 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] rule 17 blocking my tcp traffic
 Date:  Sun, 13 Feb 2005 17:43:10 -0800 (PST)

On Thu, 10 Feb 2005, Luke Simpson wrote:

> I set up an IPsec tunnel between two locations; the subnets are 10.0.0.0 and
> 10.1.0.0.  The tunnel seems to be working fine. I can ping between the two
> locations.  All my tcp traffic is being blocked by rule #17
> 
> 00:41:39.268682 sis1 @0:17 b 10.1.0.99,1120 -> 10.0.0.3,445 PR tcp len 20 177 -AP IN
> 
> I can't access file shares or use my citrix software.
> I have tried every rule I can think of to let this traffic pass but rule 17
> always blocks all of it. Any help would be appreciated.

Connections *from* an IPsec tunnel can't be blocked at all.  Traffic *to*
an IPsec tunnel can be filtered as usual.  "Rule 17" isn't a constant, but
most likely it's where the default TCP block rule landed.

It occurs to me that there might be a problem with incoming connections
via IPsec tunnels.  Since such packets aren't filtered on the tunnel side,
and since the outgoing pass rule on the outgoing interface doesn't specify
"keep state", IPFilter doesn't get to establish the filter state on the
basis of the initial SYN packet.  It theoretically has code to recover
from "coming in in the middle" cases, but perhaps that doesn't always work
right.

					Fred Wright
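The state-tracking problem Fred describes above, as an added illustration that is not part of the thread and not IPFilter or m0n0wall code: a toy packet filter that consults a state table before its rule list, the way IPFilter does, run over two packets modelled on the logged connection (10.1.0.99:1120 -> 10.0.0.3:445 on sis1). The logged packet carries -AP (ACK+PUSH), i.e. it is a mid-connection segment, not the SYN. The model is simplified to a single interface; rule 1 (a pass rule matching only SYNs) and the catch-all block rule 17 are assumptions standing in for whatever ruleset m0n0wall actually generates.

```python
# Added illustration (not IPFilter, m0n0wall, or the poster's code): a toy
# stateful packet filter showing why a pass rule without "keep state" lets
# the SYN through yet leaves later segments of the same connection to fall
# onto a catch-all block rule.  Addresses and ports come from the log line in
# the thread; the ruleset (rules 1 and 17) is an assumption.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str   # "in" or "out" relative to the interface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags written as in the ipf log: "S", "AP", ...


@dataclass
class Rule:
    number: int
    action: str                   # "pass" or "block"
    direction: str
    iface: str
    proto: Optional[str] = None   # None matches any protocol
    flags: Optional[str] = None   # exact flag set required; None matches any
    keep_state: bool = False      # IPFilter's "keep state" option

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.iface == self.iface
                and (self.proto is None or p.proto == self.proto)
                and (self.flags is None or p.flags == self.flags))


def flow_key(p: Packet) -> tuple:
    """Direction-independent connection key so both directions of a flow
    hit the same state entry."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


@dataclass
class Filter:
    rules: List[Rule]
    state: Set[tuple] = field(default_factory=set)

    def process(self, p: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule_number); rule_number is None for a state-table hit."""
        key = flow_key(p)
        # As in IPFilter, the state table is consulted before the rule list.
        if key in self.state:
            return ("pass", None)
        # First match wins (every rule is treated as a "quick" rule here).
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(key)   # only a keep-state pass creates state
                return (r.action, r.number)
        return ("pass", None)   # nothing matched: IPFilter's default is pass


def run_scenario(keep_state: bool) -> List[Tuple[str, Optional[int]]]:
    """Run the SYN and a following ACK+PUSH segment of the logged connection
    through the assumed ruleset, with or without keep state on rule 1."""
    rules = [
        Rule(1, "pass", "in", "sis1", proto="tcp", flags="S", keep_state=keep_state),
        Rule(17, "block", "in", "sis1", proto="tcp"),   # catch-all TCP block
    ]
    fw = Filter(rules)
    syn = Packet("sis1", "in", "tcp", "10.1.0.99", 1120, "10.0.0.3", 445, "S")
    data = Packet("sis1", "in", "tcp", "10.1.0.99", 1120, "10.0.0.3", 445, "AP")
    return [fw.process(syn), fw.process(data)]


if __name__ == "__main__":
    print("without keep state:", run_scenario(False))  # SYN passes, AP hits rule 17
    print("with keep state:   ", run_scenario(True))   # SYN creates state, AP passes
```

Without keep state the SYN is accepted by rule 1 but no state entry is created, so the ACK+PUSH segment is evaluated against the rule list on its own and lands on the catch-all block, which is the pattern in the logged line. With keep state the SYN populates the state table and every later segment of the flow is passed by the state lookup before the rules are even consulted.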