On Thursday 10 February 2005 12:09 am, Chris Buechler wrote:

> On Wed, 09 Feb 2005 01:35:26 -0500, Jesse Guardiani <jesse at wingnet dot net> wrote:
> >
> > I've created and tested this setup at least 2 times now. Each config
> > takes between an hour and two hours to set up, debug, and test.
>
> This is why I use the new teams feature in VMware 5 RC. Makes
> replicating this stuff a billion times easier. A couple clicks and my
> test m0n0wall virtual network was set up as needed.
>
> I *could* replicate exactly what you're seeing. You're not crazy. ;)
> Antispoofing rules biting us in the ass here as well, though they
> shouldn't apply to a bridged setup.
>
> The line doing it is:
> block in log quick in lnc2 from !1.1.1.0/24 to any
>
> (1.1.1.0/24 is the subnet of the WAN interface, lnc2 is the bridged DMZ interface)
>
> As a work around, add a (fake) static route on the DMZ interface to
> the networks behind the bridge that aren't within the WAN subnet. The
> route itself doesn't do anything since it's a bridge, but adding a
> route adds exemptions for those networks to the antispoofing rules.
> The reason it was working without an IP on the WAN is because then it
> didn't add the antispoofing rules the same way, if at all.
>
> Antispoofing rules shouldn't apply to a bridge though, since you won't
> add routes for bridged networks. I'll send Manuel some better info on
> this and hopefully get it resolved in some fashion other than adding
> superfluous static routes.

Chris, I just wanted to say "Thank You" for testing this. You're right, I was indeed starting to think I might be crazy. And I definitely appreciate the fact that you have found the problem where I could only guess (I hadn't realized status.php existed until after I ran both of my test cases. I've learned a lot about m0n0wall from this bridging experience!)

I hope we/Manuel can get the antispoofing rules turned off on bridged interfaces for 1.2b4. I can't wait to put an IP on my bridged WAN for management purposes. I think this change will make m0n0wall's bridge support finally quite flexible and reliable (i.e. from a setup standpoint. It's already quite reliable once you have a working config).

Finally, do you think there would be any value for expert m0n0wall users in a webGUI knob to turn off anti-spoofing rules entirely? Now that I know they exist, I realize that I've run into problems with these anti-spoofing rules not just in bridge setups, but also in pure routing setups. A "disable anti-spoofing rules" knob seems like a great debugging tool to me. Running into strange invisible rules blocking your traffic? Turn off anti-spoof rules!

What do you think?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
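A small model of the behaviour Chris describes above, added here as an illustration and not code from m0n0wall or from either poster: an ipfilter-style antispoofing block on the bridged DMZ interface, the per-network exemptions that the static-route workaround adds ahead of it, and a first-match evaluator run over sample packets. The WAN subnet 1.1.1.0/24 and interface lnc2 are taken from the thread; the network 10.0.0.0/24 behind the bridge and the test addresses are constructed, and the rule ordering (exemptions before the block) is an assumption about how the workaround takes effect.

```python
import ipaddress

# Rule = (action, interface, source network, negate_source).
# A rule with negate_source=True matches sources NOT in the network,
# i.e. ipfilter's "from !1.1.1.0/24".
Rule = tuple


def antispoof_rules(iface, wan_subnet, static_routes=()):
    """Build the antispoofing rules for one interface.

    Simplified model of what the thread describes, not m0n0wall's own
    rule generator: each static route on the interface becomes a pass
    exemption placed ahead of the block, then the block rejects any
    source that is not inside the WAN subnet.
    """
    rules = [("pass", iface, ipaddress.ip_network(net), False)
             for net in static_routes]
    rules.append(("block", iface, ipaddress.ip_network(wan_subnet), True))
    return rules


def render(rules):
    """Render rules in ipfilter-like syntax for comparison with status.php output."""
    lines = []
    for action, iface, net, negate in rules:
        src = ("!" if negate else "") + str(net)
        log = " log" if action == "block" else ""
        lines.append(f"{action} in{log} quick on {iface} from {src} to any")
    return lines


def evaluate(rules, iface, src_ip):
    """First-match ('quick') evaluation of an inbound packet on iface.

    Returns 'pass' or 'block'. Packets that hit no rule are passed,
    which stands in for the rest of the ruleset that is not modelled.
    """
    src = ipaddress.ip_address(src_ip)
    for action, rule_iface, net, negate in rules:
        if rule_iface != iface:
            continue
        if (src in net) != negate:
            return action
    return "pass"


# Constructed scenario: host 10.0.0.5 sits behind the bridged DMZ (lnc2).
WAN_SUBNET = "1.1.1.0/24"
WITHOUT_ROUTE = antispoof_rules("lnc2", WAN_SUBNET)
WITH_ROUTE = antispoof_rules("lnc2", WAN_SUBNET, static_routes=["10.0.0.0/24"])
```

Rendering WITHOUT_ROUTE reproduces the single block line quoted in the thread; evaluating 10.0.0.5 on lnc2 against it returns "block", and against WITH_ROUTE returns "pass" because the fake route's exemption is matched first.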