 
 From:  Seth Rothenberg <seth at pachai dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  port 80 blocked
 Date:  Tue, 12 Jul 2005 18:18:57 -0400 (EDT)
I wonder if another pair of eyes could look at my config.
I have a m0n0wall set up with a hostap wireless interface.
This has worked before; I possibly haven't used it
since migrating from 1.2b3 to 1.2b8.


I connect instantly (via an Engenius 802.11b client bridge);
I can ping m0n0, my web server (on the LAN) and google.com,
but browsing to anything gets me a message about the connection being rejected.
I saw the ICMP packets in the firewall log,
but no rejected packets.
(Reading the OPT1 rules below: only "WLAN -> any" and the final "block all
remaining and log" have <log/> set, and "WLAN -> any" is listed above the reject
with source = OPT1 network, destination = any and no protocol restriction. With
m0n0wall's top-down, first-match evaluation, the logged ICMP is that rule firing,
the HTTP SYNs should show up as passes from the same rule, and the reject rule can
never fire for OPT1-sourced traffic - which is why no reject entries appear. The
same catch-all also sits above "allow WLAN to anywhere but LAN", so that LAN
exclusion never takes effect on the open (no WEP key configured) OPT1 network.
One thing worth checking is the inbound NAT rule on opt1 that redirects TCP port
80 to 10.248.126.181: if it is matching more than traffic addressed to
10.248.127.1, all WLAN browsing would be diverted to that LAN host.)

The config is below; I deleted passwords and keys
and the whole captive portal HTML.
[Note: the dump still contains several secrets in plaintext - the DynDNS
password, the PPTP user passwords, the IPsec pre-shared key (the same value on
both tunnels) and the SNMP read-only community "public" - so all of these should
be treated as disclosed and changed.]
(The captive portal is disabled: its <captiveportal> block below is empty, with no <enable/>.)

Thanks
Seth


	<m0n0wall>
<version>1.4</version>
-
	<system>
<hostname>126</hostname>
<domain>pachai.org</domain>
<dnsallowoverride/>
<username>admin</username>
<password/>
<timezone>EST5EDT</timezone>
<time-update-interval>300</time-update-interval>
<timeservers>pool.ntp.org</timeservers>
-
	<webgui>
<protocol>https</protocol>
<port/>
<certificate/>
<private-key>=</private-key>
<expanddiags/>
</webgui>
<dnsserver>216.220.96.17</dnsserver>
<dnsserver>216.220.96.18</dnsserver>
</system>
-
	<interfaces>
-
	<lan>
<if>sis0</if>
<ipaddr>10.248.126.1</ipaddr>
<subnet>8</subnet>
</lan>
-
	<wan>
<if>sis1</if>
<mtu/>
<blockpriv/>
<spoofmac/>
<ipaddr>dhcp</ipaddr>
<dhcphostname/>
</wan>
-
	<opt1>
<if>wi0</if>
-
	<wireless>
<mode>hostap</mode>
<ssid>126.pachai.net</ssid>
<stationname>126.pachai.net</stationname>
<channel>1</channel>
<wep/>
</wireless>
<descr>WLAN</descr>
<ipaddr>10.248.127.1</ipaddr>
<subnet>24</subnet>
<bridge/>
<enable/>
</opt1>
-
	<opt2>
<descr>OPT2</descr>
<if>wi1</if>
-
	<wireless>
<mode>hostap</mode>
<ssid>126b.pachai.net</ssid>
<stationname/>
<channel>6</channel>
<wep/>
</wireless>
<ipaddr>10.248.19.126</ipaddr>
<subnet>24</subnet>
<bridge/>
<enable/>
</opt2>
</interfaces>
<staticroutes/>
<pppoe/>
<pptp/>
<bigpond/>
-
	<dyndns>
<type>dyndns</type>
<username>pachai.org</username>
<password>821A17C5-F42E-4FD3-B33A-2268D940B9C8</password>
<host>wm</host>
<mx/>
<enable/>
</dyndns>
-
	<dhcpd>
-
	<lan>
-
	<range>
<from>10.248.126.100</from>
<to>10.248.126.150</to>
</range>
<defaultleasetime>600</defaultleasetime>
<maxleasetime>7200</maxleasetime>
</lan>
-
	<opt1>
-
	<range>
<from>10.248.127.100</from>
<to>10.248.127.199</to>
</range>
<defaultleasetime>1000</defaultleasetime>
<maxleasetime/>
<enable/>
</opt1>
-
	<opt2>
-
	<range>
<from>10.248.19.210</from>
<to>10.248.19.240</to>
</range>
<defaultleasetime>600</defaultleasetime>
<maxleasetime>7200</maxleasetime>
<enable/>
</opt2>
</dhcpd>
-
	<pptpd>
<mode>server</mode>
<redir/>
<localip>216.220.103.181</localip>
<remoteip>10.248.126.80</remoteip>
-
	<radius>
<server/>
<secret/>
</radius>
-
	<user>
<name>pachai</name>
<ip/>
<password>tariag613</password>
</user>
-
	<user>
<name>rcantorj1</name>
<ip/>
<password>riccardo</password>
</user>
-
	<user>
<name>test</name>
<ip/>
<password>test613</password>
