 From:  "Stephan A. Rickauer" <stephan at rickauer dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  *Really* strange WAN pinhole behaviour
 Date:  Sun, 8 May 2005 00:50:12 +0200
Guys,

I am hoping to get some help here as I wasn't able to solve my problem myself, 
neither by spending half a day on it, nor by finding it on the web/lists etc. 
I have to admit this is the first time I am *not* using a Linux/iptables 
box ...

We have a fairly simple setup:


     SERVER ------- m0n0wall ------- CLIENT


where m0n0wall's interfaces belong to private networks; WAN=10.1.1.1, 
LAN=192.168.1.254. In the above sketch, m0n0's _right_ interface is LAN, and 
the _left_ interface is WAN. SERVER has 10.1.1.50, CLIENT is 192.168.1.1.

All I want to do is to have ssh access from the SERVER to the CLIENT (not the 
'usual' other way around, please don't ask me why :) ). Dumb approach: I added 
a rule for 'WAN' allowing ssh from SERVER to CLIENT. Doesn't work, so I 
thought maybe I need to specify the reverse 'channel' separately. So I added 
a LAN rule allowing the corresponding return connection from CLIENT to SERVER.

(btw: Is that the way to do it when not wanting NAT?)

And now there is a *really* strange behaviour: in the log I can see that all 
packets can pass the firewall successfully, but the ones sent from the client 
back to the server are blocked after ONE packet has already been transmitted 
back to the server successfully. As if the 'stateful' information had been 
lost in the middle of the connection.

I tried this with other protocols, such as port 80, and was able to reproduce it. 
The only thing I could get working was ICMP from server to client.

Any ideas are really appreciated and donated with bows and hugs :)

And yes, I turned off this one option saying "Block private networks"... tried 
with 1.11 - will try with the latest beta tomorrow.

Thanks,

Stephan
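The behaviour Stephan describes turns on how a stateful filter treats the two directions of one TCP connection. The following is an added illustration, not code from the post and not m0n0wall's ipfilter engine: a small Python model in which the state table is consulted before the rule set, the first matching rule wins, anything unmatched is dropped, and a stateful TCP rule only creates state on a bare SYN. Those semantics, the `Packet`/`Rule`/`StatefulFirewall` names, the port 40000 source port and the packet trace are all assumptions constructed for the example; only the addresses come from the post. It shows that a single `keep state` rule on WAN carries the replies without any LAN rule, what a stateless WAN-only pinhole does to the replies, and what the trace looks like when the state entry disappears mid-connection.

```python
"""Toy model of a stateful packet filter (illustrative assumption, not m0n0wall's
ipfilter code): state table first, first matching rule wins, default deny,
TCP state created only by a bare SYN."""
from dataclasses import dataclass
from typing import List, Optional

SERVER = "10.1.1.50"    # addresses from the post
CLIENT = "192.168.1.1"


@dataclass(frozen=True)
class Packet:
    iface: str          # firewall interface the packet ARRIVES on: "wan" or "lan"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""     # TCP flags, e.g. "S", "SA", "A", "PA"


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                  # "pass" or "block"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None
    keep_state: bool = False     # create a state entry on match (like "keep state")
    syn_only: bool = False       # match only a bare SYN (like "flags S/SA")

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.syn_only or p.flags == "S"))


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()   # 5-tuples of flows already allowed

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> bool:
        # 1. An established flow passes in BOTH directions without consulting rules.
        if self._flow(p) in self.state or self._reverse(p) in self.state:
            return True
        # 2. Otherwise the rules for the arrival interface decide; first match wins.
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(self._flow(p))
                return r.action == "pass"
        # 3. Nothing matched: default deny.
        return False


def ssh_from_server_to_client() -> List[Packet]:
    """Constructed trace: handshake plus one data exchange, SERVER -> CLIENT:22."""
    return [
        Packet("wan", SERVER, CLIENT, "tcp", 40000, 22, "S"),   # SYN arrives on WAN
        Packet("lan", CLIENT, SERVER, "tcp", 22, 40000, "SA"),  # SYN/ACK arrives on LAN
        Packet("wan", SERVER, CLIENT, "tcp", 40000, 22, "A"),
        Packet("lan", CLIENT, SERVER, "tcp", 22, 40000, "PA"),  # sshd banner
        Packet("wan", SERVER, CLIENT, "tcp", 40000, 22, "PA"),
    ]


# One stateful pinhole on WAN: the replies on LAN need no rule of their own.
WAN_STATEFUL = [Rule("wan", "pass", SERVER, CLIENT, "tcp", dport=22,
                     keep_state=True, syn_only=True)]
# The same pinhole without state.
WAN_STATELESS = [Rule("wan", "pass", SERVER, CLIENT, "tcp", dport=22)]
# Stateless pinhole plus an explicit LAN rule for the replies (source port 22).
BOTH_STATELESS = WAN_STATELESS + [Rule("lan", "pass", CLIENT, SERVER, "tcp", sport=22)]


def run(rules: List[Rule], trace: List[Packet],
        lose_state_after: Optional[int] = None) -> List[bool]:
    """Verdict per packet; optionally wipe the state table before packet index N
    to model a state entry vanishing mid-connection."""
    fw = StatefulFirewall(rules)
    verdicts = []
    for i, p in enumerate(trace):
        if lose_state_after is not None and i == lose_state_after:
            fw.state.clear()
        verdicts.append(fw.filter(p))
    return verdicts


if __name__ == "__main__":
    t = ssh_from_server_to_client()
    print("stateful WAN only      ", run(WAN_STATEFUL, t))
    print("stateless WAN only     ", run(WAN_STATELESS, t))
    print("stateless WAN + LAN    ", run(BOTH_STATELESS, t))
    print("stateful, state lost   ", run(WAN_STATEFUL, t, lose_state_after=1))
```

In this model the stateful WAN rule passes all five packets, the stateless WAN-only rule passes the three server-to-client packets and drops both replies on LAN, the stateless pair passes everything, and wiping the state table after the SYN drops every later packet: the replies because nothing on LAN matches them, and the server's own ACK and data because a SYN-only rule no longer matches them either. Whatever the real cause in the thread, this is the pattern to compare a log against: once the first reply has been dropped, check whether the state entry for the flow still exists rather than adding more rules.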