 From:  KnightMB <knightmb at knightmb dot dyndns dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FW: m0n0wall blocks incoming UDP 500
 Date:  Wed, 15 Mar 2006 02:21:45 -0600
To aid in this conversation, I used a port tool to test 
incoming/outgoing ports on m0n0wall PC image version 1.21.

Since I can only manually test one port at a time for data input/output, 
I only did ports 500 UDP to 505 UDP and TCP for giggles.

My test showed that m0n0wall doesn't pass UDP packets on Port 500 as 
this person has stated, but it worked fine on ports 501, 502, 503, etc. 
My test did find that TCP packets would pass port 500 just fine.  I even 
tried port remapping, like m0n0wall port 500 to 501 just to see if it 
was the direct 500:500 that was having the problem and still packets are 
dropped. I checked the firewall log of m0n0wall to see if maybe those 
packets would show up there, nothing found.

I know that by default on a Windows machine, you can't listen for port 
500 UDP because it's being used by the lsass.exe server process, but my 
test on both a Windows workstation (with a killed lsass.exe process) and 
Linux workstation shows that m0n0wall will not pass port 500 UDP using 
simple NAT rules and pass rules for the firewall.  I haven't tried 
assigning a machine an external WAN address and doing the same test for 
sanity reasons.  Maybe someone can shed some light on why m0n0wall would 
discard packets coming inbound on port 500 UDP?


Polus, Tomasz wrote:
>> -----Original Message-----
>> From: Chris Buechler [mailto:cbuechler at gmail dot com] 
>> Sent: Wednesday, March 15, 2006 1:15 AM
>> Cc: m0n0wall at lists dot m0n0 dot ch
>> Subject: Re: [m0n0wall] FW: m0n0wall blocks incoming UDP 500
>> On 3/14/06, Polus, Tomasz <tomek at polvision dot com dot pl> wrote:
>>> Come on guys, I don't believe m0n0wall working as a NAT gateway cannot
>>> pass returning UDP 500 packets....
>> Of course it can.  That's not the problem.  The problem is 
>> most likely that you don't have NAT-T enabled on the Linksys 
>> you're connecting to.
> Nope. As I stated before, Linux NAT works great in this configuration.
> After switching from Linux to m0n0wall - connection cannot be
> established.
> Me --- Linux NAT      --- INTERNET --- Linksys VPN router  = YES
> Me --- m0n0wall NAT --- INTERNET --- Linksys VPN router  = NO
>>  The process of NAT breaks IPsec unless the terminating 
>> device supports and has NAT-T enabled.  Previously, you may 
>> have had ESP forwarded to your machine, but ipfilter doesn't 
>> support anything but TCP and UDP on non-1:1 forwards.
> In other words.... Linux can do it, but FreeBSD cannot? Very
> interesting....