</user>
-
	<user>
<name>pachai180</name>
<ip>216.220.103.180</ip>
<password>tariag613</password>
</user>
</pptpd>
-
	<dnsmasq>
<enable/>
</dnsmasq>
-
	<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
-
	<diag>
-
	<ipv6nat>
<ipaddr/>
</ipv6nat>
</diag>
<bridge/>
-
	<syslog>
<nentries>300</nentries>
<remoteserver>10.248.126.199</remoteserver>
<filter/>
<dhcp/>
<system/>
<enable/>
<reverse/>
</syslog>
-
	<nat>
-
	<rule>
<protocol>tcp</protocol>
<external-port>22</external-port>
<target>10.248.126.181</target>
<local-port>22</local-port>
<interface>wan</interface>
<descr>ssh -> eix</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>22</external-port>
<target>10.248.126.181</target>
<local-port>22</local-port>
<interface>opt1</interface>
<descr>WLAN SSH->eix</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>80</external-port>
<target>10.248.126.181</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr>http ->  eix</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>80</external-port>
<target>10.248.126.181</target>
<local-port>80</local-port>
<interface>opt1</interface>
<descr>WLAN HTTP->eix</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>81</external-port>
<target>10.248.126.199</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr>81->walix</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>2022</external-port>
<target>10.248.126.181</target>
<local-port>22</local-port>
<interface>wan</interface>
<descr>ssh->eix</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>2080</external-port>
<target>10.248.126.199</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr>2080->walix web</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>5800</external-port>
<target>10.248.126.126</target>
<local-port>5800</local-port>
<interface>wan</interface>
<descr>VNC</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>5900</external-port>
<target>10.248.126.126</target>
<local-port>5900</local-port>
<interface>wan</interface>
<descr>VNC</descr>
</rule>
-
	<rule>
<protocol>tcp/udp</protocol>
<external-port>22</external-port>
<target>10.248.126.199</target>
<local-port>22</local-port>
<interface>opt2</interface>
<descr>forward ssh</descr>
</rule>
-
	<rule>
<protocol>tcp/udp</protocol>
<external-port>80</external-port>
<target>10.248.126.199</target>
<local-port>80</local-port>
<interface>opt2</interface>
<descr>forward http</descr>
</rule>
-
	<rule>
<protocol>tcp</protocol>
<external-port>8888</external-port>
<target>10.248.126.199</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr>8888->walix</descr>
</rule>
</nat>
-
	<filter>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>67.84.210.82</address>
<port>443</port>
</destination>
<descr>WAN-> me</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>67.84.210.82</address>
<port>22</port>
</destination>
<descr>WAN-> me</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>67.84.210.82</address>
<port>2022</port>
</destination>
<descr>WAN-> me</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.181</address>
<port>80</port>
</destination>
<descr>WAN NAT-> eix </descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.181</address>
<port>22</port>
</destination>
<descr>WAN NAT-> eix</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>esp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<any/>
</destination>
<descr>IPSEC TUNNEL</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>icmp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>67.84.210.82</address>
</destination>
<descr>Respond to pings - diagnostic only</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>wan</interface>
<protocol>udp</protocol>
-
	<source>
<any/>
<port>33434-33523</port>
</source>
-
	<destination>
<any/>
<port>33434-33523</port>
</destination>
<descr>Allow WAN to traceroute anywhere</descr>
</rule>
-
	<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.2</address>
<port>443</port>
</destination>
<descr>NAT https from wan, other port#</descr>
</rule>
-
	<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.199</address>
<port>80</port>
</destination>
<descr>NAT 2080->walix web</descr>
</rule>
-
	<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.181</address>
<port>22</port>
