On 6/7/05, Nemanja Dubravac <pcmaniac at gmail dot com> wrote:
>
> Behind m0n0, on the LAN side is a web, pop3 and smtp server, with vnc
> control, so the ports 80, 110, 25 and 5900 are forwarded to that server
> (192.168.2.149)
> when i try to open the http://212.62.54.214 with the browser, sometimes
> it opens the website, and most of the time it doesn't (must refresh all
> the time)

From the LAN side or WAN side?

>
> *Firewall log*:

the majority of this is legit dropped traffic. Doesn't match an allow rule on the WAN side so it gets dropped.

>
> (I don't understand why there's difference between rl0 and WAN interface
> in the logs, when they should be the same)
>

No, ng0 is your real WAN interface, since you're using PPPoE. rl0 shouldn't see any traffic from the internet. Looks to me like you have Windows boxes plugged in outside your firewall, between the WAN and the DSL modem? Or else your provider does something weird that lets NetBIOS broadcasts come to you, and not through PPPoE.

> 20:13:14.872056 rl0 @0:14 b 169.254.248.33,137 -> 169.254.255.255,137 PR
> udp len 20 78 IN

All this 169.254.x.x and 10.x.x.x garbage is Windows NetBIOS broadcasts. That's all that is coming in rl0.

The only legit traffic I see getting dropped is by rule @200:1. What rule is that? See
http://m0n0.ch/wall/docbook/troubleshooting-firewall-rules.html

My first guess, since it's a relatively small number of drops, is this.
http://m0n0.ch/wall/docbook/faq-legit-traffic-dropped.html

And the refresh issue being unrelated.

-Chris
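
The log reading described in the reply above, as an added example that is not part of the original thread or of m0n0wall: it separates NetBIOS broadcast noise from drops on the PPPoE interface and counts drops per interface and rule. The field layout is inferred from the one log line quoted in the thread; the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Layout inferred from the quoted line:
# time iface @group:rule action src,port -> dst,port PR proto ...
LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+PR\s+(?P<proto>\S+)"
)
NETBIOS_UDP_PORTS = {"137", "138"}  # NetBIOS name and datagram services


def classify(line, wan_iface="ng0"):
    """Return (category, iface, rule) for one log line, or None if unparsed."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    if m["action"] != "b":
        category = "not-blocked"
    elif m["proto"] == "udp" and m["dport"] in NETBIOS_UDP_PORTS:
        category = "netbios-broadcast"  # the noise seen on rl0 in the thread
    elif m["iface"] == wan_iface:
        category = "wan-drop"           # worth mapping back to a firewall rule
    else:
        category = "other-drop"
    return category, m["iface"], m["rule"]


def summarize(lines, wan_iface="ng0"):
    """Count parsed lines per (category, iface, rule)."""
    results = (classify(line, wan_iface) for line in lines)
    return Counter(r for r in results if r is not None)


SAMPLE = [
    # Line quoted in the thread:
    "20:13:14.872056 rl0 @0:14 b 169.254.248.33,137 -> 169.254.255.255,137 PR udp len 20 78 IN",
    # Constructed lines (documentation address ranges, not real traffic):
    "20:13:15.100200 rl0 @0:14 b 10.0.3.21,138 -> 10.255.255.255,138 PR udp len 20 229 IN",
    "20:13:20.101010 ng0 @200:1 b 203.0.113.7,80 -> 198.51.100.5,3345 PR tcp len 20 40 -AF IN",
    "20:13:21.000001 ng0 @0:9 b 203.0.113.50,4242 -> 198.51.100.5,445 PR tcp len 20 48 -S IN",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```
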