>you're really really sure you did everything right...

From my previous point of view (not being aware of the static route)
there was something seriously wrong: as soon as I put in one single
"block" rule, OPT1 could access LAN. You might see how I got the idea
of a supposed "bug".

I just never got the idea to look into the "static routes", since I
never thought something there could affect the rules on OPT1 in that
way. And I wasn't aware that I had obviously put something in there. Of
course I realize that the problem was in front of the screen the
whole time.

Anyway: in addition to a public apology (I am really, really sorry to
be that stupid and to write of a "bug") I owe you big time for finding
this one out. Thank you VERY much for looking into my (stupid) config
and finding that ludicrous static route. Without you I still would not
be able to use my WLAN.

>Now, I've learned a lesson too.

On the bright side: not everything was a waste of time ;-)

>This automatic implicit routing feature will be made optional, with
>default to disabled, in the very next release.

Not everybody is as stupid as me ;-) and like any other GOOD software:
m0n0wall cannot be fool-proof.

Thank you again, you really made my day, I'm really glad and relieved
I got it all working now. That "Captive Portal" is one hell of a great
feature by the way.

Kind regards   Frederick
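As an added illustration of the mechanism discussed in this thread (not code from m0n0wall or from either poster), the Python model below shows why a static route whose destination covers a directly connected subnet shadows a "block" rule on OPT1, and includes the check a practitioner would run against a config: flag any static route that overlaps an interface subnet. The subnets (LAN 192.168.1.0/24, OPT1 192.168.2.0/24, route 192.168.0.0/16 via a gateway on OPT1), the first-match rule order, and the shape of the implicit rule (a bidirectional pass placed before the user's rules on the interface that owns the gateway) are assumptions, since the message shows none of them.

```python
"""Model of a static route shadowing firewall rules on a m0n0wall-style box.

Added illustration, not m0n0wall code. Assumptions: LAN is 192.168.1.0/24,
OPT1 is 192.168.2.0/24, the offending route is 192.168.0.0/16 via a gateway
on OPT1, and the implicit route rule is evaluated before the user's rules on
the interface that owns the gateway.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    src: Net
    dst: Net
    note: str = ""


@dataclass(frozen=True)
class StaticRoute:
    dest: Net        # destination network of the route
    iface: str       # interface the gateway lives on
    via_net: Net     # that interface's own subnet


# Assumed interface subnets (the message does not show the real ones).
LAN = Net("192.168.1.0/24")
OPT1 = Net("192.168.2.0/24")
ANY = Net("0.0.0.0/0")
INTERFACES = {"LAN": LAN, "OPT1": OPT1}


def implicit_rules(routes, iface):
    """Pass rules the implicit-routing feature adds for routes whose gateway
    sits on `iface`, modelled as a bidirectional pass (assumption)."""
    out = []
    for r in routes:
        if r.iface == iface:
            out.append(Rule("pass", r.via_net, r.dest, f"implicit: route {r.dest}"))
            out.append(Rule("pass", r.dest, r.via_net, f"implicit: route {r.dest}"))
    return out


def ruleset(iface, user_rules, routes):
    """Implicit route rules first, then the user's rules (assumed order)."""
    return implicit_rules(routes, iface) + list(user_rules)


def decide(rules, src, dst):
    """First-match evaluation; no match means the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r
    return Rule("block", ANY, ANY, "default deny")


def shadowing_routes(routes, interfaces):
    """The config check: static routes whose destination overlaps a directly
    connected subnet grant access between interfaces regardless of the rules."""
    return [r for r in routes
            if any(r.dest.overlaps(n) for n in interfaces.values())]


# Constructed OPT1 ruleset: keep the WLAN out of the LAN, allow the rest.
OPT1_USER_RULES = [
    Rule("block", OPT1, LAN, "keep WLAN out of LAN"),
    Rule("pass", OPT1, ANY, "everything else"),
]


def demo():
    """Same packet, with and without the /16 route; returns the two verdicts
    and the routes the check flags."""
    bad_route = StaticRoute(Net("192.168.0.0/16"), "OPT1", OPT1)
    src, dst = "192.168.2.10", "192.168.1.5"      # WLAN client -> LAN host
    with_route = decide(ruleset("OPT1", OPT1_USER_RULES, [bad_route]), src, dst)
    without_route = decide(ruleset("OPT1", OPT1_USER_RULES, []), src, dst)
    return with_route.action, without_route.action, shadowing_routes([bad_route], INTERFACES)


if __name__ == "__main__":
    print(demo())
```

The /16 route does not have to name LAN at all: because 192.168.0.0/16 contains both /24s, the implicit pass matches OPT1-to-LAN traffic before the user's block rule is ever consulted, which is exactly the "block rule has no effect" symptom in the thread. A route that does not overlap any interface subnet (say 10.0.0.0/8 via OPT1) still gets an implicit pass but leaves the block rule effective, which is what `shadowing_routes` distinguishes.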