</destination>
<descr>NAT ssh->eix</descr>
</rule>
-
	<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.199</address>
<port>80</port>
</destination>
<descr>NAT 81->walix</descr>
</rule>
-
	<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.126</address>
<port>5900</port>
</destination>
<descr>NAT VNC</descr>
</rule>
-
	<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.126</address>
<port>5800</port>
</destination>
<descr>NAT VNC</descr>
</rule>
-
	<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.199</address>
<port>80</port>
</destination>
<descr>NAT 8888->walix</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>pptp</interface>
<protocol>icmp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<any/>
</destination>
<descr>Allow pings from PPTP</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>pptp</interface>
-
	<source>
<any/>
</source>
-
	<destination>
<any/>
</destination>
<descr>Allow PPTP to go anywhere</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>pptp</interface>
<protocol>udp</protocol>
-
	<source>
<any/>
<port>33434-33523</port>
</source>
-
	<destination>
<any/>
<port>33434-33523</port>
</destination>
<descr>Allow PPTP to traceroute anywhere</descr>
</rule>
-
	<rule>
<type>block</type>
<interface>opt2</interface>
<protocol>tcp</protocol>
-
	<source>
<network>opt2</network>
<port>25</port>
</source>
-
	<destination>
<any/>
<port>25</port>
</destination>
<descr>Block SMTP from OPT2 WLAN (NOTE: as written the rule also requires source port 25, so client SMTP from ephemeral source ports will not match - remove the source port)</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt2</interface>
<protocol>icmp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.19.126</address>
</destination>
<descr>Allow pings</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt2</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.19.126</address>
<port>443</port>
</destination>
<descr>opt2  https</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt2</interface>
<protocol>tcp/udp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.199</address>
<port>22</port>
</destination>
<descr>Allow SSH (tcp/udp 22) from OPT2 to 10.248.126.199</descr>
</rule>
-
	<rule>
<interface>opt2</interface>
<protocol>tcp/udp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.199</address>
<port>80</port>
</destination>
<descr>NAT forward http</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
<protocol>udp</protocol>
-
	<source>
<any/>
<port>33434-33523</port>
</source>
-
	<destination>
<any/>
<port>33434-33523</port>
</destination>
<descr>Allow OPT1 to traceroute anywhere</descr>
</rule>
-
	<rule>
<type>block</type>
<interface>opt1</interface>
<protocol>tcp</protocol>
-
	<source>
<network>opt1</network>
<port>25</port>
</source>
-
	<destination>
<any/>
<port>25</port>
</destination>
<descr>Block SMTP from OPT1 WLAN (disabled; NOTE: as written the rule also requires source port 25, so client SMTP from ephemeral source ports will not match - remove the source port before re-enabling)</descr>
<disabled/>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
-
	<source>
<network>opt1</network>
</source>
-
	<destination>
<any/>
</destination>
<log/>
<descr>WLAN -> any</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
<protocol>tcp</protocol>
-
	<source>
<network>opt1</network>
</source>
-
	<destination>
<address>216.239.39.99</address>
<port>80</port>
</destination>
<log/>
<descr>WLAN -> google</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
-
	<source>
<network>opt1</network>
</source>
-
	<destination>
<address>10.248.126.199</address>
</destination>
<descr>allow WLAN to my server</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
-
	<source>
<network>opt1</network>
</source>
-
	<destination>
<address>10.248.126.0/24</address>
<not/>
</destination>
<descr>allow WLAN to anywhere but LAN (ineffective: the earlier "WLAN -> any" rule already passes OPT1 traffic to the LAN)</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
<protocol>icmp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.127.1</address>
</destination>
<descr>OPT1 allow ping</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
