 From:  Alan Schmitz <alan at ankeny dot net>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with Bridging and NAT
 Date:  Fri, 19 Dec 2003 22:37:25 -0600
On Dec 19, 2003, at 3:28 PM, Manuel Kasper wrote:

> On 19.12.2003, at 04:09, Alan Schmitz wrote:
>
>> I did some additional testing between the LAN and the DMZ.  When I 
>> ping the server in the DMZ from a workstation on the LAN, I don't get 
>> any entries in the firewall log.  If I try to connect to port 80 on 
>> the DMZ server from the LAN workstation, I get the following errors 
>> in the firewall log:
>
> Try "ipfstat -nio" in /exec.php, and then you'll at least find out 
> what the rule that is blocking your packets (@0:12) looks like...

That rule looks like:

    @12 block in quick proto tcp from any to any

which seems awfully generic.  Without much of an understanding of how 
the rules are supposed to work together, I'd have to guess that the 
packets aren't supposed to get that far down the list of rules.

Until I learn more about how these rules work, I think I'll have to 
assume that the NAT isn't recognizing return traffic that comes through 
a bridged interface which isn't included in the NAT state.

-Alan
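A small correlator for the diagnostic Manuel suggests, written in Python as an added example (not part of this thread or of m0n0wall itself): it resolves the @group:rule references in firewall log entries against an `ipfstat -nio` listing, using each entry's IN/OUT flag because rule numbers restart for the out list. The ipmon log line format and the ipfstat output format are assumptions, and every sample line below is constructed.

```python
import re
from collections import Counter

# Constructed sample of m0n0wall's firewall log (ipmon line format is assumed):
#   time iface @group:rule action src,port -> dst,port PR proto ... IN|OUT
LOG_LINES = """\
22:35:01.000001 sis1 @0:12 b 192.168.1.50,3421 -> 192.168.2.10,80 PR tcp len 20 48 -S IN
22:35:02.000002 sis1 @0:12 b 192.168.1.50,3422 -> 192.168.2.10,80 PR tcp len 20 48 -S IN
22:35:05.000003 sis0 @0:2 p 192.168.1.50,3423 -> 10.1.1.1,53 PR udp len 20 60 IN
22:35:06.000004 sis1 @0:1 p 192.168.2.10,80 -> 192.168.1.50,3421 PR tcp len 20 40 -A OUT
""".splitlines()
# Constructed sample of "ipfstat -nio" output (format assumed): in rules, then out rules.
# -n numbers the rules, restarting for the out list, so a log reference such as @0:12
# has to be resolved together with the entry's IN/OUT flag.
IPFSTAT_NIO = """\
@1 pass in quick on lo0 all
@2 pass in quick on sis0 proto udp from any to any port = 53 keep state
@12 block in quick proto tcp from any to any
@1 pass out quick on sis1 all keep state
""".splitlines()

RULE_RE = re.compile(r"^@(\d+)\s+\w+\s+(in|out)\b")
LOG_RE = re.compile(
    r"(\S+)\s+@(\d+):(\d+)\s+([bp])\s+(\S+)\s+->\s+(\S+)\s+PR\s+(\w+).*\b(IN|OUT)\s*$")
def parse_ipfstat(lines):
    """Map (direction, rule number) -> rule text; all rules are assumed to be in group 0."""
    rules = {}
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m:
            rules[(m.group(2), int(m.group(1)))] = line.strip()
    return rules

def explain_log(log_lines, ipfstat_lines):
    """One record per packet log entry, carrying the text of the rule that decided it."""
    rules = parse_ipfstat(ipfstat_lines)
    records = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a packet entry (state/NAT messages are skipped)
        iface, group, num, action, src, dst, proto, direction = m.groups()
        rule = rules.get((direction.lower(), int(num)),
                         "(rule @%s:%s not found in ipfstat listing)" % (group, num))
        records.append({"iface": iface, "action": "block" if action == "b" else "pass",
                        "src": src, "dst": dst, "proto": proto, "rule": rule})
    return records

def blocked_by_rule(log_lines, ipfstat_lines):
    """Count blocked entries per deciding rule; the top entry is the rule to read first."""
    return Counter(r["rule"] for r in explain_log(log_lines, ipfstat_lines)
                   if r["action"] == "block")
```

Run against a real log and listing, the top of `blocked_by_rule` tells you which rule text to look at; a "not found" entry means the listing and the log came from different rule sets.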