On Thursday 10 February 2005 12:09 am, Chris Buechler wrote:
> On Wed, 09 Feb 2005 01:35:26 -0500, Jesse Guardiani <jesse at wingnet dot net> wrote:
> > I've created and tested this setup at least 2 times now. Each config
> > takes between an hour and two hours to setup, debug, and test.
> This is why I use the new teams feature in VMware 5 RC. Makes
> replicating this stuff a billion times easier. A couple clicks and my
> test m0n0wall virtual network was setup as needed.
> I *could* replicate exactly what you're seeing. You're not crazy. ;)
> Antispoofing rules biting us in the ass here as well, though they
> shouldn't apply to a bridged setup.
> The line doing it is:
> block in log quick in lnc2 from !22.214.171.124/24 to any
> (126.96.36.199/24 is the subnet of the WAN interface, lnc2 is bridged DMZ interface)
> As a work around, add a (fake) static route on the DMZ interface to
> the networks behind the bridge that aren't within the WAN subnet. The
> route itself doesn't do anything since it's a bridge, but adding a
> route adds exemptions for those networks to the antispoofing rules.
> The reason it was working without an IP on the WAN is because then it
> didn't add the antispoofing rules the same way, if at all.
> Antispoofing rules shouldn't apply to a bridge though, since you won't
> add routes for bridged networks. I'll send Manuel some better info on
> this and hopefully get it resolved in some fashion other than adding
> superfluous static routes.
I just wanted to say "Thank You" for testing this. You're right, I was
indeed starting to think I might be crazy. And I definitely appreciate
the fact that you have found the problem where I could only guess (I
hadn't realized status.php existed until after I ran both of my test
cases. I've learned a lot about m0n0wall from this bridging experience!)
I hope we/Manuel can get the antispoofing rules turned off on bridged
interfaces for 1.2b4. I can't wait to put an IP on my bridged WAN for
management purposes. I think this change will make m0n0wall's bridge
support finally quite flexible and reliable (i.e. from a setup standpoint.
It's already quite reliable once you have a working config).
Finally, do you think there would be any value for expert m0n0wall
users in a webGUI knob to turn off anti-spoofing rules entirely? Now
that I know they exist, I realize that I've run into problems with
these anti-spoofing rules not just in bridge setups, but also in pure
routing setups. A "disable anti-spoofing rules" knob seems like a great
debugging tool to me. Running into strange invisible rules blocking
your traffic? Turn off anti-spoof rules!
What do you think?
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)