<protocol>icmp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.0.0/16</address>
</destination>
<descr>OPT1 allow ping</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
-
	<source>
<any/>
</source>
-
	<destination>
<address>67.84.210.82</address>
</destination>
<descr>OPT1 allow anything to WAN</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
-
	<source>
<any/>
</source>
-
	<destination>
<address>64.81.200.131</address>
</destination>
<descr>OPT1 allow anything to Gutmann</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.127.1</address>
<port>443</port>
</destination>
<descr>OPT1 allow https in</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>opt1</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.127.1</address>
</destination>
<descr>OPT1 allow any TCP to 10.248.127.1 (the firewall's OPT1 address) - later, restrict to just PPTP</descr>
</rule>
-
	<rule>
<interface>opt1</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.181</address>
<port>22</port>
</destination>
<descr>NAT WLAN SSH->eix</descr>
</rule>
-
	<rule>
<type>reject</type>
<interface>opt1</interface>
<protocol>tcp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<any/>
</destination>
<log/>
<descr>reject all remaining TCP and log (never reached for OPT1-sourced traffic while the earlier "WLAN -> any" pass rule is above it)</descr>
</rule>
-
	<rule>
<type>pass</type>
<interface>lan</interface>
<protocol>icmp</protocol>
-
	<source>
<any/>
</source>
-
	<destination>
<address>10.248.126.2</address>
</destination>
<descr>LAN allow ping</descr>
</rule>
-
	<rule>
<type>pass</type>
<descr>Default LAN -> any</descr>
<interface>lan</interface>
-
	<source>
<network>lan</network>
</source>
-
	<destination>
<any/>
</destination>
</rule>
-
	<rule>
<type>pass</type>
<interface>lan</interface>
-
	<source>
<any/>
</source>
-
	<destination>
<any/>
</destination>
<descr>Default LAN -> any</descr>
</rule>
<tcpidletimeout/>
</filter>
<shaper/>
-
	<ipsec>
-
	<mobileclients>
<enable/>
-
	<p1>
<mode>aggressive</mode>
-
	<myident>
<myaddress/>
</myident>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>md5</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime/>
</p1>
-
	<p2>
<protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
<encryption-algorithm-option>cast128</encryption-algorithm-option>
<encryption-algorithm-option>rijndael</encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>0</pfsgroup>
<lifetime/>
</p2>
</mobileclients>
<enable/>
-
	<tunnel>
<auto/>
<interface>wan</interface>
-
	<local-subnet>
<network>lan</network>
</local-subnet>
<remote-subnet>10.248.56.0/24</remote-subnet>
<remote-gateway>64.81.200.131</remote-gateway>
-
	<p1>
<mode>aggressive</mode>
-
	<myident>
<myaddress/>
</myident>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>md5</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>2800</lifetime>
<pre-shared-key>psk613</pre-shared-key>
</p1>
-
	<p2>
<protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
<encryption-algorithm-option>cast128</encryption-algorithm-option>
<encryption-algorithm-option>rijndael</encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<pfsgroup>2</pfsgroup>
<lifetime>2800</lifetime>
</p2>
<descr>Tunnel to Allwood (IKE aggressive mode with a PSK shared with the "126 => 57" tunnel; aggressive mode exposes the PSK to offline guessing - prefer main mode and distinct keys)</descr>
</tunnel>
-
	<tunnel>
<auto/>
<interface>wan</interface>
-
	<local-subnet>
<network>lan</network>
</local-subnet>
<remote-subnet>10.248.57.0/24</remote-subnet>
<remote-gateway>64.81.200.131</remote-gateway>
-
	<p1>
<mode>aggressive</mode>
-
	<myident>
<myaddress/>
</myident>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>md5</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>3600</lifetime>
<pre-shared-key>psk613</pre-shared-key>
</p1>
-
	<p2>
<protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
<encryption-algorithm-option>cast128</encryption-algorithm-option>
<encryption-algorithm-option>rijndael</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<pfsgroup>0</pfsgroup>
<lifetime>3600</lifetime>
</p2>
<descr>126 => 57</descr>
</tunnel>
</ipsec>
<aliases/>
<proxyarp/>
<captiveportal>
	</captiveportal>
<lastchange>1121217226</lastchange>
</m0n0wall>