 
 From:  ryanp at hhsys dot org
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] rule allowed but being blocked part 2: full post
 Date:  Tue, 13 Dec 2005 10:48:51 -0600 (CST)
The application is IBM Tivoli backup client.  The TSM server 'pings' the
node then the node talks back and starts performing its backup.  At first
I had the rule set to 'LAN net' instead of 'Network' with physically
typing in the address. One machine [machine A] wasn't working properly. So
then I changed it to 'Network' and typed in the addresses and the previous
one [machine A] started working but now this one [machine B] doesn't want to.
That's what is confusing to me.  I see one connection in the firewall
state table but then I see a few packets getting blocked, so I'm not sure.

Even if it is a broken application, what would you suggest to get this
working? Allow all traffic bidirectional? Because even if the application
does crappy TCP, the machines still have to perform their backups and
m0n0wall isn't allowing that via the sysadmin's eyes who run the boxes.


Chris Buechler said:
> On 12/12/05, ryanp at hhsys dot org <ryanp at hhsys dot org> wrote:
>>
>>
>> These are allowed via
>>
>> TCP 10.246.9.0/24:* to 10.249.0.1:1500
>>
>> but it's still being blocked, I even said allow fragmented packets. still
>> being blocked. block private network is unchecked, what's going on?
>>
>
> It's getting to rule 11:
> @11 block in log quick proto tcp from any to any
>
> so it's not in the state table, and it's not the initiation of a new
> TCP connection (that would then enter the state table for subsequent
> traffic).  Does the particular application work?  Seems like it would
> either be this:
> http://doc.m0n0.ch/handbook/faq-legit-traffic-dropped.html
> or a really broken application.
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>




-------------------------------------------------------------

Note: This email is for the sole use of the intended
recipient(s) and may contain confidential information.  Any
unauthorized review, use, disclosure or distribution is
prohibited.  Contact the sender if received in error.
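The behaviour Chris describes (a TCP packet that matches no state-table entry and is not the SYN of a new connection falls through to the catch-all block rule) is easy to reproduce in a toy model. The Python below is an added illustration written for this thread; it is not m0n0wall or pf code. It models a first-match ("quick") stateful filter with the two rules visible in the thread: a pass rule for TCP from 10.246.9.0/24 to 10.249.0.1 port 1500 that keeps state, and a final `@11 block ... from any to any`. The node and server addresses, client ports, timestamps and the state timeout are constructed; the last packet, a server-initiated connection to the node, is an assumption about what the TSM server's "ping" might look like, added only to show why such a packet would log as blocked by @11 even while the backup session itself sits in the state table.

```python
"""Toy first-match stateful packet filter (pf-style) for the m0n0wall thread.

Model: a pass rule with keep-state only accepts a bare SYN (pf "flags S/SA")
and then creates a state entry; later packets of that flow, in either
direction, ride on the state entry until it idles out; anything else that is
TCP hits the catch-all block rule "@11" quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S", "SA", "A", "PA"
    t: float     # arrival time in seconds on a constructed clock


@dataclass
class Rule:
    label: str            # "@11" mirrors the block rule quoted in the thread
    action: str           # "pass" or "block"
    src: str              # CIDR; 0.0.0.0/0 plays the role of "any"
    dst: str
    dport: Optional[int]  # None = any destination port
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        src_ok = ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
        port_ok = self.dport is None or p.dport == self.dport
        if not (src_ok and dst_ok and port_ok):
            return False
        if self.action == "pass" and self.keep_state:
            # pf "flags S/SA": only a bare SYN may open a new state entry,
            # so a mid-stream ACK/PSH packet never matches this rule.
            return "S" in p.flags and "A" not in p.flags
        return True


class StatefulFilter:
    def __init__(self, rules, state_timeout: float):
        self.rules = rules
        self.state_timeout = state_timeout
        self.states = {}  # flow key -> time of the last packet seen on it

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rkey(p: Packet):
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet):
        # 1. State table is consulted before the rule set, in both directions.
        for key in (self._key(p), self._rkey(p)):
            last = self.states.get(key)
            if last is None:
                continue
            if p.t - last <= self.state_timeout:
                self.states[key] = p.t
                return ("pass", "state")
            del self.states[key]  # idle longer than the timeout: entry expired
        # 2. First matching rule wins ("quick"); a keep-state pass creates state.
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.states[self._key(p)] = p.t
                return (r.action, r.label)
        return ("block", "default")


RULES = [
    Rule("@1", "pass", "10.246.9.0/24", "10.249.0.1/32", 1500, keep_state=True),
    Rule("@11", "block", "0.0.0.0/0", "0.0.0.0/0", None),  # catch-all from the thread
]


def run_scenario(state_timeout: float = 60.0):
    """Replay a constructed backup session and return one decision per packet."""
    fw = StatefulFilter(RULES, state_timeout)
    node, server = "10.246.9.20", "10.249.0.1"   # constructed, inside the thread's ranges
    packets = [
        Packet(node, 40001, server, 1500, "S", 0.0),    # node opens the backup session
        Packet(server, 1500, node, 40001, "SA", 0.1),   # server answers: reverse-direction state hit
        Packet(node, 40001, server, 1500, "A", 0.2),    # handshake completes on the state entry
        Packet(node, 40001, server, 1500, "PA", 200.0), # data after a long idle gap
        Packet(server, 51000, node, 1501, "S", 300.0),  # assumed server-initiated contact; no pass rule
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for timeout in (60.0, 600.0):
        print(f"state timeout {timeout:>5}s:", run_scenario(timeout))
```

With a 60 second timeout the fourth packet finds its state entry expired, does not match @1 (it is not a bare SYN) and is logged as blocked by @11, which is exactly the picture of "one connection in the state table but a few packets blocked"; with a 600 second timeout the same packet passes on state. The fifth packet is blocked under either timeout because no pass rule covers server-to-node connections, so if the TSM server really does initiate contact, a separate pass rule in that direction (not "allow everything bidirectionally") is the targeted fix to test.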