 From:  phreaker <mailrelay at phreaker dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Problems with DMZ outgoing connection
 Date:  Wed, 06 Sep 2006 18:26:02 +0200
I have set up a m0n0wall machine with 3 interfaces, WAN, LAN and DMZ, as 
per the m0n0wall FAQ. I have one computer connected with a TP crossover 
cable to the m0n0wall's DMZ interface.
It works to ping and to connect TO the DMZ'ed machine, but from that 
machine I can't get any ping or connection to the outside; I can't even 
ping the DMZ interface!
The DMZ'ed machine uses FreeBSD with resolv set to my ISP's DNS (as all 
my computers) and defaultrouter set to the DMZ interface...
***************My config is below:****************

m0n0wall: status
*Sat Aug 12 01:48:16 CEST 2006*

*Note: make sure to remove any sensitive information (passwords, maybe 
also IP addresses) before posting information from this page in public 
places (like mailing lists)!*
Passwords in config.xml have been automatically removed.

This status page includes the following information:

    * System uptime
    * Interfaces
    * Routing tables
    * ipfw show
    * ipnat -lv
    * ipfstat -v
    * ipfstat -nio
    * unparsed ipnat rules
    * unparsed ipfilter rules
    * unparsed ipfw rules
    * resolv.conf
    * Processes
    * dhcpd.conf
    * ez-ipupdate.cache
    * df
    * racoon.conf
    * SPD
    * SAD
    * last 200 system log entries
    * last 50 filter log entries
    * ls /conf
    * ls /var/run
    * config.xml

System uptime

 1:48AM  up 2 days, 11:10, 0 users, load averages: 0.04, 0.03, 0.01

Interfaces

fxp0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
	options=40<POLLING>
	inet *.#.136.89 netmask 0xffffffc0 broadcast *.#.136.127
	ether 00:50:8b:0f:13:83
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=1<RXCSUM>
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
	ether 00:10:5a:9e:8e:e3
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=40<POLLING>
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	ether 00:10:b5:4a:00:08
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000

Routing tables

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            #.#.136.65      UGSc        3  2533319   fxp0
*.#.136.64/26   link#1             UC          1        0   fxp0
*.#.136.65      00:d0:52:0b:53:55  UHLW        3        0   fxp0    862
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.0          link#2             UC          2        0    xl0
192.168.0.6        00:02:a5:30:54:74  UHLW        0    94698    xl0    676
192.168.0.8        00:d0:59:17:71:15  UHLW        2     1177    xl0    789
192.168.1          link#3             UC          1        0    rl0
192.168.1.2        link#3             UHLW        0        1    rl0

ipfw show

ipfw: getsockopt(IP_FW_GET): Protocol not available

unparsed ipnat rules

map fxp0 192.168.0.0/24  -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.0.0/24  -> 0/32 portmap tcp/udp auto
map fxp0 192.168.0.0/24  -> 0/32
map fxp0 192.168.1.0/24  -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24  -> 0/32 portmap tcp/udp auto
map fxp0 192.168.1.0/24  -> 0/32
      

unparsed ipfilter rules

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on xl0 proto udp from any port = 68 to 192.168.0.1 port = 67
pass out quick on xl0 proto udp from 192.168.0.1 port = 67 to any port = 68

# WAN spoof check
block in log quick on fxp0 from 192.168.0.0/24 to any
block in log quick on fxp0 from 192.168.1.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on fxp0 proto udp from any port = 68 to any port = 67
block in log quick on fxp0 proto udp from any port = 67 to 192.168.0.0/24 port = 68
pass in quick on fxp0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on xl0 from ! 192.168.0.0/24 to any
block in log quick on rl0 from ! 192.168.1.0/24 to any

# block anything from private networks on WAN interface
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on xl0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on xl0 all keep state 

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state 
		
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state 

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.0.0/24 to 192.168.0.1 keep state group 100

# User-defined rules follow
pass in quick proto tcp from any to any keep state group 300 
pass in quick from 192.168.0.0/24 to any keep state group 100 
	
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all
      

unparsed ipfw rules

add 50000 set 4 pass all from 192.168.0.1 to any
add 50001 set 4 pass all from any to 192.168.0.1
      

resolv.conf

domain test.no-ip.org
nameserver 195.54.122.200
nameserver 195.54.122.204

dhcpd.conf

cat: /var/etc/dhcpd.conf: No such file or directory

ez-ipupdate.cache

cat: /conf/ez-ipupdate.cache: No such file or directory

df

Filesystem 512-blocks  Used Avail Capacity  Mounted on
/dev/md0c       21758 20122  1636    92%    /
procfs              8     8     0   100%    /proc
/dev/ad2a       13822 11118  2704    80%    /cf

racoon.conf

cat: /var/etc/racoon.conf: No such file or directory

SPD

No SPD entries.

SAD

No SAD entries.


config.xml

<?xml version="1.0"?>
<m0n0wall>
    <version>1.6</version>
    <lastchange>1155313031</lastchange>
    <system>
        <hostname>#</hostname>
        <domain>#no-ip.org</domain>
        <dnsallowoverride/>
        <username>#</username>
        <password>xxxxx</password>
        <timezone>Europe/#</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>ntp.#.#</timeservers>
        <webgui>
            <protocol>https</protocol>
            <port/>
        </webgui>
        <dnsserver>195.54.122.200</dnsserver>
        <dnsserver>195.54.122.204</dnsserver>
    </system>
    <interfaces>
        <lan>
            <if>xl0</if>
            <ipaddr>192.168.0.1</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>fxp0</if>
            <mtu/>
            <blockpriv/>
            <media/>
            <mediaopt/>
            <ipaddr>#.#.136.89</ipaddr>
            <subnet>26</subnet>
            <gateway>#.#.136.65</gateway>
            <spoofmac/>
        </wan>
        <opt1>
            <if>rl0</if>
            <descr>DMZ</descr>
            <ipaddr>192.168.1.1</ipaddr>
            <subnet>24</subnet>
            <bridge/>
            <enable/>
        </opt1>
    </interfaces>
    <staticroutes/>
    <pppoe/>
    <pptp/>
    <bigpond/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
        <server/>
        <port/>
    </dyndns>
    <dnsupdate/>
    <dhcpd>
        <lan>
            <range>
                <from>192.168.1.100</from>
                <to>192.168.1.199</to>
            </range>
        </lan>
    </dhcpd>
    <pptpd>
        <mode/>
        <redir/>
        <localip/>
        <remoteip/>
    </pptpd>
    <dnsmasq>
        <enable/>
    </dnsmasq>
    <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag>
        <ipv6nat>
            <ipaddr/>
        </ipv6nat>
    </diag>
    <bridge/>
    <syslog/>
    <nat/>
    <filter>
        <rule>
            <type>pass</type>
            <interface>opt1</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <descr/>
        </rule>
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>Default LAN -&gt; any</descr>
        </rule>
    </filter>
    <shaper/>
    <ipsec/>
    <aliases/>
    <proxyarp/>
    <wol/>
</m0n0wall>
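The ruleset shown under "unparsed ipfilter rules" already accounts for the ICMP symptom in the post: the only user rule in group 300 (the DMZ interface rl0) is "pass in quick proto tcp from any to any keep state", so an ICMP echo request or a UDP DNS query entering rl0 matches no group rule and falls back to the head rule "block in log quick on rl0 all head 300", which drops and logs it, while a TCP SYN from the DMZ host is passed. LAN to DMZ works because group 100 passes anything from 192.168.0.0/24 and the resulting state entry lets the replies back in on rl0. The evaluator below is an added example written for this page, not m0n0wall code; it replays that decision for constructed packets against a copy of the rules above. The DMZ host address 192.168.1.2 is taken from the routing table; the port numbers and the dropped lo0/DHCP/WAN rules are assumptions noted in the code.

```python
# Added example (not m0n0wall code): a small evaluator for the ipfilter rule
# set quoted above. It models ordered evaluation, 'quick', 'skip N' and
# head/group rules; 'keep state' is not modelled, so only the first packet of
# a flow is meaningful here (real ipfilter checks its state table first).
import ipaddress

# Rules copied from the page in their original order. The lo0, DHCP, WAN
# (fxp0) and 'with short/ipopts' rules are left out: none can match the
# LAN/DMZ packets tested below, and the head-100/300 logic is unchanged.
RULESET = """\
block in log quick on xl0 from ! 192.168.0.0/24 to any
block in log quick on rl0 from ! 192.168.1.0/24 to any
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
block in log quick on xl0 all head 100
block in log quick on rl0 all head 300
pass out quick on rl0 all keep state
pass in quick proto tcp from any to any keep state group 300
pass in quick from 192.168.0.0/24 to any keep state group 100
block in log quick all
block out log quick all
"""

def _addr(t, i):
    """Parse 'any' | ['!'] net [port = N] -> ((negated, network, port), next i)."""
    neg = t[i] == "!"
    i += 1 if neg else 0
    net = None if t[i] == "any" else ipaddress.ip_network(t[i], strict=False)
    port, i = None, i + 1
    if i < len(t) and t[i] == "port":          # only "port = N" occurs here
        port, i = int(t[i + 2]), i + 3
    return (neg, net, port), i

def parse(line):
    t = line.split()
    r = dict(text=line, action=t[0], direction=t[1], skip=0, quick=False,
             iface=None, proto=None, src=(False, None, None),
             dst=(False, None, None), flags=None, head=None, group=None)
    i = 2
    if t[0] == "skip":                         # "skip N in ..."
        r["skip"], r["direction"], i = int(t[1]), t[2], 3
    while i < len(t):
        w = t[i]
        if w == "from":
            r["src"], i = _addr(t, i + 1)
        elif w == "to":
            r["dst"], i = _addr(t, i + 1)
        elif w in ("on", "proto", "flags", "head", "group"):
            v = int(t[i + 1]) if w in ("head", "group") else t[i + 1]
            r["iface" if w == "on" else w], i = v, i + 2
        elif w == "quick":
            r["quick"], i = True, i + 1
        elif w in ("log", "all", "keep"):      # "keep state" is not modelled
            i += 2 if w == "keep" else 1
        else:
            raise ValueError(f"unsupported token {w!r} in {line!r}")
    return r

def _addr_ok(spec, ip, port):
    neg, net, p = spec
    if net is not None and (ipaddress.ip_address(ip) in net) == neg:
        return False
    return p is None or p == port

def matches(r, pkt):
    """pkt: dir, iface, proto, src, dst, plus sport/dport/flags where relevant."""
    if r["direction"] != pkt["dir"] or (r["iface"] and r["iface"] != pkt["iface"]):
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["flags"]:                             # "S/SAFR": of SAFR, only S set
        want, mask = r["flags"].split("/")
        if set(pkt.get("flags", "")) & set(mask) != set(want):
            return False
    return (_addr_ok(r["src"], pkt["src"], pkt.get("sport"))
            and _addr_ok(r["dst"], pkt["dst"], pkt.get("dport")))

def evaluate(rules, pkt):
    """Return (action, deciding rule text) for a packet with no state entry."""
    verdict, skip = ("pass", "<ipfilter default>"), 0
    for r in rules:
        if skip:
            skip -= 1
            continue
        if r["group"] is not None or not matches(r, pkt):
            continue                           # group rules only via their head
        if r["action"] == "skip":
            skip = r["skip"]
            continue
        if r["head"] is not None:              # a matching (quick) group rule wins
            for g in rules:
                if g["group"] == r["head"] and matches(g, pkt):
                    return (g["action"], g["text"])
        verdict = (r["action"], r["text"])     # else the head/plain rule itself
        if r["quick"]:
            return verdict
    return verdict

RULES = [parse(l) for l in RULESET.splitlines() if l.strip()]

def dmz_packet(proto, dst, src="192.168.1.2", **kw):
    """Constructed packet entering rl0 from the DMZ host (ports are assumed)."""
    return dict(dir="in", iface="rl0", proto=proto, src=src, dst=dst, **kw)
```

evaluate(RULES, dmz_packet("icmp", "192.168.1.1")) returns ('block', 'block in log quick on rl0 all head 300'), a UDP query to 195.54.122.200 port 53 gets the same verdict, and a TCP SYN from the DMZ host is passed by the group 300 rule. Because that head rule carries "log", the dropped pings should show up in the firewall's filter log, which is the quickest thing to check before changing rules. Stateful replies are deliberately not modelled: ipfilter consults its state table before walking the rules, which is why the reply to a LAN-initiated ping gets back in even though an unsolicited ICMP packet on rl0 is blocked.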