 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: 1.2b3 ruleset bug?
 Date:  Tue, 08 Feb 2005 09:31:44 -0500
Jesse Guardiani wrote:

> Hello,
> 
> I just placed a 1.2b3 4801 in production today as
> a transparent filtering bridge. Neither WAN nor
> OPT1 have an IP, and they are bridged together.
> 
> The LAN interface has the subnet 63.99.6.230/27.
> 
> Both the LAN interface and the OPT1 interface are
> plugged into the same switch. OPT1 is plugged into
> the uplink port and LAN is plugged into a regular
> port. The switch is a Cisco Catalyst 1900 series.
> 
> Here are my interfaces:
> 
>  <interfaces>
>   <lan>
>    <if>sis2</if>
>    <ipaddr>63.99.6.230</ipaddr>
>    <subnet>27</subnet>
>    <media/>
>    <mediaopt/>
>   </lan>
>   <wan>
>    <if>sis0</if>
>    <mtu/>
>    <media/>
>    <mediaopt/>
>    <spoofmac/>
>   </wan>
>   <opt1>
>    <if>sis1</if>
>    <descr>OPT1</descr>
>    <ipaddr/>
>    <subnet>31</subnet>
>    <bridge>wan</bridge>
>    <enable/>
>   </opt1>
>  </interfaces>
> 
> 
> I have the following rules, ONLY:
> 
>  <filter>
>   <rule>
>    <type>pass</type>
>    <interface>wan</interface>
>    <source>
>     <any/>
>    </source>
>    <destination>
>     <any/>
>    </destination>
>    <descr>WAN: ALL -&gt; ALL</descr>
>   </rule>
>   <rule>
>    <type>pass</type>
>    <interface>opt1</interface>
>    <source>
>     <any/>
>    </source>
>    <destination>
>     <any/>
>    </destination>
>    <descr>OPT1: ALL -&gt; ALL</descr>
>   </rule>
>   <rule>
>    <type>pass</type>
>    <interface>lan</interface>
>    <source>
>     <any/>
>    </source>
>    <destination>
>     <any/>
>    </destination>
>    <descr>LAN any -&gt; LAN any</descr>
>   </rule>
>   <tcpidletimeout/>
>  </filter>
> 
> HOWEVER, I can't access the LAN IP from a subnet
> other than 63.99.6.230/27! To track down the problem,
> I ran ipfstat from exec.php:
> 
> $ ipfstat -o
> pass out quick on lo0 from any to any
> pass out quick on sis2 proto udp from 63.99.6.230/32 port = 67 to any port = 68
> pass out quick on sis0 proto udp from any port = 68 to any port = 67
> pass out quick on sis2 from any to any keep state
> pass out quick on sis0 from any to any keep state
> pass out quick on sis1 from any to any keep state
> block out log quick from any to any
> 
> $ ipfstat -i
> pass in quick on lo0 from any to any
> block in log quick from any to any with short
> block in log quick from any to any with ipopt
> pass in quick on sis2 proto udp from any port = 68 to 255.255.255.255/32 port = 67
> pass in quick on sis2 proto udp from any port = 68 to 63.99.6.230/32 port = 67
> block in log quick on sis0 from 63.99.6.224/27 to any
> block in log quick on sis0 proto udp from any port = 67 to 63.99.6.224/27 port = 68
> pass in quick on sis0 proto udp from any port = 67 to any port = 68
> block in log quick on sis2 from !63.99.6.224/27 to any
> skip 1 in proto tcp from any to any flags S/FSRA
> block in log quick proto tcp from any to any
> block in log quick on sis2 from any to any head 100
> pass in quick from 63.99.6.224/27 to 63.99.6.230/32 keep state group 100
> pass in quick from any to any keep state group 100
> block in log quick on sis0 from any to any head 200
> pass in quick from any to any keep state group 200
> block in log quick on sis1 from any to any head 300
> pass in quick from any to any keep state group 300
> block in log quick from any to any
> 
> I got the idea from this post:
>     http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=71&actionargs[]=24
> 
> It looks like there is perhaps a long-standing bug in
> the ruleset generation code. sis2 is my LAN interface.
> I don't think this input rule should be there:
> 
> block in log quick on sis2 from !63.99.6.224/27 to any
> 
> I can actually see my incoming port 8082 connections
> being blocked on the LAN interface from my logs, so
> I know this rule is effective. How do I remove it?

I know this was a long post, but could someone take a look
at it? I think it may be an important bug/gotcha.

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
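To see why the anti-spoof rule on sis2 wins before the LAN pass rules in group 100 ever get a look, here is a small evaluator for the address-only subset of the ipfstat -i output above. It is an added illustration, not m0n0wall or ipfilter code; it models only interface and address matching plus ipf's quick/head/group ordering, and ignores protocols, ports, TCP flags and state tracking.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed input: the address-only rules from the ipfstat -i output in the post
# (proto/flags/with rules omitted; this model ignores ports and state).
RULESET = """\
block in log quick on sis0 from 63.99.6.224/27 to any
block in log quick on sis2 from !63.99.6.224/27 to any
block in log quick on sis2 from any to any head 100
pass in quick from 63.99.6.224/27 to 63.99.6.230/32 keep state group 100
pass in quick from any to any keep state group 100
block in log quick on sis0 from any to any head 200
pass in quick from any to any keep state group 200
block in log quick from any to any
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block) in (?:log )?quick(?: on (?P<iface>\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)(?: keep state)?"
    r"(?: (?P<kind>head|group) (?P<grp>\d+))?$")

def parse_rules(text):
    """Parse ipfstat-style lines into dicts; lines outside the modelled subset are skipped."""
    matches = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return [dict(m.groupdict(), text=m.group(0)) for m in matches if m]

def addr_matches(spec, ip):
    """'any', a CIDR, or a '!'-negated CIDR, as ipfstat prints them."""
    if spec == "any":
        return True
    inside = ip_address(ip) in ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def rule_matches(rule, iface, src, dst):
    return (rule["iface"] in (None, iface)
            and addr_matches(rule["src"], src) and addr_matches(rule["dst"], dst))

def evaluate(rules, iface, src, dst):
    """First matching quick rule decides; a head rule hands the packet to its group
    and applies its own action only when nothing in the group matches."""
    for rule in rules:
        if rule["kind"] == "group" or not rule_matches(rule, iface, src, dst):
            continue
        if rule["kind"] == "head":
            for sub in rules:
                if (sub["kind"] == "group" and sub["grp"] == rule["grp"]
                        and rule_matches(sub, iface, src, dst)):
                    return sub["action"], sub["text"]
        return rule["action"], rule["text"]
    return "block", "(no rule matched)"
```

A packet from outside 63.99.6.224/27 arriving on sis2 is blocked by the negated-source rule, while the same packet arriving on sis0 reaches group 200 and passes; that is the asymmetry the post describes.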