 From:  "Adam Nellemann" <adam at nellemann dot nu>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Negated rules?
 Date:  Fri, 6 Feb 2004 03:06:35 +0100
Hi,

I might have misunderstood something, but I can't see why I'm having
problems with the following:

- Alias "IntraNet" defined for subnet 192.168.32.0/23

- NAT outgoing from 192.168.32.0/24 to * (Advanced NAT enabled!)

- Rule on OPT1 (WLAN) to pass source=IntraNet, dest=IntraNet

- Rule on OPT1 (WLAN) to pass source=IntraNet, dest=!IntraNet

The reason for the two "complement" rules is so I can disable WAN
access simply by disabling the latter rule.

However, it seems that (at least some) packets are blocked on the OPT1
interface, unless I replace the latter rule with one where dest=any?

Here's an example from my syslog (linebreaks to improve readability, IPs
x'ed out for privacy):

2004-02-06 02:11:54 Local0.Warning firewall Feb  6 02:11:55
ipmon[66]: 02:11:54.496414 wi0 @0:19 b
192.168.32.128,4762 -> x.x.x.x,4121
PR tcp len 20 40 -AF IN

(Notice the "wi0", which is the Wireless adaptor on OPT1!)

Am I misunderstanding something (such as how the "not" checkbox works)
or is this a bug? After all, x and !x together should be the same as
"any", shouldn't they?

Or should I have a specific rule on the WAN interface to pass these
packets as well? (I assumed only the rules for the interface on which
the packet arrives are checked; at least this seems to be how m0n0wall
normally operates?)

It is not a big issue, as I can use the above-mentioned workaround, but I
would like to learn more about how the rules and NAT work, so if anyone
knows why I see this behaviour...?


Regards,

Adam.

P.S. Can anyone confirm or deny what's said in the "Traffic shaping:
Queues not working for me!" post? (I've implemented an elaborate traffic
shaping scheme, which is hard to test directly. I would like to know if
this has all been in vain?)
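Added example (not from the post, the list reply, or m0n0wall itself): a small parser for the ipmon log format quoted in the message, plus a classifier that separates blocked TCP packets that could never have matched a pass rule from genuine rule blocks. It assumes, as with ipfilter rules that keep state on SYN, that a TCP packet without the S flag can only be accepted via an existing state entry; the sample log lines and addresses are constructed.

```python
import re
from typing import Optional, List, Tuple

# Constructed sample lines in the ipmon(8) format quoted in the post.
# Addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
02:11:54.496414 wi0 @0:19 b 192.168.32.128,4762 -> 198.51.100.7,4121 PR tcp len 20 40 -AF IN
02:12:01.000001 wi0 @0:19 b 192.168.32.128,4763 -> 198.51.100.7,80 PR tcp len 20 60 -S IN
02:12:05.000002 wi0 @0:7 p 192.168.32.128,4764 -> 192.168.33.5,22 PR tcp len 20 60 -S IN
02:12:09.000003 sis0 @0:3 b 198.51.100.7,53 -> 192.168.32.128,1024 PR udp len 20 80 IN
"""

# time iface @group:rule action src,sport -> dst,dport PR proto len hlen tlen [-FLAGS] dir
IPMON_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+"
    r"(?P<action>[bpS])\s+(?P<src>[\w.:]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\w.:]+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[SAFPRU]+))?\s+(?P<direction>IN|OUT)\s*$"
)

def parse_ipmon_line(line: str) -> Optional[dict]:
    """Parse one ipmon line into a dict; None if the line is not in this format.
    action: b = blocked, p = passed, S = short; flags: TCP flag letters, "" for non-TCP."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport", "hlen", "tlen"):
        e[k] = int(e[k])
    e["flags"] = e["flags"] or ""
    return e

def classify(e: dict) -> str:
    """Verdict for a parsed entry. A blocked TCP packet without SYN could only have
    matched an existing state entry (assumption: rules create state on SYN), so it
    is a stale-state straggler rather than evidence that a pass rule failed."""
    if e["action"] != "b":
        return "passed"
    if e["proto"] == "tcp" and "S" not in e["flags"]:
        return "stateless-straggler"   # e.g. the "-AF" (ACK+FIN) line in the post
    return "rule-blocked"

def summarize(log: str) -> List[Tuple[str, str, str, str]]:
    """(iface, rule, 'src:sport->dst:dport', verdict) for every parseable line."""
    out = []
    for line in log.splitlines():
        e = parse_ipmon_line(line)
        if e:
            out.append((e["iface"], e["rule"], f"{e['src']}:{e['sport']}->{e['dst']}:{e['dport']}", classify(e)))
    return out
```

Running `summarize(SAMPLE_LOG)` marks the first line (the ACK+FIN packet from the post) as a straggler, so it says nothing about whether the IntraNet/!IntraNet rule pair is wrong; the SYN that was blocked on the same rule is the one worth investigating.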