[ previous ] [ next ] [ threads ]
 
 From:  Christoph Hanle <christoph dot hanle at leinpfad dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall rules not working correctly
 Date:  Tue, 21 Mar 2006 19:21:07 +0100
John Joseph Fowler schrieb:
> Hello all,
> 
> Being a new starter to m0n0wall, but managing to have a working network at
> present, I have a strange query/problem with some LAN firewall rules where
> some rules work and some don't?? I'm using version 1.21.
> 
> At present, I have a m0n0wall with 2 NICs one for Lan and one for Wan. Wan
> seems to behaving correctly, but Lan doesn't.
> 
> Internal LAN network is using 172.31.0.0/16 range with a default gateway of
> 172.31.1.1 to internet. I also have a VPN tunnel (handled via a CISCO
> router) to a different site on a network range of 10.0.0.0/8, accessible by
> gateway 172.31.1.2 also connected to internet. Both 172.31.0.0 and 10.0.0.0
> are both located on the LAN side of the m0n0wall not WAN.
> I've inserted a static route in m0n0wall for 10.0.0.0/8 using gateway
> 172.31.1.2 and can successfully connect/ping between the two lans over the
> VPN with the settings below.
> 
> I also have had to enable "Bypass firewall rules for traffic on the same
> interface" because of a problem with firewall my rules not appearing to
> work, explained below.
> 
> I've currently got the following firewall rules defined in LAN below (all as
> pass), and some seem to work successfully, with the understanding that if no
> rule exists then its automatically blocked, and works from the top of the
> list down?
> 
> <proto>--<src>--<port>--<dest>--<port>--<desc>
> *Rule 1* <TCP>--<172.31.1.52>--<*>--<194.217.242.0/24>--<110 (POP3)>--<Pop3
> for Mail server>
> *Rule 2* <TCP>--<172.31.1.52>--<*>--<194.217.242.0/24>--<25 (SMTP)>--<SMTP
> for Mail Server>
> *Rule 3* <*>--<LAN net>--<*>--<10.0.0.0/8>--<*>--<Site 2 LAN access>
> *Rule 4* <TCP>--<LAN net>--<*>--<*>--<21 (FTP)>--<LAN FTP Access (Port 21)>
> *Rule 5* <TCP>--<LAN net>--<*>--<*>--<443 (HTTPS)>--<LAN Web Access (Port
> 443)>
> *Rule 6* <TCP>--<LAN net>--<*>--<*>--<23 (Telnet)>--<LAN Telnet Access (Port
> 23)>
> *Rule 7* <TCP/UDP>--<LAN net>--<*>--<*>--<80 (HTTP)>--<LAN Web Access (Port
> 80)>
> *Rule 8* <TCP>--<10.1.45.13>--<*>--<172.31.4.1>--<443 (HTTPS)>--<Admin
> Access Only>
> *Rule 9* <*>--<10.1.45.13>--<*>--<172.31.1.15>--<*>--<NAS Admin Access Only>
> *Rule 10* <*>--<LAN net>--<*>--<LAN net>--<*>--<Site 1 Local LAN access>
> *Rule 11* <ICMP>--<LAN net>--<*>--<*>--<*>--<Lan to WAN ICMP allow>
> *Rule 12* <UDP>--<LAN net>--<*>--<*>--<53 (DNS)>--<LAN to DNS Servers>
> 
> One problem i have is if i try and insert a new rule between rules 4 & 5 to
> block port 443 from the source "LAN net" to dest "172.31.4.1", it doesn't
> work.
this traffic will not be seen by the m0n0wll, it is both in the same 
segment, you can't block it with your m0n0.
Trafficflow:
Initialise: 172.31.x.x to 172.31.4.1
Answer. 172.31.4.1 to 172.31.x.x
  I can still access 172.31.4.1 via https on any machine supposed to be
> blocked within the lan network, but the wierd thing is when I change rule 8
> to block port 443 for 10.1.45.13 it does work with the "bypass" enabled?
This traffic goes another way:
Initialise: 172.31.x.x to m0n0 to cisco to 10.1.45.13
Answer: 10.1.45.13 to 172.31.x.x8
Here you can use rules, but if on a client in 172.31.0.0/16 exists a 
route 10.0.0.0 mask 255.0.0.0 gw 172.31.1.2 the rule on the m0n0 won't work.

Your concept with the m0n0 and the cisco is not viable. You never will 
never get stable rules between 10.0.0.0/8 and 172.31.0.0/16 managed by 
the m0n0wall.

Ideas to solve the problems:
1. Use ACLs on the cisco
2. use a third interface on the m0n0 a place the cisco in OPT1
3. replace the funktion of the cisco with your m0n0


> 
> Other problem I have is when I disable "bypass firewall rules" as the
> traffic is going through the same NIC, pinging any 172.31.0.0/16 address
> from the 10.0.0.0/8 network returns no replies, but shouldn't a reverse of
> rule 3 allow this through (tried but also didn't work)??
echo request: 10.x.x.x to cisco to 172.31.x.x
echo reply. 172.31.x.x to m0n0 to cisco to 10.x.x.x
same problem with the differnt ways.

bye
Christoph

> 
> Sorry its a bit long... just can't seem to get the rules working ok, even
> with the "bypass" enabled/disabled.
> 
> Any help would be most grateful if the rules are setup incorrectly
> generally, or if there is anything else needs defining within m0n0wall.
> 
> Thanks in advance.
> 
> John
> 
> **********************************************************************
> Serck Controls Ltd, Rowley Drive, Coventry, CV3 4FH, UK
> Tel: +44 (0) 24 7630 5050   Fax: +44 (0) 24 7630 2437
> Web: www.serck-controls.com  Admin: post at serck dash controls dot co dot uk
> A subsidiary of Serck Controls Pty. Ltd. Reg. in England No. 4353634
> **********************************************************************
> This email and files transmitted with it are confidential and 
> intended solely for the use of the individual or entity to whom they 
> are addressed. If you have received this email in error please notify 
> the above. Any views or opinions presented are those of the author 
> and do not necessarily represent those of Serck Controls Ltd. 
> 
> 
> This message has been checked by MessageLabs
> ******************************************************************
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
> 


-- 
last words:
"let's make the backup tomorrow"