I have a static route on m0n0wall (192.168.2.254):
LAN 10.2.2.0/16 192.168.2.253
Is it not enough?
Packets are dropped because they have no start. And really: start packets go
directly from the 192.168.3.253 router to any computer in the LAN
(192.168.2.0/16), and then reply packets go through another router
(m0n0wall, 192.168.2.253), which drops them because they have no start.
So packets are first analyzed, and only then routed to another router.
Anastasija.
----- Original Message -----
From: "Chris Buechler" <cbuechler at gmail dot com>
To: "Anastasija Bosiha" <anastasija dot bosiha at gmail dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, May 24, 2005 5:48 AM
Subject: Re: [m0n0wall] default firewall rule
On 5/23/05, Anastasija Bosiha <anastasija dot bosiha at gmail dot com> wrote:
> Hello to All!
>
> I have been using m0n0wall for about a month, and I have had the following problem. Our LAN
> (192.168.2.0/24) has two gateways/routers:
> - one for Internet (192.168.2.253)
> - second (192.168.254) for tunneling to another office. Second office has
> LAN: 10.2.2.0/16.
>
> I------------------I ---- 192.168.2.254 (m0n0wall)
> I (192.168.2.0/24) I I -------------I
> I------------------I ---- 192.168.2.253 -----------I 10.2.2.0/24 I
> I -------------I
> All computers from network 192.168.2.0/24 have as default router
> 192.168.2.254.
> 192.168.2.254 has static route for 10.2.2.0/24 network to 192.168.2.253
> router.
>
> So problems are following:
> 1. Computers from the 10.2.2.0/16 network cannot access 192.168.2.0/24
> network resources. For example, computer 10.2.2.5 tries to connect to
> computer 192.168.2.6. When the 192.168.2.6 computer receives a packet from 10.2.2.5,
> it sends the reply through 192.168.2.254, and m0n0wall blocks this packet
> because of default firewall rule 19:
>
> @18 skip 1 in proto tcp from any to any flags S/FSRA
> @19 block in log quick proto tcp from any to any
>
> How can I modify the default firewall ruleset or make network 10.2.2.0/16 a
> trusted network, so that packets from this network will never be blocked?
>
Looks like you're getting hit by the antispoofing rule because you're
missing a static route on m0n0wall to that network. Add the static
route and it won't hit that rule anymore.
-Chris