 From:  "Jeroen Visser" <monowall at forty dash two dot nl>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Losts of traffic dropped
 Date:  Mon, 3 Oct 2005 15:09:57 +0200
Forgot to include important data.

Here's the output from my status.php.
Passwords + certificates removed and a bit shorter.

Also I've been reading on and found not much more on why this happens.
The rules on the interfaces are to allow ALL (for the sake of testing).

-- Jeroen Visser.


-----[snip]-----
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            169.254.0.1        UGSc        1 98539589   fxp0
10.11.23/24        169.254.0.1        UGSc        0   448124   fxp0
10.128/16          145.7.88.133       UGSc        2  1439878   fxp4
10.194/16          145.7.88.185       UGSc        0   270894   fxp3
127.0.0.1          127.0.0.1          UH          0   149040    lo0
145.7.88.132/30    link#5             UC          1        0   fxp4
145.7.88.133       00:90:1a:41:2f:ab  UHLW        1        0   fxp4    484
145.7.88.184/30    link#4             UC          1        0   fxp3
145.7.88.185       00:90:1a:41:2f:ab  UHLW        1        0   fxp3    484
169.254/30         link#1             UC          1        0   fxp0
169.254.0.1        00:0e:0c:83:07:45  UHLW        8      576   fxp0    200
172.15/24          169.254.0.1        UGSc        0   293760   fxp0
172.16             169.254.0.1        UGSc        3    47935   fxp0
172.216/22         link#3             UC         13        0   fxp2
172.216.1.1        00:08:02:20:ef:c7  UHLW        0  1209924   fxp2    743
172.216.1.2        00:0b:cd:6a:d3:47  UHLW        0   319596   fxp2   1185
172.216.1.3        00:0b:cd:24:28:a9  UHLW        0   927007   fxp2   1151
172.216.1.4        00:0b:cd:22:b1:ec  UHLW        0     1607   fxp2   1181
172.216.1.5        00:30:6e:1d:74:46  UHLW        0    96882   fxp2   1199
172.216.1.6        00:0b:cd:24:2b:60  UHLW        0   745672   fxp2   1197
172.216.1.7        00:02:a5:68:11:c7  UHLW        0   630795   fxp2    983
172.216.1.8        00:0b:cd:0c:55:51  UHLW        0   613393   fxp2   1199
172.216.1.9        00:0b:cd:6a:da:25  UHLW        0   292859   fxp2   1099
172.216.1.10       00:02:a5:51:2c:50  UHLW        0      147   fxp2    245
172.216.3.55       00:02:a5:ad:09:df  UHLW        0      141   fxp2    622
172.216.3.70       00:02:a5:8f:92:46  UHLW        0    62082   fxp2    721
172.216.3.71       00:08:02:15:62:ad  UHLW        0      278   fxp2    695
192.168.0/30       link#6             UC          1        0   fxp5
192.168.0.2        00:40:10:18:8b:fd  UHLW        0    17921   fxp5    526

ipfw show

ipfw: getsockopt(IP_FW_GET): Protocol not available

ipnat -lv

List of active MAP/Redirect filters:

List of active sessions:

List of active host mappings:

ipfstat -v

opts 0x40 name /dev/ipl
 IPv6 packets:		in 0 out 0
 input packets:		blocked 40371 passed 212278602 nomatch 0 counted 0 short 0
output packets:		blocked 1305 passed 212146560 nomatch 0 counted 0 short 0
 input packets logged:	blocked 40180 passed 1315
output packets logged:	blocked 0 passed 0
 packets logged:	input 0 output 0
 log failures:		input 0 output 0
fragment state(in):	kept 13151	lost 18	not fragmented 0
fragment state(out):	kept 13150	lost 19	not fragmented 0
packet state(in):	kept 5587261	lost 191
packet state(out):	kept 46246	lost 1305
ICMP replies:	0	TCP RSTs sent:	0
Invalid source(in):	0
Result cache hits(in):	18795813	(out):	22460886
IN Pullups succeeded:	0	failed:	0
OUT Pullups succeeded:	12809398	failed:	0
Fastroute successes:	0	failures:	0
TCP cksum fails(in):	0	(out):	0
Packet log flags set: (0)
	none

ipfstat -nio

@1 pass out quick on lo0 from any to any
@2 pass out quick on fxp2 proto udp from 172.216.1.21/32 port = 67 to any port = 68
@3 pass out quick on fxp4 from 145.7.88.132/30 to 10.128.0.0/16
@4 pass out quick on fxp4 from 10.128.0.0/16 to 145.7.88.132/30
@5 pass out quick on fxp3 from 145.7.88.184/30 to 10.194.0.0/16
@6 pass out quick on fxp3 from 10.194.0.0/16 to 145.7.88.184/30
@7 pass out quick on fxp0 proto udp from any port = 68 to any port = 67
@8 pass out quick on fxp0 proto udp from 169.254.0.2/32 port = 500 to any
@9 pass out quick on fxp0 proto esp from 169.254.0.2/32 to any
@10 pass out quick on fxp0 proto ah from 169.254.0.2/32 to any
@11 pass out quick on fxp2 proto udp from 172.216.1.21/32 port = 500 to any
@12 pass out quick on fxp2 proto esp from 172.216.1.21/32 to any
@13 pass out quick on fxp2 proto ah from 172.216.1.21/32 to any
@14 pass out quick on fxp4 proto udp from 145.7.88.134/32 port = 500 to any
@15 pass out quick on fxp4 proto esp from 145.7.88.134/32 to any
@16 pass out quick on fxp4 proto ah from 145.7.88.134/32 to any
@17 pass out quick on fxp3 proto udp from 145.7.88.186/32 port = 500 to any
@18 pass out quick on fxp3 proto esp from 145.7.88.186/32 to any
@19 pass out quick on fxp3 proto ah from 145.7.88.186/32 to any
@20 pass out quick on fxp5 proto udp from 192.168.0.1/32 port = 500 to any
@21 pass out quick on fxp5 proto esp from 192.168.0.1/32 to any
@22 pass out quick on fxp5 proto ah from 192.168.0.1/32 to any
@23 pass out quick on fxp2 from any to any keep state
@24 pass out quick on fxp0 from any to any keep state
@25 pass out quick on fxp4 from any to any keep state
@26 pass out quick on fxp3 from any to any keep state
@27 pass out quick on fxp5 from any to any keep state
@28 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on fxp2 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on fxp2 proto udp from any port = 68 to 172.216.1.21/32 port = 67
@6 skip 2 in on fxp4 from any to 145.7.88.134/32
@7 pass in quick on fxp4 from 145.7.88.132/30 to 10.128.0.0/16
@8 pass in quick on fxp4 from 10.128.0.0/16 to 145.7.88.132/30
@9 skip 2 in on fxp3 from any to 145.7.88.186/32
@10 pass in quick on fxp3 from 145.7.88.184/30 to 10.194.0.0/16
@11 pass in quick on fxp3 from 10.194.0.0/16 to 145.7.88.184/30
@12 block in log quick on fxp0 from 172.216.0.0/22 to any
@13 block in log quick on fxp0 from 145.7.88.132/30 to any
@14 block in log quick on fxp0 from 145.7.88.184/30 to any
@15 block in log quick on fxp0 from 192.168.0.0/30 to any
@16 block in log quick on fxp0 proto udp from any port = 67 to 172.216.0.0/22 port = 68
@17 pass in quick on fxp0 proto udp from any port = 67 to any port = 68
@18 skip 1 in on fxp2 from 172.216.0.0/22 to any
@19 block in log quick on fxp2 from any to any
@20 skip 2 in on fxp4 from 10.128.0.0/16 to any
@21 skip 1 in on fxp4 from 145.7.88.132/30 to any
@22 block in log quick on fxp4 from any to any
@23 skip 2 in on fxp3 from 10.194.0.0/16 to any
@24 skip 1 in on fxp3 from 145.7.88.184/30 to any
@25 block in log quick on fxp3 from any to any
@26 skip 1 in on fxp5 from 192.168.0.0/30 to any
@27 block in log quick on fxp5 from any to any
@28 pass in quick on fxp0 proto udp from any to 169.254.0.2/32 port = 500
@29 pass in quick on fxp0 proto esp from any to 169.254.0.2/32
@30 pass in quick on fxp0 proto ah from any to 169.254.0.2/32
@31 pass in quick on fxp2 proto udp from any to 172.216.1.21/32 port = 500
@32 pass in quick on fxp2 proto esp from any to 172.216.1.21/32
@33 pass in quick on fxp2 proto ah from any to 172.216.1.21/32
@34 pass in quick on fxp4 proto udp from any to 145.7.88.134/32 port = 500
@35 pass in quick on fxp4 proto esp from any to 145.7.88.134/32
@36 pass in quick on fxp4 proto ah from any to 145.7.88.134/32
@37 pass in quick on fxp3 proto udp from any to 145.7.88.186/32 port = 500
@38 pass in quick on fxp3 proto esp from any to 145.7.88.186/32
@39 pass in quick on fxp3 proto ah from any to 145.7.88.186/32
@40 pass in quick on fxp5 proto udp from any to 192.168.0.1/32 port = 500
@41 pass in quick on fxp5 proto esp from any to 192.168.0.1/32
@42 pass in quick on fxp5 proto ah from any to 192.168.0.1/32
@43 skip 1 in proto tcp from any to any flags S/FSRA
@44 block in log quick proto tcp from any to any
@45 block in log quick on fxp2 from any to any head 100
@1 pass in quick from 172.216.0.0/22 to 172.216.1.21/32 keep state group 100
@2 pass in quick from 172.216.0.0/22 to any keep state keep frags group 100
@3 pass in quick from any to any keep state keep frags group 100
@46 block in log quick on fxp0 from any to any head 200
@1 pass in quick proto tcp from any to any keep state keep frags group 200
@2 pass in quick from any to any keep state keep frags group 200
@47 block in log quick on fxp4 from any to any head 300
@1 pass in quick proto tcp from any to any keep state keep frags group 300
@2 pass in quick from any to any keep state keep frags group 300
@48 block in log quick on fxp3 from any to any head 400
@1 pass in quick from any to any keep state keep frags group 400
@49 block in log quick on fxp5 from any to any head 500
@1 pass in quick from any to any keep state keep frags group 500
@50 block in log quick from any to any

unparsed ipnat rules

unparsed ipfilter rules

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on fxp2 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp2 proto udp from any port = 68 to 172.216.1.21 port = 67
pass out quick on fxp2 proto udp from 172.216.1.21 port = 67 to any port = 68
skip 2 in on fxp4 from any to 145.7.88.134
pass in quick on fxp4 from 145.7.88.132/30 to 10.128.0.0/16
pass in quick on fxp4 from 10.128.0.0/16 to 145.7.88.132/30
pass out quick on fxp4 from 145.7.88.132/30 to 10.128.0.0/16
pass out quick on fxp4 from 10.128.0.0/16 to 145.7.88.132/30
skip 2 in on fxp3 from any to 145.7.88.186
pass in quick on fxp3 from 145.7.88.184/30 to 10.194.0.0/16
pass in quick on fxp3 from 10.194.0.0/16 to 145.7.88.184/30
pass out quick on fxp3 from 145.7.88.184/30 to 10.194.0.0/16
pass out quick on fxp3 from 10.194.0.0/16 to 145.7.88.184/30

# WAN spoof check
block in log quick on fxp0 from 172.216.0.0/22 to any
block in log quick on fxp0 from 145.7.88.132/30 to any
block in log quick on fxp0 from 145.7.88.184/30 to any
block in log quick on fxp0 from 192.168.0.0/30 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on fxp0 proto udp from any port = 68 to any port = 67
block in log quick on fxp0 proto udp from any port = 67 to 172.216.0.0/22 port = 68
pass in quick on fxp0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
skip 1 in on fxp2 from 172.216.0.0/22 to any
block in log quick on fxp2 all
skip 2 in on fxp4 from 10.128.0.0/16 to any
skip 1 in on fxp4 from 145.7.88.132/30 to any
block in log quick on fxp4 all
skip 2 in on fxp3 from 10.194.0.0/16 to any
skip 1 in on fxp3 from 145.7.88.184/30 to any
block in log quick on fxp3 all
skip 1 in on fxp5 from 192.168.0.0/30 to any
block in log quick on fxp5 all

# Pass IKE packets
pass in quick on fxp0 proto udp from any to 169.254.0.2 port = 500
pass out quick on fxp0 proto udp from 169.254.0.2 port = 500 to any

# Pass ESP packets
pass in quick on fxp0 proto esp from any to 169.254.0.2
pass out quick on fxp0 proto esp from 169.254.0.2 to any

# Pass AH packets
pass in quick on fxp0 proto ah from any to 169.254.0.2
pass out quick on fxp0 proto ah from 169.254.0.2 to any

# Pass IKE packets
pass in quick on fxp2 proto udp from any to 172.216.1.21 port = 500
pass out quick on fxp2 proto udp from 172.216.1.21 port = 500 to any

# Pass ESP packets
pass in quick on fxp2 proto esp from any to 172.216.1.21
pass out quick on fxp2 proto esp from 172.216.1.21 to any

# Pass AH packets
pass in quick on fxp2 proto ah from any to 172.216.1.21
pass out quick on fxp2 proto ah from 172.216.1.21 to any

# Pass IKE packets
pass in quick on fxp4 proto udp from any to 145.7.88.134 port = 500
pass out quick on fxp4 proto udp from 145.7.88.134 port = 500 to any

# Pass ESP packets
pass in quick on fxp4 proto esp from any to 145.7.88.134
pass out quick on fxp4 proto esp from 145.7.88.134 to any

# Pass AH packets
pass in quick on fxp4 proto ah from any to 145.7.88.134
pass out quick on fxp4 proto ah from 145.7.88.134 to any

# Pass IKE packets
pass in quick on fxp3 proto udp from any to 145.7.88.186 port = 500
pass out quick on fxp3 proto udp from 145.7.88.186 port = 500 to any

# Pass ESP packets
pass in quick on fxp3 proto esp from any to 145.7.88.186
pass out quick on fxp3 proto esp from 145.7.88.186 to any

# Pass AH packets
pass in quick on fxp3 proto ah from any to 145.7.88.186
pass out quick on fxp3 proto ah from 145.7.88.186 to any

# Pass IKE packets
pass in quick on fxp5 proto udp from any to 192.168.0.1 port = 500
pass out quick on fxp5 proto udp from 192.168.0.1 port = 500 to any

# Pass ESP packets
pass in quick on fxp5 proto esp from any to 192.168.0.1
pass out quick on fxp5 proto esp from 192.168.0.1 to any

# Pass AH packets
pass in quick on fxp5 proto ah from any to 192.168.0.1
pass out quick on fxp5 proto ah from 192.168.0.1 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on fxp2 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp2 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state
		
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on fxp4 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp4 all keep state
		
#---------------------------------------------------------------------------
# group head 400 - opt2 interface
#---------------------------------------------------------------------------
block in log quick on fxp3 all head 400

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp3 all keep state
		
#---------------------------------------------------------------------------
# group head 500 - opt3 interface
#---------------------------------------------------------------------------
block in log quick on fxp5 all head 500

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp5 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 172.216.0.0/22 to 172.216.1.21 keep state group 100

# User-defined rules follow
pass in quick proto tcp from any to any keep state keep frags group 200 
pass in quick from any to any keep state keep frags group 200 
pass in quick from any to any keep state keep frags group 500 
pass in quick from any to any keep state keep frags group 400 
pass in quick proto tcp from any to any keep state keep frags group 300 
pass in quick from any to any keep state keep frags group 300 
pass in quick from 172.216.0.0/22 to any keep state keep frags group 100 
pass in quick from any to any keep state keep frags group 100 
	
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

unparsed ipfw rules

add 50000 set 4 pass all from 172.216.1.21 to any
add 50001 set 4 pass all from any to 172.216.1.21

last x system log entries
Oct  3 21:29:10 kv1 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: AH/Tunnel 145.7.88.134->10.128.4.132 spi=157557440(0x96422c0)
Oct  3 21:29:10 kv1 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: AH/Tunnel 10.128.4.132->145.7.88.134 spi=173621867(0xa59426b)
Oct  3 21:29:10 kv1 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: AH/Tunnel 145.7.88.134->10.128.4.132 spi=147378086(0x8c8cfa6)
Oct  3 21:29:18 kv1 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 145.7.88.134[500]<=>10.128.4.132[500]
Oct  3 21:29:18 kv1 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
Oct  3 21:29:18 kv1 racoon: NOTIFY: oakley.c:2102:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Oct  3 21:29:18 kv1 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 145.7.88.134[500]-10.128.4.132[500] spi:a0233d5f731ec2ed:279cf08595094677
Oct  3 21:31:09 kv1 dnsmasq[96926]: exiting on receipt of SIGTERM
Oct  3 22:51:46 kv1 syslogd: exiting on signal 15

last 50 filter log entries

Oct  3 22:51:51 kv1 ipmon[99]: 22:51:50.765649 fxp4 @0:44 b 10.128.205.1,19074 -> 207.68.178.61,80 PR tcp len 20 40 -AF IN
Oct  3 22:51:58 kv1 ipmon[99]: 22:51:57.824470 fxp4 @0:44 b 10.128.46.0,23487 -> 213.205.34.45,80 PR tcp len 20 43 -AR IN
Oct  3 22:52:21 kv1 ipmon[99]: 22:52:20.550680 fxp4 @0:44 b 10.128.149.192,23042 -> 10.11.23.4,1302 PR tcp len 20 40 -AF IN
Oct  3 22:52:32 kv1 ipmon[99]: 22:52:31.703543 fxp4 @0:44 b 10.128.205.1,19100 -> 207.68.178.61,80 PR tcp len 20 40 -AF IN
Oct  3 22:53:16 kv1 ipmon[99]: 22:53:15.455200 fxp4 @0:44 b 10.128.205.1,19101 -> 207.68.178.61,80 PR tcp len 20 40 -AF IN
Oct  3 22:53:51 kv1 ipmon[99]: 22:53:50.599444 fxp4 @0:44 b 10.128.172.192,23691 -> 69.42.158.53,80 PR tcp len 20 40 -R IN
Oct  3 22:54:16 kv1 ipmon[99]: 22:54:15.819333 fxp4 @0:44 b 10.128.46.0,23539 -> 209.34.73.10,443 PR tcp len 20 43 -AR IN

config.xml

<?xml version="1.0"?>
<m0n0wall>
    <version>1.5</version>
    <lastchange>1128372753</lastchange>
    <system>
        <hostname>kv1</hostname>
        <domain>ced-services.nl</domain>
        <username>admin</username>
        <password>xxxxx</password>
        <timezone>Europe/Amsterdam</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>pool.ntp.org</timeservers>
        <webgui>
            <protocol>https</protocol>
            <port/>
            <certificate>xxxx</certificate>
           <private-key>xxxx</private-key>
            <expanddiags/>
        </webgui>
        <harddiskstandby/>
        <dnsserver>172.16.0.4</dnsserver>
        <dnsserver>172.16.0.15</dnsserver>
        <polling/>
    </system>
    <interfaces>
        <lan>
            <if>fxp2</if>
            <ipaddr>172.216.1.21</ipaddr>
            <subnet>22</subnet>
            <media>100baseTX</media>
            <mediaopt>full-duplex</mediaopt>
        </lan>
        <wan>
            <if>fxp0</if>
            <mtu/>
            <media/>
            <mediaopt/>
            <spoofmac/>
            <ipaddr>169.254.0.2</ipaddr>
            <subnet>30</subnet>
            <gateway>169.254.0.1</gateway>
        </wan>
        <opt1>
            <descr>MX-FLEX CED</descr>
            <if>fxp4</if>
            <ipaddr>145.7.88.134</ipaddr>
            <subnet>30</subnet>
            <media>100baseTX</media>
            <mediaopt>full-duplex</mediaopt>
            <bridge/>
            <enable/>
        </opt1>
        <opt2>
            <descr>MX-FLEX MEDITEL</descr>
            <if>fxp3</if>
            <ipaddr>145.7.88.186</ipaddr>
            <subnet>30</subnet>
            <media>100baseTX</media>
            <mediaopt>full-duplex</mediaopt>
            <bridge/>
            <enable/>
        </opt2>
        <opt3>
            <descr>EMN CAPELLE</descr>
            <if>fxp5</if>
            <ipaddr>192.168.0.1</ipaddr>
            <subnet>30</subnet>
            <media>100baseTX</media>
            <mediaopt>full-duplex</mediaopt>
            <bridge/>
            <enable/>
        </opt3>
        <opt4>
            <descr>RESERVED</descr>
            <if>fxp1</if>
            <ipaddr/>
            <subnet>31</subnet>
            <media>100baseTX</media>
            <mediaopt>full-duplex</mediaopt>
            <bridge/>
        </opt4>
    </interfaces>
    <staticroutes>
        <route>
            <interface>wan</interface>
            <network>10.11.23.0/24</network>
            <gateway>169.254.0.1</gateway>
            <descr/>
        </route>
        <route>
            <interface>opt1</interface>
            <network>10.128.0.0/16</network>
            <gateway>145.7.88.133</gateway>
            <descr/>
        </route>
        <route>
            <interface>opt2</interface>
            <network>10.194.0.0/16</network>
            <gateway>145.7.88.185</gateway>
            <descr/>
        </route>
        <route>
            <interface>wan</interface>
            <network>172.16.0.0/16</network>
            <gateway>169.254.0.1</gateway>
            <descr/>
        </route>
        <route>
            <interface>wan</interface>
            <network>172.15.0.0/24</network>
            <gateway>169.254.0.1</gateway>
            <descr/>
        </route>
    </staticroutes>
    <pppoe/>
    <pptp/>
    <bigpond/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
    </dyndns>
    <dnsupdate/>
    <dhcpd>
        <lan>
            <range>
                <from>192.168.1.100</from>
                <to>192.168.1.199</to>
            </range>
        </lan>
    </dhcpd>
    <pptpd>
        <mode/>
        <redir/>
        <localip/>
        <remoteip/>
    </pptpd>
    <ovpn/>
    <dnsmasq/>
    <snmpd>
        <syslocation>xxxx</syslocation>
        <syscontact>xxxx</syscontact>
        <rocommunity>xxxx</rocommunity>
        <enable/>
    </snmpd>
    <diag>
        <ipv6nat>
            <ipaddr/>
        </ipv6nat>
    </diag>
    <bridge/>
    <syslog>
        <nentries>100</nentries>
        <remoteserver/>
        <reverse/>
    </syslog>
    <nat>
        <advancedoutbound>
            <enable/>
        </advancedoutbound>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt5</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt4</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt3</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt2</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt1</interface>
            <source>
                <any/>
            </source>
            <destination>
                <address>10.11.23.4</address>
            </destination>
            <log/>
            <frags/>
            <descr/>
            <disabled/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt1</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>opt1</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <frags/>
            <descr/>
        </rule>
        <bypassstaticroutes/>
        <tcpidletimeout/>
    </filter>
    <ipsec/>
    <aliases/>
    <proxyarp/>
    <wol/>
    <shaper>
        <magic>
            <p2plow/>
            <maxup>54000</maxup>
            <maxdown>54000</maxdown>
        </magic>
    </shaper>
</m0n0wall>


-----[snip]-----
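
An added example, not part of the original post: a small parser that groups the ipmon filter log entries above by interface, rule and TCP flags, and tests each entry's flags against the `flags S/SAFR` condition used by the "Block TCP packets that do not mark the start of a connection" rule pair (@43/@44 in the `ipfstat -nio` output). The function names `unwrap`, `parse_entries`, `starts_connection` and `summarize` are assumptions made for this illustration.

```python
import re
from collections import Counter

# Entries copied from the "last 50 filter log entries" section above. The
# first two are left wrapped mid-entry, the way mail line-wrapping breaks
# them, so that unwrap() has something to rejoin.
SAMPLE_LOG = """\
Oct  3 22:51:51 kv1 ipmon[99]: 22:51:50.765649 fxp4 @0:44 b 10.128.205.1,19074 ->
207.68.178.61,80 PR tcp len 20 40 -AF IN
Oct  3 22:52:21 kv1 ipmon[99]: 22:52:20.550680 fxp4 @0:44 b 10.128.149.192,23042
-> 10.11.23.4,1302 PR tcp len 20 40 -AF IN
Oct  3 22:53:51 kv1 ipmon[99]: 22:53:50.599444 fxp4 @0:44 b 10.128.172.192,23691 -> 69.42.158.53,80 PR tcp len 20 40 -R IN
Oct  3 22:54:16 kv1 ipmon[99]: 22:54:15.819333 fxp4 @0:44 b 10.128.46.0,23539 -> 209.34.73.10,443 PR tcp len 20 43 -AR IN
"""

# A syslog line starts with "Mon dd hh:mm:ss "; anything else is a continuation.
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# ipmon TCP entry: time, interface, @group:rule, action, endpoints, lengths, flags.
ENTRY = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR tcp len (?P<hlen>\d+) (?P<len>\d+) "
    r"-(?P<flags>[A-Z]*) (?P<dir>IN|OUT)"
)


def unwrap(text):
    """Rejoin log entries that were split across lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_entries(text):
    """Return one dict per TCP ipmon entry; non-matching lines are skipped."""
    parsed = []
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if m:
            parsed.append(m.groupdict())
    return parsed


def starts_connection(flags, spec="S/SAFR"):
    """IPFilter 'flags want/mask': of the masked flags, exactly 'want' is set."""
    want, mask = spec.split("/")
    return set(flags) & set(mask) == set(want)


def summarize(text):
    """Count entries by (interface, group:rule, flags, matches S/SAFR)."""
    counts = Counter()
    for e in parse_entries(text):
        key = (e["iface"], f'{e["group"]}:{e["rule"]}', e["flags"],
               starts_connection(e["flags"]))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (iface, rule, flags, syn_only), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {iface}  @{rule}  flags={flags or '-'}  S/SAFR match={syn_only}")
```

None of the sampled packets carries a lone SYN, so none takes the `skip 1` at @43 and each reaches the logging block at @44; such packets are passed only when they match an existing state entry, which IPFilter consults before the rule list.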