[ previous ] [ next ] [ threads ]
 From:  Tim Vaughan <talltim at gmail dot com>
 To:  waa dash m0n0wall at revpol dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Firewall weirdness (was: Feature suggestion: show related rule in firewall logs)
 Date:  Sun, 22 Jan 2006 23:24:12 +0000
> Hi Tim... The feature you are requesting is already available in m0n0wall.
> Diagnostics -> Logs -> Settings - Check "Show raw filter logs"  and save
> While you are there you should also check "Log packets blocked by the
> default rule" at least for testing purposes.
> Then view the "Firewall logs" page again...
> Note that now, your firewall logs will contain a p (pass), b (block) or
> r (reject) as well as the number of the rule that matched the packet.
> Now, go to:  http://your.m0n0.wall/exec.php
> enter:   ipfstat -ion
> to locate the rule that matches your log entry.

Ok, thanks for that, it's really useful.  This is the offending entry:

23:05:41.532041 sis0 @0:13 b,80 ->,54131 PR
tcp len 20 60 -AS IN

With the corresponding rule:

@13 block in log quick proto tcp from any to any

which I'm guessing is the default rule that blocks anything that isn't
explicity passed.  The problem is that I have other Linux servers on
that network which I can access perfectly well over the VPN and the
LAN interface has the standard pass from any to any rule.

Additionally, I get the following on my work m0n0wall:

21:50:39.187349 sis0 @0:16 b,53214 ->,80 PR
tcp len 20 52 -AF IN
22:12:05.772677 sis0 @0:16 b,53330 ->,80 PR
tcp len 20 40 -AR IN


@16 block in log quick proto tcp from any to any

Which I guess is the default rule again.  I don't have block rules on
the LAN interface, so why are these packets logged as being blocked?