Overview: problems with firewall rule marking and activation, and with DHCP
lease log timestamps.
Setup: m0n0wall 1.2b5 isolating an internal test lab (LAN interface)
from the main corporate network (WAN interface). Outbound NAT disabled,
WAN machines have static routes (obtained from corporate DHCP server)
for test lab network.
Problem: m0n0wall DHCP log timestamps
I'm in America/Montreal timezone (currently 14:34), yet
"Diagnostics->DHCP leases" shows "2005/02/24 19:31:29" (five
hours later) as the start time of the most recent lease. Looks
like it's displaying GMT...or maybe I'm on drugs.
I've confirmed the m0n0wall has the correct time by confirming
that "Status->System" shows correct time for "Last config
change:"
BTW, I've pointed the m0n0wall at an NTP server that gives
correct time to 600+ machines.
Problem: FW rules bug(s)
Background: I don't want IGMP (multicast management) messages
from the WAN (corporate network) cluttering my firewall logs, so
I've created a rule to block such packets, without logging
them. While testing for correct reject/block functionality, I
ran across two possible bugs:
1) IGMP packets still cause log entries, regardless of
the block/reject rule
2) In the rules display, the "X" icon is red, denoting
"block", even when I've set the rule to "reject".
Note that other rules which block UDP broadcasts
correctly show the "X" icon in orange when I change
them to "reject".
BTW, I've used the status.php page to double-check the IGMP rule
in the "unparsed ipfilter rules" section, and it seems the entry
is incorrect for the "reject" setting:
block in quick proto igmp from any to any group 200
when what I expect is:
block return-icmp in quick proto igmp from any to any group 200
I'm not familiar enough with IGMP to be sure that "reject" is
meaningful. Even if it isn't, the current behaviour is
confusing...
Claude
--
Team Leader, Network Security & Telecommunications, Information Services
Cedara Software Corp. (905) 672-2100 x2339
Mississauga, Ontario, Canada (800) 725-5970
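As an added illustration, not part of the original post or of m0n0wall itself, here is a small Python check that parses rule lines of the form m0n0wall prints under "unparsed ipfilter rules" and compares each rule's effective action with the action the administrator intended, so a "reject" rule that was emitted as a plain "block" (as with the IGMP rule above) is flagged. ipfilter has only two reject forms, return-rst (TCP only) and return-icmp, so for IGMP a return-icmp variant is the only reject that can exist. The sample rule text and the intended-action table are constructed for the example; only the IGMP line is taken from the post.

```python
import re

# Constructed sample of ipfilter output. Line 1 is the IGMP rule quoted in
# the post; the other three are invented for comparison.
SAMPLE_RULES = """\
block in quick proto igmp from any to any group 200
block return-rst in quick proto tcp from any to 192.168.1.10/32 port = 22 group 200
block return-icmp(port-unr) in quick proto udp from any to any port = 137 group 200
pass in quick proto tcp from 192.168.1.0/24 to any keep state group 200
"""

# Constructed: what the administrator set in the web GUI, keyed by
# (protocol, source, destination).
INTENDED = {
    ("igmp", "any", "any"): "reject",
    ("tcp", "any", "192.168.1.10/32"): "reject",
    ("udp", "any", "any"): "reject",
    ("tcp", "192.168.1.0/24", "any"): "pass",
}

RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?P<ret>return-rst|return-icmp(?:\([^)]*\))?))?"
    r"\s+(?P<dir>in|out)\s+(?:quick\s+)?"
    r"proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?P<rest>.*)$"
)


def parse_rule(line):
    """Parse one ipfilter rule and derive the action ipfilter will apply."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised rule: %r" % line)
    rule = m.groupdict()
    if rule["action"] == "pass":
        rule["effective"] = "pass"
    elif rule["ret"]:            # block + return-rst / return-icmp == reject
        rule["effective"] = "reject"
    else:                        # block with no return clause == silent drop
        rule["effective"] = "block"
    return rule


def audit(rules_text, intended):
    """Return (rule line, intended action, effective action) for mismatches."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        want = intended.get((rule["proto"], rule["src"], rule["dst"]))
        if want is not None and want != rule["effective"]:
            findings.append((line.strip(), want, rule["effective"]))
    return findings
```

Running audit(SAMPLE_RULES, INTENDED) reports only the IGMP line, intended "reject" but effective "block".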