 
 From:  Christian Graffeuille <frachg at yahoo dot fr>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE : Re: [m0n0wall] m0n0wall and ADSL router: all traffic is blocked
 Date:  Wed, 21 Jun 2006 11:53:16 +0200 (CEST)
Wow, thanks guys, I am overwhelmed! 3 replies already!!!!    :oD
Thanks for caring.

I have now learnt that ARP messages exist :o), and indeed, what gm told me makes lots of sense, so I
have set all my subnets to 24 so that the different hosts know they shouldn't try to access the MAC
addresses directly when m0n0wall is in the way.

My IP addresses are fine, Klaus, I can ping them when m0n0wall isn't there (and masks are back to
/22), and I have no other connection. No WLAN.

Mark, what more can I do to open my ports than have green arrow *   *   *   *   *  for all three LAN
WAN OPT1 tabs? (I have removed this rule for WAN as it seems to be unsafe and unnecessary since MW
works out connection responses by itself).

I am not using DHCP, all is static from the router on. NAT is on the router only. I really just want
to get MW to let everything pass thru atm. I'll prioritise ACK and DMZ traffic when I get
traffic.....      =:o/

So the non-working config is now

(Internet)
   |
   |
 (WAN: Dynamic Public IP)
 Dynalink RTA300 ADSL router, NAT, DNS proxy, no DHCP
 (LAN: 192.168.0.1/24)
   |
   |
 (WAN: 192.168.0.2/24  GW: 192.168.0.1   ed1)
 m0n0wall 192.168.1.2 (LAN IP addy on the console), no other config
 (LAN: 192.168.1.2/24  xl0)        (DMZ: 192.168.2.2/24  fxp0)
    |                                  |
    |                                  |
 (PCs: 192.168.1.1/24)            (DMZ: 192.168.2.35/24)

 Firewall rules
 green arrow *   *   *   *   *  for all three LAN WAN OPT1 tabs
 

I can still ping from m0n0 to PC and DMZ, not to router, not from host to host.

Thanks for your insight. Christian


In case it helps, a few status tables:

Interfaces 
fxp0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
 options=40<POLLING>
 inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
 ether 00:08:c7:9c:4b:73
 media: Ethernet autoselect (10baseT/UTP)
 status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=1<RXCSUM>
 inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
 ether 00:10:4b:65:e0:b5
 media: Ethernet autoselect (100baseTX <full-duplex>)
 status: active
ed1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
 ether 00:00:b4:85:60:12
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 inet 127.0.0.1 netmask 0xff000000
     Routing tables 
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGSc        0        0    ed1
127.0.0.1          127.0.0.1          UH          1    42440    lo0
192.168.0          link#3             UC          1        0    ed1
192.168.0.1        link#3             UHLW        1        0    ed1
192.168.1          link#2             UC          1        0    xl0
192.168.1.200      00:c0:a8:7b:48:1f  UHLW        1      347    xl0   1049
192.168.2          link#1             UC          0        0   fxp0
  
   ipfw show 
ipfw: getsockopt(IP_FW_GET): Protocol not available
     ipnat -lv 
List of active MAP/Redirect filters:
map ed1 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map ed1 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map ed1 192.168.1.0/24 -> 0.0.0.0/32
map ed1 192.168.2.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map ed1 192.168.2.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map ed1 192.168.2.0/24 -> 0.0.0.0/32

List of active sessions:

List of active host mappings:
  
   ipfstat -v 
opts 0x40 name /dev/ipl
 IPv6 packets:  in 0 out 0
 input packets:  blocked 57 passed 42746 nomatch 0 counted 0 short 0
output packets:  blocked 0 passed 42788 nomatch 0 counted 0 short 0
 input packets logged: blocked 57 passed 0
output packets logged: blocked 0 passed 0
 packets logged: input 0 output 0
 log failures:  input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 54 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 11 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
 none
  
   ipfstat -nio 
@1 pass out quick on lo0 from any to any
@2 pass out quick on xl0 proto udp from 192.168.1.2/32 port = 67 to any port = 68
@3 pass out quick on ed1 proto udp from any port = 68 to any port = 67
@4 pass out quick on xl0 from any to any keep state
@5 pass out quick on ed1 from any to any keep state
@6 pass out quick on fxp0 from any to any keep state
@7 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on xl0 proto udp from any port = 68 to 192.168.1.2/32 port = 67
@6 block in log quick on ed1 from 192.168.1.0/24 to any
@7 block in log quick on ed1 from 192.168.2.0/24 to any
@8 block in log quick on ed1 proto udp from any port = 67 to 192.168.1.0/24 port = 68
@9 pass in quick on ed1 proto udp from any port = 67 to any port = 68
@10 block in log quick on xl0 from !192.168.1.0/24 to any
@11 block in log quick on fxp0 from !192.168.2.0/24 to any
@12 skip 1 in proto tcp from any to any flags S/FSRA
@13 block in log quick proto tcp from any to any
@14 block in log quick on xl0 from any to any head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.2/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@3 pass in quick from any to any keep state group 100
@15 block in log quick on ed1 from any to any head 200
@1 pass in quick from 192.168.1.0/24 to any keep state group 200
@16 block in log quick on fxp0 from any to any head 300
@1 pass in quick from 192.168.1.0/24 to any keep state group 300
@2 pass in quick from any to any keep state group 300
@17 block in log quick from any to any
  
   unparsed ipnat rules 
map ed1 192.168.1.0/24  -> 0/32 proxy port ftp ftp/tcp
map ed1 192.168.1.0/24  -> 0/32 portmap tcp/udp auto
map ed1 192.168.1.0/24  -> 0/32
map ed1 192.168.2.0/24  -> 0/32 proxy port ftp ftp/tcp
map ed1 192.168.2.0/24  -> 0/32 portmap tcp/udp auto
map ed1 192.168.2.0/24  -> 0/32

  
   unparsed ipfilter rules 
# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on xl0 proto udp from any port = 68 to 192.168.1.2 port = 67
pass out quick on xl0 proto udp from 192.168.1.2 port = 67 to any port = 68

# WAN spoof check
block in log quick on ed1 from 192.168.1.0/24 to any
block in log quick on ed1 from 192.168.2.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on ed1 proto udp from any port = 68 to any port = 67
block in log quick on ed1 proto udp from any port = 67 to 192.168.1.0/24 port = 68
pass in quick on ed1 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on xl0 from ! 192.168.1.0/24 to any
block in log quick on fxp0 from ! 192.168.2.0/24 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on xl0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on xl0 all keep state 

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on ed1 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on ed1 all keep state 
  
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state 

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.1.0/24 to 192.168.1.2 keep state group 100

# User-defined rules follow
pass in quick from 192.168.1.0/24 to any keep state group 200 
pass in quick from 192.168.1.0/24 to any keep state group 300 
pass in quick from any to any keep state group 300 
pass in quick from 192.168.1.0/24 to any keep state group 100 
pass in quick from any to any keep state group 100 
 
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

  
   unparsed ipfw rules 
add 50000 set 4 pass all from 192.168.1.2 to any
add 50001 set 4 pass all from any to 192.168.1.2
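As an added illustration (my code, not Christian's and not m0n0wall's own), a small Python first-match evaluator over the inbound xl0/ed1 rules from the ipfstat -nio listing above. It reports which rule decides a constructed packet: a LAN host's packet to the router passes via group 100, an unsolicited packet arriving on ed1 from the router side matches nothing in group 200 and is blocked by the group head (only state created by an earlier outbound packet would let it in), and a DMZ address showing up on xl0 trips the LAN spoof check. Port, TCP-flag, short/ipopt, skip and state handling are outside its scope.

```python
import ipaddress

# Constructed sample input: the inbound LAN (xl0) and WAN (ed1) rules from the post's
# 'ipfstat -nio' listing; port, TCP-flag, short/ipopt and skip rules are not modelled.
RULESET = """\
@6 block in log quick on ed1 from 192.168.1.0/24 to any
@10 block in log quick on xl0 from !192.168.1.0/24 to any
@14 block in log quick on xl0 from any to any head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.2/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@15 block in log quick on ed1 from any to any head 200
@1 pass in quick from 192.168.1.0/24 to any keep state group 200
@17 block in log quick from any to any""".splitlines()

def parse(line):
    """Pick out the fields this evaluator uses from one ipfstat rule line."""
    tok = line.split()
    rule = {"id": tok[0], "action": tok[1], "on": None, "head": None, "group": None}
    for key in ("on", "from", "to", "head", "group"):
        if key in tok:
            rule[key] = tok[tok.index(key) + 1]
    return rule

def addr_match(spec, ip):
    """'any', a CIDR, or a '!'-negated CIDR as written in the spoof-check rules."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")

def decide(iface, src, dst, lines=RULESET):
    """First-match ('quick') walk: a matching head rule hands the packet to its group
    and applies its own action when no group rule matches. Returns (action, rule)."""
    rules = [parse(ln) for ln in lines]
    def hit(r):
        return (r["on"] in (None, iface) and addr_match(r["from"], src)
                and addr_match(r["to"], dst))
    for rule in [r for r in rules if r["group"] is None]:
        if not hit(rule):
            continue
        for sub in [r for r in rules if rule["head"] and r["group"] == rule["head"]]:
            if hit(sub):
                return sub["action"], f"{sub['id']} group {rule['head']}"
        return rule["action"], rule["id"]
    return "block", "none"

if __name__ == "__main__":
    print(decide("xl0", "192.168.1.1", "192.168.0.1"))   # PC -> router: pass, @2 group 100
    print(decide("ed1", "192.168.0.1", "192.168.1.1"))   # unsolicited from router side: block, @15
    print(decide("xl0", "192.168.2.35", "192.168.0.1"))  # DMZ address on LAN: block, @10
```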
