From: Jesse Guardiani <jesse at wingnet dot net>
To: m0n0wall at lists dot m0n0 dot ch
Subject: 1.2b3 ruleset bug?
Date: Mon, 07 Feb 2005 11:18:19 -0500

Hello,

I just placed a 1.2b3 4801 in production today as
a transparent filtering bridge. Neither WAN nor
OPT1 have an IP, and they are bridged together.

The LAN interface has the subnet 63.99.6.230/27.

Both the LAN interface and the OPT1 interface are
plugged into the same switch. OPT1 is plugged into
the uplink port and LAN is plugged into a regular
port. The switch is a Cisco Catalyst 1900 series.

Here are my interfaces:

 <interfaces>
  <lan>
   <if>sis2</if>
   <ipaddr>63.99.6.230</ipaddr>
   <subnet>27</subnet>
   <media/>
   <mediaopt/>
  </lan>
  <wan>
   <if>sis0</if>
   <mtu/>
   <media/>
   <mediaopt/>
   <spoofmac/>
  </wan>
  <opt1>
   <if>sis1</if>
   <descr>OPT1</descr>
   <ipaddr/>
   <subnet>31</subnet>
   <bridge>wan</bridge>
   <enable/>
  </opt1>
 </interfaces>


I have the following rules, ONLY:

 <filter>
  <rule>
   <type>pass</type>
   <interface>wan</interface>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
   </destination>
   <descr>WAN: ALL -&gt; ALL</descr>
  </rule>
  <rule>
   <type>pass</type>
   <interface>opt1</interface>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
   </destination>
   <descr>OPT1: ALL -&gt; ALL</descr>
  </rule>
  <rule>
   <type>pass</type>
   <interface>lan</interface>
   <source>
    <any/>
   </source>
   <destination>
    <any/>
   </destination>
   <descr>LAN any -&gt; LAN any</descr>
  </rule>
  <tcpidletimeout/>
 </filter>

HOWEVER, I can't access the LAN IP from a subnet
other than 63.99.6.230/27! To track down the problem,
I ran ipfstat from exec.php:

$ ipfstat -o
pass out quick on lo0 from any to any
pass out quick on sis2 proto udp from 63.99.6.230/32 port = 67 to any port = 68
pass out quick on sis0 proto udp from any port = 68 to any port = 67
pass out quick on sis2 from any to any keep state
pass out quick on sis0 from any to any keep state
pass out quick on sis1 from any to any keep state
block out log quick from any to any

$ ipfstat -i
pass in quick on lo0 from any to any
block in log quick from any to any with short
block in log quick from any to any with ipopt
pass in quick on sis2 proto udp from any port = 68 to 255.255.255.255/32 port = 67
pass in quick on sis2 proto udp from any port = 68 to 63.99.6.230/32 port = 67
block in log quick on sis0 from 63.99.6.224/27 to any
block in log quick on sis0 proto udp from any port = 67 to 63.99.6.224/27 port = 68
pass in quick on sis0 proto udp from any port = 67 to any port = 68
block in log quick on sis2 from !63.99.6.224/27 to any
skip 1 in proto tcp from any to any flags S/FSRA
block in log quick proto tcp from any to any
block in log quick on sis2 from any to any head 100
pass in quick from 63.99.6.224/27 to 63.99.6.230/32 keep state group 100
pass in quick from any to any keep state group 100
block in log quick on sis0 from any to any head 200
pass in quick from any to any keep state group 200
block in log quick on sis1 from any to any head 300
pass in quick from any to any keep state group 300
block in log quick from any to any

I got the idea from this post:
    http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=71&actionargs[]=24

It looks like there is perhaps a long-standing bug in
the ruleset generation code. sis2 is my LAN interface.
I don't think this input rule should be there:

block in log quick on sis2 from !63.99.6.224/27 to any

I can actually see my incoming port 8082 connections
being blocked on the LAN interface from my logs, so
I know this rule is effective. How do I remove it?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
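The rule walk Jesse does by hand above, as an added example that is not part of the original post and not code from m0n0wall or ipfilter: a small Python evaluator that parses the ipfstat -i listing exactly as printed in the message and reports which rule decides a given packet. It models only the keywords that occur in that listing (on, proto, from/to with ! and port =, flags S/FSRA, with short/ipopt, skip N, head N / group N), treats every pass/block rule as quick (true for this listing) and ignores keep state, so each packet is judged as the first packet of a new connection. The packets, the interface roles (sis0 WAN, sis1 OPT1, sis2 LAN, as in the config above) and the remote address 10.1.2.3 are constructed test input.

```python
# Added example (not code from the post or from m0n0wall/ipfilter): a toy walker for
# the 'ipfstat -i' listing above. Every pass/block rule is treated as quick (true for
# this listing) and 'keep state' is ignored, so each packet is judged as a new flow.
import ipaddress
from dataclasses import dataclass

RULESET = """\
pass in quick on lo0 from any to any
block in log quick from any to any with short
block in log quick from any to any with ipopt
pass in quick on sis2 proto udp from any port = 68 to 255.255.255.255/32 port = 67
pass in quick on sis2 proto udp from any port = 68 to 63.99.6.230/32 port = 67
block in log quick on sis0 from 63.99.6.224/27 to any
block in log quick on sis0 proto udp from any port = 67 to 63.99.6.224/27 port = 68
pass in quick on sis0 proto udp from any port = 67 to any port = 68
block in log quick on sis2 from !63.99.6.224/27 to any
skip 1 in proto tcp from any to any flags S/FSRA
block in log quick proto tcp from any to any
block in log quick on sis2 from any to any head 100
pass in quick from 63.99.6.224/27 to 63.99.6.230/32 keep state group 100
pass in quick from any to any keep state group 100
block in log quick on sis0 from any to any head 200
pass in quick from any to any keep state group 200
block in log quick on sis1 from any to any head 300
pass in quick from any to any keep state group 300
block in log quick from any to any
"""  # the inbound ruleset exactly as printed by 'ipfstat -i' in the post


@dataclass
class Packet:                 # constructed inbound packet (hypothetical test input)
    iface: str                # sis0 = WAN, sis1 = OPT1, sis2 = LAN
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    tcp_flags: str = "S"      # letters among F S R P A U
    attrs: frozenset = frozenset()  # ipfilter 'with' attributes present, e.g. {"short"}


def parse_rule(text):         # one ipfstat line -> dict of match criteria
    t = text.split()
    r = dict.fromkeys(("on", "proto", "flags", "with", "src", "sport", "dst", "dport", "head", "group"))
    r.update(text=text, action=t[0], src_neg=False, dst_neg=False, skip=int(t[1]) if t[0] == "skip" else 0)
    i = 0
    while i < len(t):
        tok = t[i]
        if tok in ("from", "to"):
            key = "src" if tok == "from" else "dst"
            net = t[i + 1].lstrip("!")
            r[key] = ipaddress.ip_network("0.0.0.0/0" if net == "any" else net, strict=False)
            r[key + "_neg"] = t[i + 1].startswith("!")
            i += 2
            if i + 2 < len(t) and t[i] == "port" and t[i + 1] == "=":
                r[key[0] + "port"] = int(t[i + 2])       # sport / dport
                i += 3
        elif tok in ("on", "proto", "flags", "with", "head", "group"):
            r[tok] = t[i + 1]
            i += 2
        else:
            i += 1            # in/out, log, quick, keep, state, the skip count
    return r


RULES = [parse_rule(line) for line in RULESET.splitlines() if line.strip()]


def matches(r, p):            # True if packet p satisfies every criterion of rule r
    if (r["on"] and r["on"] != p.iface) or (r["proto"] and r["proto"] != p.proto):
        return False
    for key, addr, port in (("src", p.src, p.sport), ("dst", p.dst, p.dport)):
        # address fails if inside a '!' network or outside a plain one; a port must be equal
        if (r[key] is not None and (ipaddress.ip_address(addr) in r[key]) == r[key + "_neg"]
                or r[key[0] + "port"] not in (None, port)):
            return False
    if r["flags"]:            # S/FSRA: of the flags F,S,R,A exactly S must be set
        want, mask = r["flags"].split("/")
        if p.proto != "tcp" or {f for f in p.tcp_flags if f in mask} != set(want):
            return False
    return not r["with"] or r["with"] in p.attrs


def evaluate(rules, p):
    """Return (verdict, rule text) of the rule deciding p. A matching 'skip N' jumps the
    next N rules; a matching 'head N' rule hands p to its 'group N' rules and falls back
    to its own action when none of them match. First match decides (all rules quick)."""
    groups, top = {}, []
    for r in rules:
        (top if r["group"] is None else groups.setdefault(r["group"], [])).append(r)
    skip = 0
    for r in top:
        if skip:
            skip -= 1
        elif r["action"] == "skip" and matches(r, p):
            skip = r["skip"]
        elif matches(r, p):
            for g in groups.get(r["head"], []):
                if matches(g, p):
                    return g["action"], g["text"]
            return r["action"], r["text"]
    return "pass", None       # ipfilter's implicit default; not reached with this ruleset


if __name__ == "__main__":    # constructed: SYN to :8082 from a remote subnet, arriving on the LAN side
    print(evaluate(RULES, Packet("sis2", "10.1.2.3", "63.99.6.230", "tcp", 40000, 8082)))
```

Fed a TCP SYN from 10.1.2.3 to 63.99.6.230 port 8082 arriving on sis2, the walker stops at "block in log quick on sis2 from !63.99.6.224/27 to any", which is the rule the post identifies from its logs. The same SYN from 63.99.6.240 gets past that rule, through the skip, into the head 100 group, and is passed by its first rule; the same remote SYN arriving on sis0 instead is passed by group 200. A bare ACK from the local subnet on sis2 is blocked by "block in log quick proto tcp from any to any", because the skip only protects SYN-only packets; in the real firewall that is what keep state covers for established flows. The evaluator is deliberately stateless, so it shows rule order only, not what an existing state entry would pass.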