 From:  Alberto Boiti <alberto at omniacom dot it>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  accessing LAN and Internet from OPT1 - problem
 Date:  Fri, 27 Jan 2006 09:22:28 +0100
Hi all,
I don't understand why all packets from the OPT1 interface are blocked
by rule "@14 block in log quick on sis0 from any to any" while I have
more permissive rules that, in my mind, are supposed to let all packets
flow unfiltered anywhere :)

I have a static route to reach the remote LAN attached to OPT1 and I can
ping all the PCs there.

Can anyone help me?

TIA
Alberto


Destination   Gateway       Flags   Refs  Use  Netif  Expire
192.168.0     192.168.3.1   UGSc    0     3    sis0


The log shows these rows, or similar ones:

08:44:41.242500 sis0 @0:14 b 192.168.0.111,1046 -> 217.146.65.7,53 PR udp len 20 68 IN
08:44:41.241870 sis0 @0:14 b 192.168.0.111,1046 -> 212.34.224.132,53 PR udp len 20 68 IN



The configuration of my net is:

86.xx.xx.200 ISP
|
|
M0n0wall --- 192.168.1.1 ---> LAN
|
|
192.168.3.2 OPT1
|
192.168.3.1
|
HDSL router
|
|
HDSL link
|
|
HDSL router
|
192.168.0.1 ---> remote LAN

All the rules defined are:

@1 pass out quick on lo0 from any to any
@2 pass out quick on sis1 proto udp from 192.168.1.1/32 port = 67 to any port = 68
@3 pass out quick on sis2 proto udp from any port = 68 to any port = 67
@4 pass out quick on sis2 proto udp from 82.xx.xx.1/32 port = 500 to any
@5 pass out quick on sis2 proto esp from 82.xx.xx.1/32 to any
@6 pass out quick on sis2 proto ah from 82.xx.xx.1/32 to any
@7 pass out quick on sis1 proto udp from 192.168.1.1/32 port = 500 to any
@8 pass out quick on sis1 proto esp from 192.168.1.1/32 to any
@9 pass out quick on sis1 proto ah from 192.168.1.1/32 to any
@10 pass out quick on sis0 proto udp from 192.168.3.2/32 port = 500 to any
@11 pass out quick on sis0 proto esp from 192.168.3.2/32 to any
@12 pass out quick on sis0 proto ah from 192.168.3.2/32 to any
@13 pass out quick on sis1 from any to any keep state
@14 pass out quick on sis2 from any to any keep state
@15 pass out quick on sis0 from any to any keep state
@16 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on sis1 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on sis1 proto udp from any port = 68 to 192.168.1.1/32 port = 67
@6 block in log quick on sis2 from 192.168.1.0/24 to any
@7 block in log quick on sis2 from 192.168.3.0/24 to any
@8 block in log quick on sis2 proto udp from any port = 67 to 192.168.1.0/24 port = 68
@9 pass in quick on sis2 proto udp from any port = 67 to any port = 68
@10 skip 2 in on sis1 from 192.168.0.0/24 to any
@11 skip 1 in on sis1 from 192.168.1.0/24 to any
@12 block in log quick on sis1 from any to any
@13 skip 1 in on sis0 from 192.168.3.0/24 to any
@14 block in log quick on sis0 from any to any
@15 pass in quick on sis2 proto udp from any to 82.yy.yy.1/32 port = 500
@16 pass in quick on sis2 proto esp from any to 82.yy.yy.1/32
@17 pass in quick on sis2 proto ah from any to 82.yy.yy.1/32
@18 pass in quick on sis1 proto udp from any to 192.168.1.1/32 port = 500
@19 pass in quick on sis1 proto esp from any to 192.168.1.1/32
@20 pass in quick on sis1 proto ah from any to 192.168.1.1/32
@21 pass in quick on sis0 proto udp from any to 192.168.3.2/32 port = 500
@22 pass in quick on sis0 proto esp from any to 192.168.3.2/32
@23 pass in quick on sis0 proto ah from any to 192.168.3.2/32
@24 skip 1 in proto tcp from any to any flags S/FSRA
@25 block in log quick proto tcp from any to any
@26 block in log quick on sis1 from any to any head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.1/32 keep state group 100
@2 pass in quick proto icmp from any to any keep state group 100
@3 pass in quick proto tcp from 192.168.1.0/24 to any port = 21 keep state group 100
@4 pass in quick proto tcp from 192.168.1.0/24 to any port = 80 keep state group 100
@5 pass in quick proto tcp from 192.168.1.0/24 to any port = 110 keep state group 100
@6 pass in quick proto tcp from 192.168.1.0/24 to any port = 143 keep state group 100
@7 pass in quick proto tcp from 192.168.1.0/24 to any port = 443 keep state group 100
@27 block in log quick on sis2 from any to any head 200
@1 pass in quick proto tcp from any to 192.168.1.1/32 port = 443 keep state group 200
@2 pass in quick proto icmp from any to any keep state group 200
@3 pass in quick proto tcp from any to 192.168.1.xxx/32 port = 23 keep state group 200
@4 pass in quick proto tcp from any to 192.168.1.xxx/32 port = 21 keep state group 200
@5 pass in quick proto udp from any to any port = 53 keep state group 200
@6 pass in quick proto tcp from any to 192.168.1.xxx/32 port = 5900 keep state group 200
@7 pass in quick proto tcp from any to 192.168.0.xxx/32 port = 5900 keep state group 200
@8 pass in quick proto tcp from any to 192.168.0.xxx/32 port = 5900 keep state group 200
@28 block in log quick on sis0 from any to any head 300
@1 pass in quick proto udp from 192.168.0.0/24 to any keep state group 300
@2 pass in quick proto tcp from 192.168.0.0/24 to any keep state group 300
@3 pass in quick proto icmp from 192.168.0.0/24 to any keep state group 300
@4 pass in quick proto udp from 192.168.3.0/24 to any keep state group 300
@5 pass in quick proto tcp from 192.168.3.0/24 to any keep state group 300
@6 pass in quick proto icmp from 192.168.3.0/24 to any keep state group 300
@29 block in log quick from any to any
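The following is an added example, not code from the post or from m0n0wall: a small walker that applies ipf's "quick", "skip N" and "head/group" semantics to a constructed subset of the inbound sis0 (OPT1) rules above, so you can trace the logged packet from 192.168.0.111 to the rule that decides it. The OPT1_IN_WITH_REMOTE_SKIP chain is a hypothetical variant that adds, ahead of @13, the same kind of per-subnet skip rule the sis1 chain carries for 192.168.0.0/24 (@10 there); it only shows how the walk would differ, not what m0n0wall generates.

```python
import ipaddress

# Constructed model of the inbound ipf rules from the post that a UDP packet
# arriving on sis0 (OPT1) can match. Tuple: rule id, action, interface, source
# prefix, argument (skip count for "skip", group number for "head"). The IPsec
# and TCP-only rules between @14 and @28 never match this traffic and are omitted.
OPT1_IN = [
    ("@13", "skip", "sis0", "192.168.3.0/24", 1),
    ("@14", "block", "sis0", "0.0.0.0/0", None),
    ("@28", "head", "sis0", "0.0.0.0/0", 300),
]
# Hypothetical variant (assumption, not from the post): a per-subnet skip for
# 192.168.0.0/24 placed ahead of @13, shaped like the post's sis1 rule @10.
OPT1_IN_WITH_REMOTE_SKIP = [("@12a", "skip", "sis0", "192.168.0.0/24", 2)] + OPT1_IN
GROUPS = {300: [
    ("@1", "pass", "sis0", "192.168.0.0/24", None),   # group 300 @1 (udp)
    ("@4", "pass", "sis0", "192.168.3.0/24", None),   # group 300 @4 (udp)
]}

def walk(rules, iface, src, groups=GROUPS):
    """Walk a 'quick' rule chain the way ipf does and return (rule id, verdict).

    'skip N' jumps over the next N rules; a 'head' rule hands the packet to its
    group and, if nothing in the group passes it, the head's own block applies.
    """
    addr = ipaddress.ip_address(src)
    i = 0
    while i < len(rules):
        rid, action, rif, net, arg = rules[i]
        if rif != iface or addr not in ipaddress.ip_network(net):
            i += 1
            continue
        if action == "skip":
            i += arg + 1
            continue
        if action == "head":
            hit = walk(groups[arg], iface, src, groups)
            return hit if hit[1] == "pass" else (rid, "block")
        return (rid, action)
    return (None, "no match")

if __name__ == "__main__":
    # The packet from the post's log: 192.168.0.111 -> port 53, inbound on sis0.
    print(walk(OPT1_IN, "sis0", "192.168.0.111"))                   # ('@14', 'block')
    # A source inside 192.168.3.0/24 is exempted by @13 and reaches group 300.
    print(walk(OPT1_IN, "sis0", "192.168.3.1"))                     # ('@4', 'pass')
    # With the hypothetical extra skip, the remote LAN reaches group 300 @1.
    print(walk(OPT1_IN_WITH_REMOTE_SKIP, "sis0", "192.168.0.111"))  # ('@1', 'pass')
```

The walk shows that @13 only exempts sources in 192.168.3.0/24 from the @14 block, so a source in the remote 192.168.0.0/24 network never reaches the permissive group 300 rules.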