 
 From:  berek at rz dot uni dash leipzig dot de
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: firewall lets ports pass although blocked
 Date:  Thu, 10 Nov 2005 14:53:29 +0100
Ron Freidel wrote:
>berek at rz dot uni dash leipzig dot de wrote:
>> hi,
>> i'm using m0n0 for some years now. but now the firewall seems to let connections
>> be established that should be blocked.
>> @55 pass in quick proto tcp from 10.11.0.0/16 to any port = 554 keep state group 300
>> @56 pass in quick proto tcp from 10.11.0.0/16 to any port = 7070 keep state group 300
>> @57 pass in quick proto tcp from 10.11.0.0/16 to any port = 3306 keep state group 300
>> @58 pass in quick proto udp from 10.0.0.0/8 to any port 33433 >< 33535 keep state group 300
>> @59 pass in quick proto tcp/udp from 10.11.0.0/16 to any port = 8880 keep state group 300
>> @34 block in log quick from any to any
>> ::::::::::::::::::::::::::::::::
>Hi,
>It's early so I probably shouldn't be replying to this but....
>I am a newbie to m0n0wall, but not to firewalls, and more expressly FreeBSD
>firewalls. Were these connections you see established from within the network?
>Or are the connections coming in on their own?

the connections were established from inside the WLAN / OLSR network, which is
NOT the LAN network. then they magically seem to pass the firewall.

>What happens if you move the last rule 34 up to the top of the list?

i'm afraid i can't do that, because it's the default blocking rule.

and Chris Buechler said:
>> definitely NOT allowed in my list. thus they normally should be blocked by the
>> default blocking rule of the WLAN interface. but they pass through, as i can
>> see in the output of iptraf on the linksys. the ports that were passed the last
>> time were different ones between 62000 and 63000.
>They're ephemeral ports, most likely source ports are what you're
>seeing, and it has to be allowed by the state table if it isn't
>allowed explicitly in your rules.

those were not the source ports but the destination ports. that means they
followed the ip address of the (internet) location that the local network node
had its connection to.

i upgraded yesterday to m0n0 1.2 and hope to find some more info in the (very
cool indeed) fw state table.

thanks for your help till now.

mathias berek
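As an added illustration of the rule-order and state-table behaviour discussed in this thread (example code written for this page, not m0n0wall's or ipfilter's own code): a small Python model of first-match "quick" evaluation over the rules quoted above, with a keep-state table consulted before the rules. Assumed: the state key ignores interface and direction, and the addresses and ports in the test traffic are made up.

```python
# Added example (not m0n0wall/ipfilter code): first-match "quick" rule evaluation
# plus a keep-state table, using the rule set quoted in the thread.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str            # "pass" or "block"
    protos: tuple          # e.g. ("tcp",) or ("tcp", "udp"); None means any proto
    src: ipaddress.IPv4Network
    dports: tuple          # inclusive (low, high); (0, 65535) means any port
    keep_state: bool = False

    def matches(self, pkt):
        return ((self.protos is None or pkt["proto"] in self.protos)
                and ipaddress.ip_address(pkt["src"]) in self.src
                and self.dports[0] <= pkt["dport"] <= self.dports[1])

NET = ipaddress.ip_network("10.11.0.0/16")   # the WLAN net from the quoted rules
RULES = [
    Rule(55, "pass", ("tcp",), NET, (554, 554), True),
    Rule(56, "pass", ("tcp",), NET, (7070, 7070), True),
    Rule(57, "pass", ("tcp",), NET, (3306, 3306), True),
    # ipfilter's "port 33433 >< 33535" is an exclusive range: 33434..33534
    Rule(58, "pass", ("udp",), ipaddress.ip_network("10.0.0.0/8"), (33434, 33534), True),
    Rule(59, "pass", ("tcp", "udp"), NET, (8880, 8880), True),
    Rule(34, "block", None, ipaddress.ip_network("0.0.0.0/0"), (0, 65535)),
]

def filter_packet(pkt, state):
    """Return (verdict, reason). The state table is checked before any rule,
    so a reply to a stateful session passes without matching a pass rule."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if key in state:
        return "pass", "state"
    for r in RULES:                    # every rule is "quick": first match wins
        if r.matches(pkt):
            if r.keep_state and r.action == "pass":
                state.add(key)
                # reverse-direction entry: the reply is passed by state, not by a rule
                state.add((pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
            return r.action, f"@{r.num}"
    return "pass", "no-match"          # ipfilter's default when nothing matches
```

A fresh TCP connection from the WLAN to an arbitrary high destination port falls through to @34 and is blocked; only packets belonging to a session that an earlier keep-state rule created are passed by the state table.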
