 From:  Alain Fauconnet <alain at ait dot ac dot th>
 To:  Dinesh Nair <dinesh at alphaque dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] how to allow incoming connections from WAN to LAN? (no NAT)
 Date:  Thu, 24 Nov 2005 07:54:36 +0700
Dinesh,

Thanks for your reply.

On Wed, Nov 23, 2005 at 10:29:10PM +0800, Dinesh Nair wrote:
> 
> On 11/23/05 18:51 Alain Fauconnet said the following:
> >The only reference to this I've found is
> >http://doc.m0n0.ch/handbook/faq-no-nat.html.
> >I've enabled 'advanced outbound NAT' as advised, but this has made no
> >change. I'm not sure how it would anyway, since I don't use NAT
> >at all.
> 
> enabling Advanced Outbound NAT and then not adding any entries effectively 
> disables NAT on LAN->WAN packets. i know this sounds counter-intuitive, but 
> that's the way it is. :)

So why do I still have all those NAT-related entries in the status.php
output? OK, I need to study ipfw and ipnat... my culture is Linux's
iptables.

> 
> >LAN is 222.222.64.0/23
> >WAN is 222.222.64.48/30
> 
> looks like you've got a split subnet. /23 on your LAN will clash with /30 
> on your WAN.

Sorry, typo. WAN is 222.222.63.48/30 (this shows in the status.php
output anyway)
Routing is fine.

Any more input? Why are the (WAN->LAN) replies to incoming
(WAN->LAN) connections rejected although I don't have a single reject
rule and I allow everything on both sides?

My gut feeling is that statefulness works only for LAN->WAN
connections by design of M0n0wall, so I need to "hack" the
configuration of the firewall by means of 'shellcmd' entries in config,
but this is just a wild guess at this point.

Greets,
_Alain_