 
 From:  Steven Stremciuc <steve at freeslacker dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  overzealous firewall
 Date:  Tue, 25 Jan 2005 00:05:38 -0700
Hi,

I have a m0n0wall box that seems to be dropping packets it shouldn't be. 
I have some 13 public IPs (in a /26) on the WAN link and port 
forwarding to servers on RFC 1918 addresses. There is a small amount of traffic 
(1-2Mbps upstream average, mostly HTTP) handled by m0n0wall. I am using 
m0n0wall because of the quick setup, replacing a dead firewall until I 
get something more appropriate in place.

Plenty of traffic still gets through to the web servers, but I see many 
blocked packets being logged (following just a snippet):

23:46:42.233726 dc0 @0:15 b 66.xx.xx.67,3595 -> 192.168.0.20,80 PR tcp len 20 43 -AR IN
23:46:39.596285 dc0 @0:15 b 169.xx.xx.169,2888 -> 192.168.0.10,80 PR tcp len 20 40 -A IN
23:46:38.032625 dc0 @0:15 b 66.xx.xx.193,3356 -> 192.168.0.14,80 PR tcp len 20 40 -A IN
23:46:37.908137 dc0 @0:15 b 66.xx.xx.138,4350 -> 192.168.0.14,80 PR tcp len 20 124 -AP IN
23:46:37.662373 dc0 @0:15 b 66.xx.xx.193,3355 -> 192.168.0.14,80 PR tcp len 20 52 -A IN

looks like they are being caught here:

613953 @17 block in log quick on dc0 from any to any head 200

even though there are definitely rules to allow traffic to pass (and it 
does seem to allow some traffic to pass):

228062 @23 pass in quick proto tcp from any to 192.168.0.10/32 port = 80 keep state group 200
136060 @39 pass in quick proto tcp from any to 192.168.0.14/32 port = 80 keep state group 200
28895 @40 pass in quick proto tcp from any to 192.168.0.20/32 port = 80 keep state group 200

Can someone please point me in the right direction as it is quite 
unnerving to see legitimate packets being dropped in such high numbers?

The way I noticed all those dropped packets was that connections to the 
servers started dying, and the only way I could get it working again was 
to reset the state tables. As soon as I did that, connections through the 
m0n0wall became responsive again, but I noticed how many packets it's 
blocking.

Any ideas would be much appreciated.

thanks,

Steven Stremciuc
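The triage a reader would want to do on the log excerpt above is to separate blocked packets that were trying to open a connection (SYN without ACK) from blocked packets that belong to a connection already past its handshake (ACK without SYN), and to check which of those were headed for destinations the pass rules accept. The script below is an added example written for this page; it is not part of the original post and not m0n0wall's or ipfilter's own code. It parses the ipmon-style log line format and the rule listing format quoted in the post. The sample log lines and rule lines embedded in it are constructed after the post's excerpts (source addresses replaced with documentation ranges, one SYN block and one passed packet added), and the exact log format of a given m0n0wall release is assumed to match the quoted lines.

```python
import re
from collections import Counter

# Constructed sample of log lines in the format quoted in the post:
# timestamp, interface, @group:rule, b (blocked) or p (passed),
# src,port -> dst,port, protocol, header length, total length,
# TCP flags (-S/-A/-P/-R/...), direction.  Source addresses are
# documentation ranges, not captured traffic.
SAMPLE_LOG = """\
23:46:42.233726 dc0 @0:15 b 198.51.100.67,3595 -> 192.168.0.20,80 PR tcp len 20 43 -AR IN
23:46:39.596285 dc0 @0:15 b 203.0.113.169,2888 -> 192.168.0.10,80 PR tcp len 20 40 -A IN
23:46:38.032625 dc0 @0:15 b 198.51.100.193,3356 -> 192.168.0.14,80 PR tcp len 20 40 -A IN
23:46:37.908137 dc0 @0:15 b 198.51.100.138,4350 -> 192.168.0.14,80 PR tcp len 20 124 -AP IN
23:46:37.662373 dc0 @0:15 b 198.51.100.193,3355 -> 192.168.0.14,80 PR tcp len 20 52 -A IN
23:46:36.100000 dc0 @0:15 b 203.0.113.7,4444 -> 192.168.0.14,80 PR tcp len 20 48 -S IN
23:46:35.000000 dc0 @0:40 p 203.0.113.6,4443 -> 192.168.0.20,80 PR tcp len 20 48 -S IN
"""

# Constructed copy of the rule listing (hit count, @rule, rule text)
# quoted in the post.
SAMPLE_RULES = """\
613953 @17 block in log quick on dc0 from any to any head 200
228062 @23 pass in quick proto tcp from any to 192.168.0.10/32 port = 80 keep state group 200
136060 @39 pass in quick proto tcp from any to 192.168.0.14/32 port = 80 keep state group 200
28895 @40 pass in quick proto tcp from any to 192.168.0.20/32 port = 80 keep state group 200
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)$"
)

# Only the host-specific "pass in" rules are of interest here; the head
# rule and anything else are ignored.
RULE_RE = re.compile(
    r"pass in quick proto (?P<proto>\w+) from any to "
    r"(?P<dst>[\d.]+)/32 port = (?P<port>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"] or ""   # non-TCP lines carry no flag field
    rec["blocked"] = rec["action"] == "b"
    return rec


def classify(rec):
    """'new' = SYN without ACK (connection attempt); 'mid-stream' = ACK
    without SYN (segment of a connection already past its handshake)."""
    if rec["proto"] != "tcp":
        return "other"
    f = rec["flags"]
    if "S" in f and "A" not in f:
        return "new"
    if "A" in f and "S" not in f:
        return "mid-stream"
    return "other"


def allowed_from_rules(rules_text):
    """Set of (proto, dst, port) tuples that the pass rules accept."""
    allowed = set()
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            allowed.add((m["proto"], m["dst"], m["port"]))
    return allowed


def summarize(log_text):
    """Count blocked packets by class, by destination and by blocking rule."""
    by_class, by_dst, by_rule = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["blocked"]:
            continue
        by_class[classify(rec)] += 1
        by_dst[(rec["dst"], rec["dport"])] += 1
        by_rule["@%s:%s" % (rec["group"], rec["rule"])] += 1
    return by_class, by_dst, by_rule


def suspicious_blocks(log_text, allowed):
    """Blocked mid-stream segments to a destination the pass rules accept:
    established traffic dropped, not a refused connection attempt."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["blocked"]:
            continue
        if classify(rec) == "mid-stream" and \
                (rec["proto"], rec["dst"], rec["dport"]) in allowed:
            out.append(rec)
    return out


if __name__ == "__main__":
    by_class, by_dst, by_rule = summarize(SAMPLE_LOG)
    print("blocked by class:", dict(by_class))
    print("blocked by destination:", dict(by_dst))
    print("blocked by rule:", dict(by_rule))
    for rec in suspicious_blocks(SAMPLE_LOG, allowed_from_rules(SAMPLE_RULES)):
        print("established traffic dropped:", rec["src"], "->", rec["dst"],
              rec["dport"], "flags", rec["flags"])
```

Run against a real log, the interesting number is the size of the last list relative to the "new" count: a firewall that is refusing connection attempts shows up as blocked SYNs, while a firewall that drops segments of connections it has already accepted shows up as blocked ACK-only segments to destinations the ruleset passes, which is the pattern the excerpt in the post shows.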