 From:  berek at rz dot uni dash leipzig dot de
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  firewall lets ports pass although blocked
 Date:  Wed, 09 Nov 2005 13:32:14 +0100
hi,

i've been using m0n0 for some years now. but now the firewall seems to let connections
be established that should be blocked.

my setup:

(inet) --- WAN-iface-(m0n0)-WLAN-iface --- (linksys-node) --- (OLSR wlan net
with some dozens of NATted nodes)

i've set up a bunch of allow rules for the WLAN interface outbound to everywhere
(see list below).  but if i have a glance at the traffic passing the
linksys-wlan-node, from time to time i see tcp-connections (usually with heavy
traffic) from some of the wlan-nodes to the internet on ports that are
definitely NOT allowed in my list. thus they normally should be blocked by the
default blocking rule of the WLAN interface. but they pass through, as i can
see in the output of iptraf on the linksys. the ports that got through the last
time were various ones between 62000 and 63000.

i double-checked the rule list and found no hole. does anybody have an idea? as for
now i can't trust my firewall anymore - if it ignores my blocking wishes.

i'm using m0n0 1.11 on a standard PIII-PC
i've checked the FAQ, the m0n0-list archive and google for my problem and found
no answer.
(the m0n0 box also has a LAN interface, of course)
the WLAN interface has the hardware name fxp0.

thanx for your patience and help,

yours,
mathias

here are the firewall rules (i can post the output of the HTML page with the rules as
well if someone wants me to):
::::::::
ipfstat -nio

@1 pass out quick on lo0 from any to any
@2 pass out quick on ed0 proto udp from 192.168.0.20/32 port = 67 to any port = 68
@3 pass out quick on fxp0 proto udp from 10.139.77.5/32 port = 67 to any port = 68
@4 pass out quick on fxp0 from 10.139.77.0/24 to 10.0.0.0/8
@5 pass out quick on fxp0 from 10.0.0.0/8 to 10.139.77.0/24
@6 pass out quick on ed0 from 192.168.0.0/24 to 10.42.77.0/24
@7 pass out quick on ed0 from 10.42.77.0/24 to 192.168.0.0/24
@8 pass out quick on ed0 from 192.168.0.0/24 to 192.168.200.0/24
@9 pass out quick on ed0 from 192.168.200.0/24 to 192.168.0.0/24
@10 pass out quick on dc0 proto udp from any port = 68 to any port = 67
@11 pass out quick on ed0 from any to any keep state
@12 pass out quick on dc0 from any to any keep state
@13 pass out quick on fxp0 from any to any keep state
@14 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on ed0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on ed0 proto udp from any port = 68 to 192.168.0.20/32 port = 67
@6 pass in quick on fxp0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@7 pass in quick on fxp0 proto udp from any port = 68 to 10.139.77.5/32 port = 67
@8 pass in quick on fxp0 from 10.139.77.0/24 to 10.0.0.0/8
@9 pass in quick on fxp0 from 10.0.0.0/8 to 10.139.77.0/24
@10 pass in quick on ed0 from 192.168.0.0/24 to 10.42.77.0/24
@11 pass in quick on ed0 from 10.42.77.0/24 to 192.168.0.0/24
@12 pass in quick on ed0 from 192.168.0.0/24 to 192.168.200.0/24
@13 pass in quick on ed0 from 192.168.200.0/24 to 192.168.0.0/24
@14 block in log quick on dc0 from 192.168.0.0/24 to any
@15 block in log quick on dc0 from 10.139.77.0/24 to any
@16 block in log quick on dc0 proto udp from any port = 67 to 192.168.0.0/24 port = 68
@17 pass in quick on dc0 proto udp from any port = 67 to any port = 68
@18 skip 3 in on ed0 from 10.42.77.0/24 to any
@19 skip 2 in on ed0 from 192.168.200.0/24 to any
@20 skip 1 in on ed0 from 192.168.0.0/24 to any
@21 block in log quick on ed0 from any to any
@22 skip 2 in on fxp0 from 10.0.0.0/8 to any
@23 skip 1 in on fxp0 from 10.139.77.0/24 to any
@24 block in log quick on fxp0 from any to any
@25 block in log quick on dc0 from 10.0.0.0/8 to any
@26 block in log quick on dc0 from 127.0.0.0/8 to any
@27 block in log quick on dc0 from 172.16.0.0/12 to any
@28 block in log quick on dc0 from 192.168.0.0/16 to any
@29 skip 1 in proto tcp from any to any flags S/FSRA
@30 block in log quick proto tcp from any to any
@31 block in log quick on ed0 from any to any head 100
@1 pass in quick from 192.168.0.0/24 to 192.168.0.20/32 keep state group 100
@2 pass in quick from 192.168.0.0/24 to any keep state group 100
@32 block in log quick on dc0 from any to any head 200
@1 block in quick proto tcp/udp from any to any port 136 >< 139 group 200
@2 block in quick proto tcp/udp from any to any port = microsoft-ds group 200
@33 block in log quick on fxp0 from any to any head 300
@1 pass in quick proto tcp from 10.11.79.1/32 to 192.168.0.0/24 port 20 >< 23 keep state group 300
@2 pass in quick proto tcp from 10.11.79.1/32 to 192.168.0.0/24 port = 443 keep state group 300
@3 pass in quick proto tcp from 10.11.79.1/32 to 192.168.0.0/24 port 1974 >< 1978 keep state group 300
@4 pass in quick proto igmp from 10.11.79.1/32 to 192.168.0.0/24 keep state group 300
@5 pass in quick proto tcp from 10.11.75.2/32 to 192.168.0.0/24 port 20 >< 23 keep state group 300
@6 pass in quick proto tcp from 10.11.75.2/32 to 192.168.0.0/24 port = 443 keep state group 300
@7 pass in quick proto tcp from 10.11.75.2/32 to 192.168.0.0/24 port 1974 >< 1978 keep state group 300
@8 pass in quick proto igmp from 10.11.75.2/32 to 192.168.0.0/24 keep state group 300
@9 pass in quick proto tcp/udp from 10.11.75.2/32 to any port 10020 >< 10026 keep state group 300
@10 block in log quick from any to 192.168.0.0/24 group 300
@11 block in quick proto tcp/udp from any port 136 >< 139 to any group 300
@12 pass in quick proto tcp from 10.0.0.0/8 to 192.168.200.2/32 port 20 >< 81 keep state group 300
@13 pass in quick proto tcp from 10.0.0.0/8 to 192.168.200.2/32 port = 443 keep state group 300
@14 pass in quick proto tcp from 10.0.0.0/8 to 192.168.200.2/32 port 1023 >< 65001 keep state group 300
@15 pass in quick proto tcp/udp from 10.0.0.0/8 to any port = domain keep state group 300
@16 pass in quick proto udp from 10.0.0.0/8 to any port = 123 keep state group 300
@17 pass in quick proto tcp from 10.0.0.0/8 to any port = 37 keep state group 300
@18 pass in quick proto tcp from 10.0.0.0/8 to any port = 80 keep state group 300
@19 pass in quick proto tcp from 10.0.0.0/8 to any port = 443 keep state group 300
@20 pass in quick proto tcp from 10.11.0.0/16 to any port = 110 keep state group 300
@21 pass in quick proto tcp from 10.11.0.0/16 to any port = 143 keep state group 300
@22 pass in quick proto tcp from 10.11.0.0/16 to any port = 22 keep state group 300
@23 pass in quick proto tcp from 10.11.0.0/16 to any port = 21 keep state group 300
@24 pass in quick proto tcp from 10.11.0.0/16 to any port = 25 keep state group 300
@25 pass in quick proto tcp from 10.11.0.0/16 to any port = 995 keep state group 300
@26 pass in quick proto tcp from 10.11.0.0/16 to any port = 585 keep state group 300
@27 pass in quick proto tcp from 10.11.0.0/16 to any port = 993 keep state group 300
@28 pass in quick proto tcp from 10.11.0.0/16 to any port 5221 >< 5224 keep state group 300
@29 pass in quick proto tcp from 10.11.0.0/16 to any port = 8080 keep state group 300
@30 pass in quick proto tcp from 10.11.0.0/16 to any port = 5190 keep state group 300
@31 pass in quick proto tcp/udp from 10.11.79.2/32 to any port = nntp keep state group 300
@32 pass in quick proto tcp from 10.11.0.0/16 to 217.160.167.26/32 port = 22222 keep state group 300
@33 pass in quick proto icmp from 10.11.0.0/16 to any keep state group 300
@34 pass in quick proto udp from 10.0.0.0/8 to any port = 5000 keep state group 300
@35 pass in quick proto tcp/udp from 10.11.0.0/16 to any port 5153 >< 5156 keep state group 300
@36 pass in quick proto tcp from 10.11.0.0/16 to any port 6666 >< 6669 keep state group 300
@37 pass in quick proto tcp from 10.11.0.0/16 to any port 7999 >< 8129 keep state group 300
@38 pass in quick proto tcp from 10.11.0.0/16 to any port = 8800 keep state group 300
@39 pass in quick proto tcp from 10.11.0.0/16 to any port = 9540 keep state group 300
@40 pass in quick proto tcp from 10.11.0.0/16 to any port = 23724 keep state group 300
@41 pass in quick proto tcp from 10.11.0.0/16 to any port = 9210 keep state group 300
@42 pass in quick proto tcp from 10.11.0.0/16 to any port 9000 >< 9034 keep state group 300
@43 pass in quick proto tcp from 10.11.0.0/16 to any port = 10001 keep state group 300
@44 pass in quick proto tcp from 10.11.0.0/16 to any port = 873 keep state group 300
@45 pass in quick proto tcp from 10.11.0.0/16 to any port = 2500 keep state group 300
@46 pass in quick proto tcp from 10.11.0.0/16 to any port = 3500 keep state group 300
@47 pass in quick proto tcp from 10.11.0.0/16 to any port 20079 >< 20083 keep state group 300
@48 pass in quick proto tcp from 10.11.0.0/16 to any port = 8180 keep state group 300
@49 pass in quick proto tcp from 10.11.0.0/16 to any port = 3900 keep state group 300
@50 pass in quick proto tcp/udp from 10.11.0.0/16 to any port = cvspserver keep state group 300
@51 pass in quick proto tcp/udp from 10.11.0.0/16 to any port = 5999 keep state group 300
@52 pass in quick proto tcp/udp from 10.11.0.0/16 to any port = 10000 keep state group 300
@53 pass in quick proto tcp/udp from 10.11.0.0/16 to any port = 2064 keep state group 300
@54 pass in quick proto tcp from 10.11.0.0/16 to any port 51999 >< 52002 keep state group 300
@55 pass in quick proto tcp from 10.11.0.0/16 to any port = 554 keep state group 300
@56 pass in quick proto tcp from 10.11.0.0/16 to any port = 7070 keep state group 300
@57 pass in quick proto tcp from 10.11.0.0/16 to any port = 3306 keep state group 300
@58 pass in quick proto udp from 10.0.0.0/8 to any port 33433 >< 33535 keep state group 300
@59 pass in quick proto tcp/udp from 10.11.0.0/16 to any port = 8880 keep state group 300
@34 block in log quick from any to any
::::::::::::::::::::::::::::::::

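The rule list above is the poster's own. What follows is an added example, not code from the post or from m0n0wall: a small Python evaluator for this `ipfstat -nio` syntax that walks a constructed subset of the inbound fxp0 chain (rules copied from the list, unwrapped, with the `skip N` distances preserved) and reports which rule decides a packet. The helper names `parse_rule`, `matches`, `evaluate` and `packet` are this example's own. It models no state table, so a packet that would have matched a state entry created by one of the `keep state` rules (in either direction) is outside what it shows; it also assumes that when no rule in a group matches, the head rule's own action applies, and that `port a >< b` admits only the ports strictly between a and b.

```python
"""Added example (not code from the post or from m0n0wall): replays constructed packets
through a subset of the post's inbound ipfilter rules (`ipfstat -nio` syntax, m0n0wall 1.11).
Assumed semantics: no state table (`keep state` is parsed only); when no rule in a group
matches, the head rule's own action applies; `port a >< b` excludes both a and b."""
import ipaddress
from collections import defaultdict

SERVICES = {"domain": 53, "nntp": 119, "cvspserver": 2401, "microsoft-ds": 445}

# Constructed subset of the post's "in" rules, unwrapped; order and skip distances are kept.
RULES_TEXT = """
@22 skip 2 in on fxp0 from 10.0.0.0/8 to any
@23 skip 1 in on fxp0 from 10.139.77.0/24 to any
@24 block in log quick on fxp0 from any to any
@29 skip 1 in proto tcp from any to any flags S/FSRA
@30 block in log quick proto tcp from any to any
@33 block in log quick on fxp0 from any to any head 300
@1 pass in quick proto tcp from 10.11.79.1/32 to 192.168.0.0/24 port 20 >< 23 keep state group 300
@10 block in log quick from any to 192.168.0.0/24 group 300
@14 pass in quick proto tcp from 10.0.0.0/8 to 192.168.200.2/32 port 1023 >< 65001 keep state group 300
@18 pass in quick proto tcp from 10.0.0.0/8 to any port = 80 keep state group 300
@34 block in log quick from any to any
"""

def _port(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]

def parse_rule(line):
    """Parse one ipfstat line; absent keys read back as None, port ranges are stored inclusive."""
    t = line.split()
    r = defaultdict(lambda: None, num=t[0], action=t[1], skip=int(t[2]) if t[1] == "skip" else 0)
    i = 3 if t[1] == "skip" else 2
    r["dir"], i = t[i], i + 1
    while i < len(t):
        w = t[i]
        if w in ("log", "quick"):
            r[w], i = True, i + 1
        elif w in ("on", "proto", "flags", "head", "group", "with"):
            r[w], i = t[i + 1], i + 2
        elif w == "keep":                                       # "keep state": not modelled
            i += 2
        elif w in ("from", "to"):
            akey, pkey = ("src", "sport") if w == "from" else ("dst", "dport")
            r[akey], i = t[i + 1], i + 2
            if i < len(t) and t[i] == "port":
                if t[i + 1] == "=":
                    r[pkey], i = (_port(t[i + 2]),) * 2, i + 3
                else:                                           # "a >< b": exclusive on both ends
                    assert t[i + 2] == "><", "unsupported port operator: " + line
                    r[pkey], i = (_port(t[i + 1]) + 1, _port(t[i + 3]) - 1), i + 4
        else:
            raise ValueError("unsupported token %r in: %s" % (w, line))
    r["label"] = r["num"] + (" group " + r["group"] if r["group"] else "")
    return r

def _in_net(spec, ip):
    return spec == "any" or ip in ipaddress.ip_network(spec, strict=False)

def _in_range(rng, port):
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def matches(r, pkt):
    """True if every selector of rule r matches pkt; flags use ipfilter's want/mask form."""
    ok = (not r["with"] and (not r["on"] or r["on"] == pkt["iface"])
          and (not r["proto"] or pkt["proto"] in r["proto"].split("/"))      # tcp/udp = either
          and _in_net(r["src"], pkt["src"]) and _in_net(r["dst"], pkt["dst"])
          and _in_range(r["sport"], pkt["sport"]) and _in_range(r["dport"], pkt["dport"]))
    if ok and r["flags"]:                                       # S/FSRA: flags under mask FSRA == S
        want, mask = r["flags"].split("/")
        ok = pkt["proto"] == "tcp" and {f for f in pkt["flags"] if f in mask} == set(want)
    return ok

def _scan(chain, groups, pkt):
    last, i = None, 0                                           # without quick, the last match wins
    while i < len(chain):
        r, i = chain[i], i + 1
        if not matches(r, pkt):
            continue
        if r["action"] == "skip":
            i += r["skip"]                                      # jump over the next N rules
        else:
            last = (r["action"], r["label"])
            if r["head"]:                                       # group decides, else the head's own action
                last = _scan(groups.get(r["head"], []), groups, pkt) or last
            if r["quick"]:
                return last
    return last

def evaluate(rules, pkt):
    """Return (action, rule label) deciding pkt; ipfilter passes when nothing matches."""
    chain = [r for r in rules if r["dir"] == pkt["dir"] and not r["group"]]
    groups = defaultdict(list)
    for r in rules:
        if r["group"] and r["dir"] == pkt["dir"]:
            groups[r["group"]].append(r)
    return _scan(chain, groups, pkt) or ("pass", "no rule matched")

def packet(iface, proto, src, dst, dport=None, flags="S", sport=40000, direction="in"):
    """Constructed packet; flags are ipfilter TCP flag letters (S, A, F, R, P, U)."""
    return dict(iface=iface, proto=proto, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                sport=sport, dport=dport, flags=flags, dir=direction)

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]
```

Replaying a few packets with `evaluate(RULES, packet(...))` shows what the chain does to stateless traffic: a SYN from 10.11.5.5 to port 80 passes on `@18 group 300`, the same SYN to port 62500 finds no group rule and is blocked by the head rule `@33`, a bare ACK with no state entry is blocked by `@30` because only SYN-only segments get past `@29`, and `port 20 >< 23` admits 21 and 22 but not 20 itself, so 10.11.79.1 to 192.168.0.10:20 is blocked by `@10 group 300`. In this model, then, the observed ports between 62000 and 63000 cannot get through the inbound fxp0 rules on their own; whether a state entry, another interface or the outbound chain is involved is exactly what the model leaves open.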