 From:  "guy fernando" <guyfernando at hotmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Blocked packets from non-NATed DMZ servers
 Date:  Fri, 06 Jan 2006 14:02:00 +0000
I already have a home-built Linux filtered bridge firewall which has been 
working for about 6 years now. After reading and looking into m0n0wall, I 
was hoping to configure a m0n0wall firewall as a drop-in replacement for the 
old Linux box.

As you all know, installing m0n0wall is a breeze and the web interface is very 
slick; functionality is rich considering the whole application and OS fit 
on less than 8Mb. Congratulations to Manuel and associates for creating such 
a great product, and it's free!

First I naively configured m0n0wall as a bridged firewall and, contrary to 
the m0n0wall documentation, arrogantly presumed I could make the LAN reach 
the DMZ, especially after reading in one mailing-list thread that someone had 
successfully set up a filtered bridge with LAN to DMZ access. After lots of 
tinkering about, I had no such luck. Bruce Mah, a guru in this field, very 
kindly verified that this is not possible with the current version of 
m0n0wall (v1.2) and explained why filtering bridge and NAT do not 100% 
cooperate together. (By the way, if anyone has managed to get bridging 
working with LAN reaching DMZ, please please let me know.)

So now I am going along with the following scenario with m0n0wall (v1.21). My 
ISP has allocated me the following block of IP addresses, x.y.254.64/28, 
which I have divided into two isolated subnets. Not ideal, as I am 
effectively losing 4 IP addresses, x.y.254.67 - 70, as they are not protected 
behind the firewall. But I can live with this scenario.

x.y.254.74/29  |
+---------+   |
| server1 +---|      DMZ         WAN
+---------+   | x.y.254.73/29  x.y.254.66/29
               |    fxp2+----------+fxp0      +----------+
x.y.254.78/29  |--------+ m0n0wall +----------+DSL modem +--->Internet
+---------+   |        +----------+          +----------+
| server2 +---|             |fxp1      x.y.254.65/28
+---------+   |             |LAN
               |             |

m0n0wall settings:

Proxy ARP
  Interface    Network
  WAN          x.y.254.64/28

LAN Rules
    Proto  Source  Port  Destination  Port
  ^ *      LAN net *     *            *

WAN Rules
    Proto  Source  Port  Destination  Port
  ^ ICMP   *       *     *            *
  ^ TCP    *       *     x.y.254.78   25 (SMTP)
  ^ TCP    *       *     x.y.254.74   80 (HTTP)

DMZ Rules
    Proto  Source  Port  Destination  Port
  X *      *       *     LAN net      *
  ^ *      DMZ net *     !LAN net     *

I can reach my servers and the Internet from the NATed LAN without problems. 
The servers can reach the Internet without problems. Everything I want is 
working except that no host outside on the Internet can reach my servers, 
although strangely, they can ping the servers. I have tracked the problem 
down to a built-in m0n0wall firewall rule, namely rule @17, which is blocking any 
outbound responses from my servers that are destined back out to the host 
on the Internet.

Firewall Log:

19:45:59.175790 fxp2 @0:17 b x.y.254.74,80 -> a.b.c.d,44059 PR tcp len 20 64 

I have seen other mailing-list threads mention similar issues with 
packets getting occasionally dropped, but my packets are continuously 
being dropped, and not due to session timeouts either.

My questions are:

1) Why should these packets be continuously dropped?
2) Is it possible the servers are replying with "out of sync" packets?
3) Is there a compatibility problem with Windows web and mail servers, or is 
there some Windows setting that I need to change?
4) Has it anything to do with my servers not being NATed?

Do any m0n0wall experts out there have any idea what's going wrong?
I can send sections of my config if more information is required.

Many thanks
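Editor's added example (not part of the post above, and not m0n0wall's own code): a small Python triage script for log lines in the shape the poster quotes. In ipfilter/ipmon output, `@0:17` is the rule group and rule number that matched, `b` means the packet was blocked (`p` passed), and `len 20 64` gives the IP header length and total length. The script parses such lines and counts blocked packets whose *source* is one of the services published by the WAN rules (x.y.254.78:25 and x.y.254.74:80 in the post). Those are server replies that should have been covered by state from the inbound connection, so a steady stream of them under one rule number narrows the problem to state handling or rule order on the firewall rather than to the servers. The sample log lines are constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 stand in for the poster's x.y.254.0/24 block and the remote host a.b.c.d, and the regex assumes the field layout shown in the post.

```python
"""Triage m0n0wall (ipfilter/ipmon-style) firewall log lines.

Flags blocked packets whose source address:port is a service the WAN rules
publish. Such a packet is a server reply that should have matched existing
state, so a sustained stream of them points at a state-table or rule-order
problem rather than at the server itself.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Matches the line shape quoted in the post:
#   19:45:59.175790 fxp2 @0:17 b x.y.254.74,80 -> a.b.c.d,44059 PR tcp len 20 64
# Trailing fields after the two lengths (TCP flags etc.) are ignored.
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>[\w.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
)


@dataclass(frozen=True)
class Entry:
    time: str
    iface: str
    rule: str      # "group:rule", e.g. "0:17"
    action: str    # "b" = blocked, "p" = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    hlen: int      # IP header length in bytes
    tlen: int      # total packet length in bytes


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["time"], m["iface"], f'{m["group"]}:{m["rule"]}', m["action"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                 m["proto"].lower(), int(m["hlen"]), int(m["tlen"]))


def classify(entry, published):
    """published: set of (address, port, proto) tuples taken from the WAN pass rules."""
    if entry.action == "p":
        return "pass"
    if (entry.src, entry.sport, entry.proto) in published:
        # Reply traffic leaving a published server: should have been stateful.
        return "blocked-reply-from-published-service"
    if (entry.dst, entry.dport, entry.proto) in published:
        return "blocked-request-to-published-service"
    return "other-block"


def triage(lines, published):
    """Return ({category: count}, {rule: count of blocked published-service replies})."""
    by_category = Counter()
    by_rule = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            by_category["unparsed"] += 1
            continue
        cat = classify(e, published)
        by_category[cat] += 1
        if cat == "blocked-reply-from-published-service":
            by_rule[e.rule] += 1
    return dict(by_category), dict(by_rule)


# Constructed sample log (not from the post): documentation addresses stand in
# for the poster's x.y.254.x DMZ hosts and the remote client a.b.c.d.
SAMPLE_LOG = """\
19:45:59.175790 fxp2 @0:17 b 203.0.113.74,80 -> 198.51.100.9,44059 PR tcp len 20 64
19:45:59.177102 fxp2 @0:17 b 203.0.113.74,80 -> 198.51.100.9,44059 PR tcp len 20 64
19:46:01.402211 fxp2 @0:17 b 203.0.113.78,25 -> 198.51.100.9,44060 PR tcp len 20 64
19:46:03.001234 fxp0 @0:17 b 198.51.100.9,51022 -> 203.0.113.74,443 PR tcp len 20 60
19:46:05.500000 fxp0 @0:5 p 198.51.100.9,44061 -> 203.0.113.78,25 PR tcp len 20 60
garbage line that is not a log entry
""".splitlines()

# The services the post's WAN rules publish, as (address, port, proto).
PUBLISHED = {("203.0.113.78", 25, "tcp"), ("203.0.113.74", 80, "tcp")}

if __name__ == "__main__":
    cats, rules = triage(SAMPLE_LOG, PUBLISHED)
    print(cats)   # category counts
    print(rules)  # blocked replies per matching rule, e.g. {'0:17': 3}
```

On a real box, feed it the saved firewall log instead of SAMPLE_LOG and put the actual WAN pass rules in PUBLISHED; if nearly every blocked reply lands under a single rule number (as the post's @0:17 does), that is the rule to investigate first.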