I have set up a monowall machine with 3 interfaces, WAN, LAN and DMZ, as per the monowall FAQ. I have one computer connected with a TP crossover cable to the monowall's DMZ interface.
It works to ping and to connect TO the DMZ'ed machine, but from that machine I can't get any ping or connection to the outside; I can't even ping the DMZ interface!
The DMZ'ed machine uses FreeBSD with resolv set to my ISP's DNS (as all my computers) and defaultrouter set to the DMZ interface...
My config is below:
m0n0wall: status
Sat Aug 12 01:48:16 CEST 2006
Note: make sure to remove any sensitive information (passwords, maybe also IP addresses) before posting information from this page in public places (like mailing lists)!
Passwords in config.xml have been automatically removed.
System uptime
1:48AM up 2 days, 11:10, 0 users, load averages: 0.04, 0.03, 0.01
Interfaces
fxp0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
options=40<POLLING>
inet *.#.136.89 netmask 0xffffffc0 broadcast *.#.136.127
ether 00:50:8b:0f:13:83
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1<RXCSUM>
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:10:5a:9e:8e:e3
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=40<POLLING>
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:10:b5:4a:00:08
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
Routing tables
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default #.#.136.65 UGSc 3 2533319 fxp0
*.#.136.64/26 link#1 UC 1 0 fxp0
*.#.136.65 00:d0:52:0b:53:55 UHLW 3 0 fxp0 862
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.0 link#2 UC 2 0 xl0
192.168.0.6 00:02:a5:30:54:74 UHLW 0 94698 xl0 676
192.168.0.8 00:d0:59:17:71:15 UHLW 2 1177 xl0 789
192.168.1 link#3 UC 1 0 rl0
192.168.1.2 link#3 UHLW 0 1 rl0
ipfw show
ipfw: getsockopt(IP_FW_GET): Protocol not available
unparsed ipnat rules
map fxp0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.0.0/24 -> 0/32
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.0/24 -> 0/32
unparsed ipfilter rules
# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# block short packets
block in log quick all with short
# block IP options
block in log quick all with ipopts
# allow access to DHCP server on LAN
pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on xl0 proto udp from any port = 68 to 192.168.0.1 port = 67
pass out quick on xl0 proto udp from 192.168.0.1 port = 67 to any port = 68
# WAN spoof check
block in log quick on fxp0 from 192.168.0.0/24 to any
block in log quick on fxp0 from 192.168.1.0/24 to any
# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on fxp0 proto udp from any port = 68 to any port = 67
block in log quick on fxp0 proto udp from any port = 67 to 192.168.0.0/24 port = 68
pass in quick on fxp0 proto udp from any port = 67 to any port = 68
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on xl0 from ! 192.168.0.0/24 to any
block in log quick on rl0 from ! 192.168.1.0/24 to any
# block anything from private networks on WAN interface
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on xl0 all head 100
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on xl0 all keep state
#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 200
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 300
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state
# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.0.0/24 to 192.168.0.1 keep state group 100
# User-defined rules follow
pass in quick proto tcp from any to any keep state group 300
pass in quick from 192.168.0.0/24 to any keep state group 100
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all
unparsed ipfw rules
add 50000 set 4 pass all from 192.168.0.1 to any
add 50001 set 4 pass all from any to 192.168.0.1
resolv.conf
domain test.no-ip.org
nameserver 195.54.122.200
nameserver 195.54.122.204
dhcpd.conf
cat: /var/etc/dhcpd.conf: No such file or directory
ez-ipupdate.cache
cat: /conf/ez-ipupdate.cache: No such file or directory
df
Filesystem 512-blocks Used Avail Capacity Mounted on
/dev/md0c 21758 20122 1636 92% /
procfs 8 8 0 100% /proc
/dev/ad2a 13822 11118 2704 80% /cf
racoon.conf
cat: /var/etc/racoon.conf: No such file or directory
SPD
No SPD entries.
SAD
No SAD entries.
config.xml
<?xml version="1.0"?>
<m0n0wall>
<version>1.6</version>
<lastchange>1155313031</lastchange>
<system>
<hostname>#</hostname>
<domain>#no-ip.org</domain>
<dnsallowoverride/>
<username>#</username>
<password>xxxxx</password>
<timezone>Europe/#</timezone>
<time-update-interval>300</time-update-interval>
<timeservers>ntp.#.#</timeservers>
<webgui>
<protocol>https</protocol>
<port/>
</webgui>
<dnsserver>195.54.122.200</dnsserver>
<dnsserver>195.54.122.204</dnsserver>
</system>
<interfaces>
<lan>
<if>xl0</if>
<ipaddr>192.168.0.1</ipaddr>
<subnet>24</subnet>
<media/>
<mediaopt/>
</lan>
<wan>
<if>fxp0</if>
<mtu/>
<blockpriv/>
<media/>
<mediaopt/>
<ipaddr>#.#.136.89</ipaddr>
<subnet>26</subnet>
<gateway>#.#.136.65</gateway>
<spoofmac/>
</wan>
<opt1>
<if>rl0</if>
<descr>DMZ</descr>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<bridge/>
<enable/>
</opt1>
</interfaces>
<staticroutes/>
<pppoe/>
<pptp/>
<bigpond/>
<dyndns>
<type>dyndns</type>
<username/>
<password/>
<host/>
<mx/>
<server/>
<port/>
</dyndns>
<dnsupdate/>
<dhcpd>
<lan>
<range>
<from>192.168.1.100</from>
<to>192.168.1.199</to>
</range>
</lan>
</dhcpd>
<pptpd>
<mode/>
<redir/>
<localip/>
<remoteip/>
</pptpd>
<dnsmasq>
<enable/>
</dnsmasq>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat>
<ipaddr/>
</ipv6nat>
</diag>
<bridge/>
<syslog/>
<nat/>
<filter>
<rule>
<type>pass</type>
<interface>opt1</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<descr/>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
<descr>Default LAN -> any</descr>
</rule>
</filter>
<shaper/>
<ipsec/>
<aliases/>
<proxyarp/>
<wol/>
</m0n0wall>
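The config above has exactly one user rule on opt1, and it carries `<protocol>tcp</protocol>`; m0n0wall turns every interface into a "block in ... all head N" group, so anything not matched by a pass rule in that group is dropped. The following is an added Python example (editor's code, not from the post or from m0n0wall) that loads the `<interfaces>` and `<filter>` sections of a m0n0wall-style config.xml and replays that first-match, default-block semantics for a packet entering an interface. The embedded config fragment is constructed from the post's config.xml; the helper names are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the post's config.xml (LAN, DMZ = opt1 and
# the two filter rules); it is not the poster's file verbatim.
CONFIG_XML = """<m0n0wall><interfaces>
<lan><if>xl0</if><ipaddr>192.168.0.1</ipaddr><subnet>24</subnet></lan>
<opt1><if>rl0</if><descr>DMZ</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></opt1>
</interfaces><filter>
<rule><type>pass</type><interface>opt1</interface><protocol>tcp</protocol>
<source><any/></source><destination><any/></destination></rule>
<rule><type>pass</type><interface>lan</interface>
<source><network>lan</network></source><destination><any/></destination></rule>
</filter></m0n0wall>"""

def load_config(xml_text):
    root = ET.fromstring(xml_text)
    nets = {}  # interface name -> its subnet, from <ipaddr>/<subnet>
    for iface in root.find("interfaces"):
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and bits:
            nets[iface.tag] = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    rules = []  # kept in file order: m0n0wall evaluates them first match wins
    for r in root.find("filter"):
        rules.append({
            "type": r.findtext("type"),
            "interface": r.findtext("interface"),
            # no <protocol> element means the rule matches every protocol
            "protocol": r.findtext("protocol") or "any",
            "src_net": r.find("source").findtext("network"),  # None == <any/>
        })
    return nets, rules

def verdict(nets, rules, interface, proto, src_ip):
    """First matching rule wins; with no match the interface's generated head
    rule ("block in log quick on rl0 all head 300") drops the packet."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["interface"] != interface or r["protocol"] not in ("any", proto):
            continue
        if r["src_net"] and src not in nets[r["src_net"]]:
            continue
        return r["type"]
    return "block"

def missing_protocols(nets, rules, interface, wanted=("tcp", "udp", "icmp")):
    """Protocols a host on `interface` cannot initiate (udp = DNS, icmp = ping)."""
    probe = str(nets[interface][2])  # a host address inside that subnet
    return [p for p in wanted if verdict(nets, rules, interface, p, probe) != "pass"]
```

Run against the fragment, `missing_protocols(nets, rules, "opt1")` reports udp and icmp, which is the difference between a DMZ host that can open TCP connections and one that can also ping and resolve names.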