 From:  Steve Johnson <sjohnson at warpdriveonline dot com>
 To:  Lee Sharp <leesharp at hal dash pc dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] no WAN access to DMZ http
 Date:  Mon, 06 Mar 2006 20:21:50 -0700
Lee Sharp wrote:
> From: "Steve Johnson" <sjohnson at warpdriveonline dot com>
>> Steve Johnson wrote:
>>> Lee Sharp wrote:
>>>> Is your m0n0wall web interface http or https?  If http, it could be 
>>>> the antilockout rule.  Try changing m0n0wall to https and see if it 
>>>> works.
>>> Good idea, but no, that wasn't it. I switched webGUI protocol to 
>>> https and rebooted the firewall. I still get a connection timeout 
>>> from the accessing browser, and no record of the access attempt in 
>>> the log.
>> I checked with the ISP and found out that they block port 25, but 
>> nothing else. So now I'm really stumped as to why I'm not seeing http 
>> access attempts in the firewall log.
> To get in you need both an inbound NAT rule and a firewall rule.  An 
> easy check is to flip back to http for m0n0wall and turn off the 
> inbound NAT.  If you get the m0n0wall page, you have the firewall rule 
> OK.  If not, you need to open up the firewall more.  If you do get it, 
> look at your inbound NAT rule.
>                        Lee
[ Problem summary: I can't access http server in the DMZ from WAN 
interface. From the LAN interface, it's fine. ]

I set the webGUI back to http and deleted the NAT rule. When I browse 
the WAN IP address from outside, I get the same result -- a connection 
timeout at the browser and no indication of an access attempt in the 
log. I then rewrote the one WAN rule to pass all traffic inbound to any 
http port on any interface. Still nothing and still no log entries.

Out of curiosity, I tried hitting the IP address on a variety of ports 
and protocols: ping, ssh, telnet, ftp and telnet to port 80. All were 
blocked, but at least the ping, ssh and telnet showed up in the log as 
blocked packets. http and ftp simply vanished:

Block  19:59:36.901484  WAN  216.17.nnn.nnn, port 48549  24.56.nnn.nn, port 22      TCP
Block  19:59:11.361441  WAN  216.17.nnn.nnn, port 8089   24.56.nnn.nn, port 23      TCP
Block  19:50:36.096978  WAN  216.17.nnn.nnn              24.56.nnn.nn, type echo/0  ICMP

More and more I'm thinking this is an ISP issue. They confirmed today 
that they routinely block SMTP port 25. I think they're blocking other 
ports as well. I will check and really make them work to confirm it. 
Does anyone else have another suggestion as to what might be happening?
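One way to make the comparison in the message above mechanical, as an added example that is not part of the original post or of m0n0wall itself: the script parses the firewall-log layout quoted above (constructed sample lines reusing the masked addresses from the post), checks each outside probe against the log, and reports which probes were logged as blocked on the WAN interface and which produced no entry at all. The probe list, the function names and the "logged / no entry" wording are assumptions made for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the m0n0wall firewall-log layout quoted in the message
# (action, timestamp, interface, source, destination, protocol). The masked
# addresses are the ones from the post, not real hosts.
SAMPLE_LOG = """\
Block  19:59:36.901484  WAN  216.17.nnn.nnn, port 48549  24.56.nnn.nn, port 22      TCP
Block  19:59:11.361441  WAN  216.17.nnn.nnn, port 8089   24.56.nnn.nn, port 23      TCP
Block  19:50:36.096978  WAN  216.17.nnn.nnn              24.56.nnn.nn, type echo/0  ICMP
"""

# Probes sent from the outside host, mirroring the ones described in the post:
# (label, protocol, destination port; None for ICMP echo). Hypothetical list.
PROBES: List[Tuple[str, str, Optional[int]]] = [
    ("ping", "ICMP", None),
    ("ssh", "TCP", 22),
    ("telnet", "TCP", 23),
    ("ftp", "TCP", 21),
    ("http", "TCP", 80),
]

# One log line: "<action> <time> <iface> <src>[, port N] <dst>[, port N | , type T] <proto>"
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<time>[\d:.]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[^,\s]+)(?:,\s*port\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>[^,\s]+)(?:,\s*(?:port\s+(?P<dport>\d+)|type\s+(?P<icmptype>\S+)))?\s+"
    r"(?P<proto>\w+)\s*$"
)


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse firewall-log lines into dicts; raise on a line that does not fit the layout."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised log line: %r" % line)
        entries.append(m.groupdict())
    return entries


def seen_at_firewall(entries, proto: str, dport: Optional[int], iface: str = "WAN") -> bool:
    """True if any entry on `iface` matches the probe's protocol (and destination port for TCP)."""
    for e in entries:
        if e["iface"] != iface or e["proto"] != proto:
            continue
        if proto == "ICMP":
            return True
        if e["dport"] is not None and int(e["dport"]) == dport:
            return True
    return False


def classify_probes(log_text: str, probes, iface: str = "WAN") -> Dict[str, str]:
    """Map each probe label to whether the firewall logged it on the given interface."""
    entries = parse_log(log_text)
    verdict = {}
    for label, proto, dport in probes:
        if seen_at_firewall(entries, proto, dport, iface):
            verdict[label] = "logged at firewall"
        else:
            verdict[label] = "no log entry (never reached the firewall, or matched an unlogged rule)"
    return verdict


if __name__ == "__main__":
    for label, verdict in classify_probes(SAMPLE_LOG, PROBES).items():
        print("%-7s %s" % (label, verdict))
```

Run against the three quoted lines it reports ping, ssh and telnet as logged and ftp and http as having no entry, which is the observation the post is built on. The caveat is in the second verdict string: a missing entry only proves the packet was not logged, so before blaming the upstream provider confirm that the rule the packet would hit (the default deny, or any pass rule left in place) actually has logging enabled; a packet matching a non-logging pass rule disappears from the log in exactly the same way as one filtered before it reaches the WAN interface.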