 From:  Alan Schmitz <alan at ankeny dot net>
 To:  bmah at acm dot org
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with Bridging and NAT
 Date:  Thu, 18 Dec 2003 21:09:45 -0600
On Dec 18, 2003, at 12:38 PM, Bruce A. Mah wrote:

> If memory serves me right, Alan Schmitz wrote:
>> On Thu, 18 Dec 2003, Bruce A. Mah wrote:
>>
>>> I think that further diagnosis might require seeing the IPFilter
>>> rulesets installed on your m0n0wall box.  Is it possible for you to get
>>> this output and post some sanitized version of them?
>>
>> I'll post a cleaned-up version of my rules, when I'm back on the LAN side
>> of the firewall tonight.  I'm also going to run a tcpdump from the server
>> in the DMZ.
>
> OK, that'll be helpful information.

I ran tcpdump on the server in the DMZ, and it looks like the bridge is 
working correctly.  Pings get to the server, and it sends responses 
back to the firewall.

I pasted the rules from the output of the status.php page below.  sis0 
is the LAN, sis1 is the WAN, and sis2 is the DMZ.  .25 is the 
firewall's IP address on the WAN, and .29 is the address of the server 
in the DMZ.

pass out quick on lo0 from any to any
pass out quick on sis0 proto udp from 192.168.1.1/32 port = 67 to any port = 68
pass out quick on sis1 proto udp from any port = 68 to any port = 67
block out quick on sis0 from any to any head 150
pass out quick proto udp from 192.168.1.1/32 to 192.168.1.0/24 port = 53 keep state group 150
pass out quick proto udp from 192.168.1.1/32 to 192.168.1.0/24 port = 514 keep state group 150
pass out quick proto icmp from 192.168.1.1/32 to 192.168.1.0/24 keep state group 150
block out quick on sis1 from any to any head 250
pass out quick proto tcp from any to any keep state group 250
pass out quick proto udp from any to any keep state group 250
pass out quick proto icmp from any to any keep state group 250
block out quick on sis2 from any to any head 350
pass out quick proto udp from aaa.bbb.ccc.25/32 to aaa.bbb.ccc.24/29 port = 53 keep state group 350
pass out quick proto udp from aaa.bbb.ccc.25/32 to aaa.bbb.ccc.24/29 port = 514 keep state group 350
pass out quick proto icmp from aaa.bbb.ccc.25/32 to aaa.bbb.ccc.24/29 keep state group 350
block out quick from any to any
pass in quick on lo0 from any to any
block in quick from any to any with short
block in quick from any to any with ipopt
pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
pass in quick on sis0 proto udp from any port = 68 to 192.168.1.1/32 port = 67
block in log quick on sis1 from 192.168.1.0/24 to any
block in log quick on sis1 proto udp from any port = 67 to 192.168.1.0/24 port = 68
pass in quick on sis1 proto udp from any port = 67 to any port = 68
block in quick on sis0 from !192.168.1.0/24 to any
block in quick on sis2 from !aaa.bbb.ccc.24/29 to any
skip 1 in proto tcp from any to any flags S/FSRA
block in quick proto tcp from any to any
block in quick on sis0 from any to any head 100
pass in quick from 192.168.1.0/24 to 192.168.1.1/32 keep state group 100
pass in quick from 192.168.1.0/24 to any keep state group 100
block in log quick on sis1 from any to any head 200
pass in quick proto gre from any to 127.0.0.1/32 keep state group 200
pass in quick proto tcp from any to 127.0.0.1/32 port = 1723 keep state group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 22 keep state keep frags group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 25 keep state keep frags group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 80 keep state keep frags group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 443 keep state keep frags group 200
block in quick on sis2 from any to any head 300
pass in quick proto udp from aaa.bbb.ccc.29/32 to 192.168.1.100/32 port 849 >< 855 keep state keep frags group 300
pass in quick from any to any keep state keep frags group 300
block in quick from any to any

I did some additional testing between the LAN and the DMZ.  When I ping 
the server in the DMZ from a workstation on the LAN, I don't get any 
entries in the firewall log.  If I try to connect to port 80 on the DMZ 
server from the LAN workstation, I get the following errors in the 
firewall log:

19:40:05.789513 sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN
19:39:17.337786 sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN
19:38:52.967931 sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN
19:38:40.038532 2x sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN
19:38:34.029709 2x sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN
19:38:31.075338 sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN

I thought I wrote a really open-ended rule that allowed all traffic 
coming in the DMZ port to go anywhere, so I'm not sure what's blocking 
it.

Let me know if you've got any ideas.

Thanks,
Alan
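The log entries above name the blocking rule only by its position (`@0:12`), which is hard to read against a long ruleset by eye. The following script is an added example, not code from the post or from m0n0wall: it parses the inbound half of the ruleset pasted above and the ipmon log lines, and resolves each `@group:rule` reference to the rule text so the reader can see which rule a blocked packet actually hit. It assumes ipmon's conventions as I understand them: `@G:N` is the Nth rule (1-based) of group G, rules are numbered separately per direction and per group, a `head G` rule itself stays in its parent group, and the trailing `-AS` field lists TCP flag letters (A=ACK, S=SYN, and so on). The ruleset and log lines are copied from the message; everything else is the example's own.

```python
import re
from collections import defaultdict

# Inbound half of the IPFilter ruleset pasted in the message above (copied from
# the page). The outbound rules are left out because ipmon numbers "in" and
# "out" rules independently, so they do not change inbound rule numbers.
RULESET_IN = """\
pass in quick on lo0 from any to any
block in quick from any to any with short
block in quick from any to any with ipopt
pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
pass in quick on sis0 proto udp from any port = 68 to 192.168.1.1/32 port = 67
block in log quick on sis1 from 192.168.1.0/24 to any
block in log quick on sis1 proto udp from any port = 67 to 192.168.1.0/24 port = 68
pass in quick on sis1 proto udp from any port = 67 to any port = 68
block in quick on sis0 from !192.168.1.0/24 to any
block in quick on sis2 from !aaa.bbb.ccc.24/29 to any
skip 1 in proto tcp from any to any flags S/FSRA
block in quick proto tcp from any to any
block in quick on sis0 from any to any head 100
pass in quick from 192.168.1.0/24 to 192.168.1.1/32 keep state group 100
pass in quick from 192.168.1.0/24 to any keep state group 100
block in log quick on sis1 from any to any head 200
pass in quick proto gre from any to 127.0.0.1/32 keep state group 200
pass in quick proto tcp from any to 127.0.0.1/32 port = 1723 keep state group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 22 keep state keep frags group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 25 keep state keep frags group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 80 keep state keep frags group 200
pass in quick proto tcp from any to aaa.bbb.ccc.29/32 port = 443 keep state keep frags group 200
block in quick on sis2 from any to any head 300
pass in quick proto udp from aaa.bbb.ccc.29/32 to 192.168.1.100/32 port 849 >< 855 keep state keep frags group 300
pass in quick from any to any keep state keep frags group 300
block in quick from any to any
"""

# Two of the ipmon log lines from the message (copied from the page).
LOG_LINES = [
    "19:40:05.789513 sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN",
    "19:38:40.038532 2x sis2 @0:12 B aaa.bbb.ccc.29,80 -> aaa.bbb.ccc.25,8628 PR tcp len 20 48 -AS IN",
]

# Assumption: ipmon's "@G:N" is rule N (1-based) of group G, counted per
# direction and per group; a "head G" rule belongs to its parent group
# (group 0 when it carries no "group" clause of its own).
def parse_ruleset(text):
    groups = defaultdict(list)
    for line in text.splitlines():
        rule = line.strip()
        if not rule:
            continue
        direction = re.search(r"\b(in|out)\b", rule).group(1)
        m = re.search(r"\bgroup (\d+)\b", rule)
        groups[(direction, int(m.group(1)) if m else 0)].append(rule)
    return groups

# ipmon line: time [Nx] iface @G:N B|P src,sport -> dst,dport PR proto len H L [-FLAGS] IN|OUT
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:(?P<count>\d+)x\s+)?(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[BP])\s+(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+\d+\s+\d+(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)$"
)
TCP_FLAGS = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG"}

def parse_log_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised ipmon line: " + line)
    e = m.groupdict()
    e["count"] = int(e["count"] or 1)  # "2x" = identical entries collapsed by ipmon
    e["group"], e["rule"] = int(e["group"]), int(e["rule"])
    e["tcp_flags"] = [TCP_FLAGS.get(c, c) for c in (e["flags"] or "")]
    return e

def resolve_rule(entry, groups):
    """Rule text for the entry's @group:rule, or None if the ruleset has no such rule."""
    rules = groups.get((entry["dir"].lower(), entry["group"]), [])
    n = entry["rule"]
    return rules[n - 1] if 1 <= n <= len(rules) else None

def explain(line, groups):
    e = parse_log_line(line)
    verdict = "blocked" if e["action"] == "B" else "passed"
    return (f"{e['count']}x {e['ifname']} {e['dir']} {e['proto']} {e['src']}:{e['sport']} -> "
            f"{e['dst']}:{e['dport']} [{'+'.join(e['tcp_flags']) or '-'}] {verdict} by "
            f"@{e['group']}:{e['rule']} = {resolve_rule(e, groups)}")

if __name__ == "__main__":
    groups = parse_ruleset(RULESET_IN)
    for line in LOG_LINES:
        print(explain(line, groups))
```

Run against the pasted ruleset, `@0:12` resolves to the twelfth inbound group-0 rule, `block in quick proto tcp from any to any`, and the `-AS` field decodes as ACK+SYN; the `skip 1` rule just before it only steps over that block for packets whose flags match `S/FSRA`. Resolving rule numbers this way is worth doing whenever an ipmon entry is surprising, because the position counts head rules in their parent group and is easy to miscount by hand.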