[ previous ] [ next ] [ threads ]
 
 From:  "John Joseph Fowler" <jfowler at serck dash controls dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Firewall rules not working correctly
 Date:  Tue, 21 Mar 2006 16:53:24 -0000
Hello all,

Being a new starter to m0n0wall, but managing to have a working network at
present, I have a strange query/problem with some LAN firewall rules where
some rules work and some don't?? I'm using version 1.21.

At present, I have a m0n0wall with 2 NICs one for Lan and one for Wan. Wan
seems to behaving correctly, but Lan doesn't.

Internal LAN network is using 172.31.0.0/16 range with a default gateway of
172.31.1.1 to internet. I also have a VPN tunnel (handled via a CISCO
router) to a different site on a network range of 10.0.0.0/8, accessible by
gateway 172.31.1.2 also connected to internet. Both 172.31.0.0 and 10.0.0.0
are both located on the LAN side of the m0n0wall not WAN.
I've inserted a static route in m0n0wall for 10.0.0.0/8 using gateway
172.31.1.2 and can successfully connect/ping between the two lans over the
VPN with the settings below.

I also have had to enable "Bypass firewall rules for traffic on the same
interface" because of a problem with firewall my rules not appearing to
work, explained below.

I've currently got the following firewall rules defined in LAN below (all as
pass), and some seem to work successfully, with the understanding that if no
rule exists then its automatically blocked, and works from the top of the
list down?

<proto>--<src>--<port>--<dest>--<port>--<desc>
*Rule 1* <TCP>--<172.31.1.52>--<*>--<194.217.242.0/24>--<110 (POP3)>--<Pop3
for Mail server>
*Rule 2* <TCP>--<172.31.1.52>--<*>--<194.217.242.0/24>--<25 (SMTP)>--<SMTP
for Mail Server>
*Rule 3* <*>--<LAN net>--<*>--<10.0.0.0/8>--<*>--<Site 2 LAN access>
*Rule 4* <TCP>--<LAN net>--<*>--<*>--<21 (FTP)>--<LAN FTP Access (Port 21)>
*Rule 5* <TCP>--<LAN net>--<*>--<*>--<443 (HTTPS)>--<LAN Web Access (Port
443)>
*Rule 6* <TCP>--<LAN net>--<*>--<*>--<23 (Telnet)>--<LAN Telnet Access (Port
23)>
*Rule 7* <TCP/UDP>--<LAN net>--<*>--<*>--<80 (HTTP)>--<LAN Web Access (Port
80)>
*Rule 8* <TCP>--<10.1.45.13>--<*>--<172.31.4.1>--<443 (HTTPS)>--<Admin
Access Only>
*Rule 9* <*>--<10.1.45.13>--<*>--<172.31.1.15>--<*>--<NAS Admin Access Only>
*Rule 10* <*>--<LAN net>--<*>--<LAN net>--<*>--<Site 1 Local LAN access>
*Rule 11* <ICMP>--<LAN net>--<*>--<*>--<*>--<Lan to WAN ICMP allow>
*Rule 12* <UDP>--<LAN net>--<*>--<*>--<53 (DNS)>--<LAN to DNS Servers>

One problem i have is if i try and insert a new rule between rules 4 & 5 to
block port 443 from the source "LAN net" to dest "172.31.4.1", it doesn't
work. I can still access 172.31.4.1 via https on any machine supposed to be
blocked within the lan network, but the wierd thing is when I change rule 8
to block port 443 for 10.1.45.13 it does work with the "bypass" enabled?

Other problem I have is when I disable "bypass firewall rules" as the
traffic is going through the same NIC, pinging any 172.31.0.0/16 address
from the 10.0.0.0/8 network returns no replies, but shouldn't a reverse of
rule 3 allow this through (tried but also didn't work)??

Sorry its a bit long... just can't seem to get the rules working ok, even
with the "bypass" enabled/disabled.

Any help would be most grateful if the rules are setup incorrectly
generally, or if there is anything else needs defining within m0n0wall.

Thanks in advance.

John

**********************************************************************
Serck Controls Ltd, Rowley Drive, Coventry, CV3 4FH, UK
Tel: +44 (0) 24 7630 5050   Fax: +44 (0) 24 7630 2437
Web: www.serck-controls.com  Admin: post at serck dash controls dot co dot uk
A subsidiary of Serck Controls Pty. Ltd. Reg. in England No. 4353634
**********************************************************************
This email and files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they 
are addressed. If you have received this email in error please notify 
the above. Any views or opinions presented are those of the author 
and do not necessarily represent those of Serck Controls Ltd. 


This message has been checked by MessageLabs
******************************************************************