 
 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: 1.2b3 ruleset bug?
 Date:  Tue, 08 Feb 2005 16:27:56 -0500
Vincent Fleuranceau wrote:

> 
> 
> -------- Original Message --------
> 
>> Jesse Guardiani wrote:
>>
>>>It looks like there is perhaps a long-standing bug in
>>>the ruleset generation code. sis2 is my LAN interface.
>>>I don't think this input rule should be there:
>>>
>>>block in log quick on sis2 from !63.99.6.224/27 to any
>>>
>>>I can actually see my incoming port 8082 connections
>>>being blocked on the LAN interface from my logs, so
>>>I know this rule is effective. How do I remove it?
>> 
>> 
>> I know this was a long post, but could someone take a look
>> at it? I think it may be an important bug/gotcha.
>> 
> 
> Jesse,
> 
> Could you go to the status.php page and copy/paste the 'unparsed
> ipfilter rules' section, so that we can see where (in the source
> code) the faulty rule is generated?

Wow, that page takes a while to load. See below for the info you requested.
Looks like the culprit is the spoof check. How can I disable that?

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on sis2 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on sis2 proto udp from any port = 68 to 63.99.6.230 port = 67
pass out quick on sis2 proto udp from 63.99.6.230 port = 67 to any port = 68

# WAN spoof check
block in log quick on sis0 from 63.99.6.224/27 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on sis0 proto udp from any port = 68 to any port = 67
block in log quick on sis0 proto udp from any port = 67 to 63.99.6.224/27 port = 68
pass in quick on sis0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on sis2 from ! 63.99.6.224/27 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on sis2 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on sis2 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on sis0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on sis0 all keep state
  
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on sis1 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on sis1 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 63.99.6.224/27 to 63.99.6.230 keep state group 100

# User-defined rules follow
pass in quick from any to any keep state group 200 
pass in quick from any to any keep state group 300 
pass in quick from any to any keep state group 100 
 
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
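The ordering effect Jesse is seeing, as an added example that is not part of the original thread or of m0n0wall's code: a small Python evaluator for the subset of ipfilter syntax used in the pasted ruleset. It walks the inbound-relevant rules first-match (every rule in the ruleset is `quick`), models `head`/`group` just far enough that the user rules in group 100 are only reached through the `head 100` rule, and models `skip N` as skipping the next N rules in the same group. The ruleset text is copied from the post above with comments and the loopback, DHCP-server, outbound and opt1 rules dropped; the source address `10.1.1.5` is constructed to stand for a host outside `63.99.6.224/27`, and port 8082 is the one mentioned in the thread.

```python
# Added example: first-match evaluator for the ipfilter rule subset quoted above.
import ipaddress

# Rules copied from the thread, comments dropped; order is significant.
RULESET = """\
block in log quick all with short
block in log quick on sis0 from 63.99.6.224/27 to any
block in log quick on sis0 proto udp from any port = 67 to 63.99.6.224/27 port = 68
pass in quick on sis0 proto udp from any port = 67 to any port = 68
block in log quick on sis2 from ! 63.99.6.224/27 to any
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
block in log quick on sis2 all head 100
block in log quick on sis0 all head 200
pass in quick from 63.99.6.224/27 to 63.99.6.230 keep state group 100
pass in quick from any to any keep state group 200
pass in quick from any to any keep state group 100
block in log quick all
"""

def parse_rule(text):
    """Parse one rule line into a dict (only the keywords used in RULESET)."""
    toks = iter(text.replace("port = ", "port=").split())
    rule = {"text": text, "iface": None, "proto": None, "src": None, "dst": None,
            "src_neg": False, "dst_neg": False, "sport": None, "dport": None,
            "flags": None, "with": None, "head": None, "group": None, "skip": 0,
            "action": next(toks)}
    if rule["action"] == "skip":            # 'skip N': skip the next N rules on match
        rule["skip"] = int(next(toks))
    rule["dir"] = next(toks)
    side = None                             # which address a following port= applies to
    for t in toks:
        if t in ("log", "quick", "all"):    # no effect on matching in this model
            continue
        if t in ("on", "proto", "flags", "with"):
            rule["iface" if t == "on" else t] = next(toks)
        elif t in ("from", "to"):
            side, addr = ("src" if t == "from" else "dst"), next(toks)
            if addr == "!":                 # negated address: "from ! 63.99.6.224/27"
                rule[side + "_neg"], addr = True, next(toks)
            rule[side] = None if addr == "any" else ipaddress.ip_network(addr)
        elif t.startswith("port="):
            rule["sport" if side == "src" else "dport"] = int(t[5:])
        elif t == "keep":                   # 'keep state': consume the 'state' token
            next(toks)
        elif t in ("head", "group"):
            rule[t] = int(next(toks))
        else:
            raise ValueError(f"unsupported token {t!r} in {text!r}")
    return rule

def matches(rule, pkt):
    """True if the packet satisfies every selector the rule carries."""
    if rule["dir"] != pkt["dir"] or (rule["iface"] and rule["iface"] != pkt["iface"]):
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):              # "!" inverts the subnet membership test
        if rule[key] is not None and (ipaddress.ip_address(pkt[key]) in rule[key]) == rule[key + "_neg"]:
            return False
    for key in ("sport", "dport"):
        if rule[key] is not None and rule[key] != pkt.get(key):
            return False
    if rule["flags"]:                       # "S/SAFR": of the masked bits, exactly S is set
        want, mask = rule["flags"].split("/")
        if set(pkt.get("flags", "")) & set(mask) != set(want):
            return False
    return not rule["with"] or rule["with"] in pkt.get("with", ())

def decide(pkt):
    """First-match walk (every rule here is 'quick'); returns (verdict, deciding rule)."""
    def walk(group):
        to_skip = 0
        for rule in RULES:
            if rule["group"] != group:
                continue
            if to_skip:                     # consumed by a preceding 'skip N'
                to_skip -= 1
                continue
            if not matches(rule, pkt):
                continue
            if rule["action"] == "skip":
                to_skip = rule["skip"]
                continue
            if rule["head"] is not None:    # a matching group rule decides; otherwise
                sub = walk(rule["head"])    # the head rule's own action applies
                if sub:
                    return sub
            return rule["action"], rule["text"]
        return None
    return walk(None) or ("block", "<no rule matched>")

RULES = [parse_rule(line) for line in RULESET.splitlines()]

# Constructed packet: a TCP SYN to port 8082 arriving on the LAN interface sis2
# from 10.1.1.5 (constructed), an address outside the LAN subnet 63.99.6.224/27.
OFF_SUBNET_ON_LAN = {"dir": "in", "iface": "sis2", "proto": "tcp", "src": "10.1.1.5",
                     "dst": "63.99.6.230", "dport": 8082, "flags": "S"}
```

Running `decide(OFF_SUBNET_ON_LAN)` returns the LAN spoof-check rule as the deciding rule: it sits before the `head 100` rule, so the `pass in quick from any to any ... group 100` user rule is never consulted for a LAN-side packet whose source is outside the LAN subnet. The same packet with a source inside `63.99.6.224/27` reaches group 100 and passes, and the same packet arriving on `sis0` passes through group 200, which is the asymmetry the thread is about.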