 From:  Alex Pimperton <alex at erus dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: M0n0wall drops packets it shouldn't
 Date:  Tue, 15 Mar 2005 16:05:48 +0000
Hi

I'm having problems with m0n0wall dropping packets I don't think it should.

I have three interfaces, an external (assigned by DHCP) and an internal 
(private address space), and a DMZ (not used currently), with the 
Internal LAN NATing out through the external interface.

Packets from a server on the LAN going to an external address seem to be 
dropped, despite me having a rule on the firewall>rules>LAN page that 
explicitly allows all traffic from the LAN subnet to any, and this is 
the only rule on the LAN page.

Sample bit of log:

15:59:58.483121 fxp1 @0:17 b 192.168.1.10,4535 -> 155.245.115.168,30452 PR tcp len 20 1500 -A IN
15:59:57.618427 fxp1 @0:17 b 192.168.1.10,4496 -> 155.245.127.72,2777 PR tcp len 20 1500 -A IN
15:59:57.609661 fxp1 @0:17 b 192.168.1.10,4521 -> 155.245.109.100,12917 PR tcp len 20 1500 -A IN
15:59:54.522518 2x fxp1 @0:17 b 192.168.1.10,4521 -> 155.245.109.100,12917 PR tcp len 20 1500 -A IN
15:59:54.381221 fxp1 @0:17 b 192.168.1.10,4521 -> 155.245.109.100,12917 PR tcp len 20 1500 -AP IN
15:59:54.218584 fxp1 @0:17 b 192.168.1.10,4535 -> 155.245.115.168,30452 PR tcp len 20 1500 -A IN


Result of ipfstat -nio:

@1 pass out quick on lo0 from any to any
@2 pass out quick on fxp1 proto udp from 192.168.1.1/32 port = 67 to any port = 68
@3 pass out quick on fxp0 proto udp from any port = 68 to any port = 67
@4 pass out quick on fxp1 from any to any keep state
@5 pass out quick on fxp0 from any to any keep state
@6 pass out quick on fxp2 from any to any keep state
@7 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on fxp1 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on fxp1 proto udp from any port = 68 to 192.168.1.1/32 port = 67
@6 block in log quick on fxp0 from 192.168.1.0/24 to any
@7 block in log quick on fxp0 from 192.168.2.0/24 to any
@8 block in log quick on fxp0 proto udp from any port = 67 to 192.168.1.0/24 port = 68
@9 pass in quick on fxp0 proto udp from any port = 67 to any port = 68
@10 block in log quick on fxp1 from !192.168.1.0/24 to any
@11 block in log quick on fxp2 from !192.168.2.0/24 to any
@12 block in log quick on fxp0 from 10.0.0.0/8 to any
@13 block in log quick on fxp0 from 127.0.0.0/8 to any
@14 block in log quick on fxp0 from 172.16.0.0/12 to any
@15 block in log quick on fxp0 from 192.168.0.0/16 to any
@16 skip 1 in proto tcp from any to any flags S/FSRA
@17 block in log quick proto tcp from any to any
@18 block in log quick on fxp1 from any to any head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.1/32 keep state group 100
@2 pass in quick from any to any keep state group 100
@19 block in log quick on fxp0 from any to any head 200
@1 block in quick proto tcp/udp from any port 134 >< 140 to any group 200
@2 block in quick from any to 155.245.127.255/32 group 200
@3 block in quick from any to 255.255.255.255/32 group 200
@4 pass in quick proto tcp from any to any keep state group 200
@5 pass in quick proto tcp from any to 192.168.1.10/32 port = 411 keep state group 200
@6 pass in quick proto tcp from any to 192.168.1.15/32 port = 22 keep state group 200
@7 pass in quick proto tcp from any to 192.168.1.10/32 port = 3389 keep state group 200
@8 pass in quick proto tcp/udp from any to 192.168.1.10/32 port = synoptics-trap keep state group 200
@9 pass in quick proto tcp/udp from any to 192.168.1.10/32 port = innosys keep state group 200
@10 pass in quick proto tcp from any to 192.168.1.20/32 port = 4111 keep state group 200
@20 block in log quick on fxp2 from any to any head 300
@21 block in log quick from any to any

I've read the FAQ pages about legitimate traffic being dropped, and 
troubleshooting firewall rules, and as far as I understand the packets 
are being dropped by the default deny rule, but surely the allow-all 
rule should take preference?

I also tried disabling the "block private networks" option on the LAN 
interface and this had no effect.

Can anybody spell it out for me please?

Regards

Alex
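As an added triage aid (not code from the post, from m0n0wall or from ipfilter), here is a small Python script that parses ipmon-style log lines like the ones above and maps each `@group:rule` reference back to the rule text from `ipfstat -nio`. It decodes the block/pass letter, the `Nx` repeat count and the TCP flags (`-A`, `-AP`), and keys the rule table on (direction, group, number), because `ipfstat -nio` restarts numbering for the out list, the in list and each `group N` block. The sample log and the abridged rule table are constructed from the post, with the mail client's line wrapping undone.

```python
"""Decode m0n0wall (ipfilter/ipmon) log lines and map each "@group:rule"
reference back to the rule text printed by `ipfstat -nio`."""
import re
from collections import Counter

# Sample input constructed from the post: the ipmon lines, unwrapped.
SAMPLE_LOG = """\
15:59:58.483121 fxp1 @0:17 b 192.168.1.10,4535 -> 155.245.115.168,30452 PR tcp len 20 1500 -A IN
15:59:57.618427 fxp1 @0:17 b 192.168.1.10,4496 -> 155.245.127.72,2777 PR tcp len 20 1500 -A IN
15:59:54.522518 2x fxp1 @0:17 b 192.168.1.10,4521 -> 155.245.109.100,12917 PR tcp len 20 1500 -A IN
15:59:54.381221 fxp1 @0:17 b 192.168.1.10,4521 -> 155.245.109.100,12917 PR tcp len 20 1500 -AP IN
"""

# Sample rule table constructed from the post's `ipfstat -nio` output,
# abridged to the rules relevant here. Rule numbers restart for the "out"
# list, the "in" list and every "group N" block, so a rule is only unique
# as (direction, group, number); group 0 is the top-level list.
SAMPLE_RULES = """\
@4 pass out quick on fxp1 from any to any keep state
@7 block out log quick from any to any
@16 skip 1 in proto tcp from any to any flags S/FSRA
@17 block in log quick proto tcp from any to any
@18 block in log quick on fxp1 from any to any head 100
@2 pass in quick from any to any keep state group 100
@21 block in log quick from any to any
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:(?P<repeat>\d+)x\s+)?(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpBP])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)$"
)
TCP_FLAGS = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}


def parse_rules(text):
    """Return {(direction, group, number): rule_text} from ipfstat -nio output."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^@(\d+)\s+(.*)$", line.strip())
        if not m:
            continue
        num, body = int(m.group(1)), m.group(2)
        tok = body.split()
        # "pass in ...", "block in log ...", "skip 1 in ..." all carry the
        # direction within the first three tokens.
        direction = "in" if "in" in tok[:3] else "out"
        group = int(tok[-1]) if len(tok) >= 2 and tok[-2] == "group" else 0
        table[(direction, group, num)] = body
    return table


def parse_log_line(line):
    """Split one ipmon line into its fields; raise on anything unrecognised."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ipmon line: %r" % line)
    d = m.groupdict()
    return {
        "time": d["ts"],
        "count": int(d["repeat"] or 1),   # "2x" = two identical packets
        "iface": d["iface"],
        "group": int(d["group"]),
        "rule": int(d["rule"]),
        "action": "block" if d["action"].lower() == "b" else "pass",
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
        "proto": d["proto"],
        "flags": [TCP_FLAGS.get(c, c) for c in (d["flags"] or "")],
        "direction": d["dir"].lower(),
    }


def explain(line, rules):
    """Parse a log line and attach the text of the rule that logged it."""
    rec = parse_log_line(line)
    key = (rec["direction"], rec["group"], rec["rule"])
    rec["rule_text"] = rules.get(key, "<rule not in table>")
    return rec


def summarize(log_text, rules_text):
    """Count blocked packets per rule (honouring 'Nx') and note whether any
    logged packet carried SYN, i.e. was a connection opener."""
    rules = parse_rules(rules_text)
    per_rule = Counter()
    any_syn = False
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = explain(line, rules)
        if rec["action"] == "block":
            per_rule[rec["rule_text"]] += rec["count"]
        any_syn = any_syn or "SYN" in rec["flags"]
    return {"blocked": dict(per_rule), "any_syn": any_syn}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, SAMPLE_RULES)
    for text, n in result["blocked"].items():
        print("%3d packet(s) blocked by: %s" % (n, text))
    print("any SYN among logged packets:", result["any_syn"])
```

Run on the post's data it attributes every logged drop to in-list rule @17 (`block in log quick proto tcp from any to any`, the rule directly after the `skip 1 ... flags S/FSRA` rule) rather than to any rule in the LAN group (group 100), and reports that none of the logged packets carries SYN. Reading the `@group:rule` reference this way is the first check to make when a log line seems to contradict the rule set.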