I'm really stumped about why the firewall (suddenly) is blocking some outgoing traffic from my LAN to the net. I have a single rule for my LAN, the m0n0wall default, which allows all outgoing traffic. Despite this, I still am getting block messages in my log like this:

  18:03:07.127137 sis0 @0:21 b 192.168.0.9,50005 -> 206.80.4.40,80 PR tcp len 20 40 -AF IN

The site, www.salon.com (206.80.4.40), is one I've been to many times before, but is being blocked by ipf now for some reason. Here's the output of ipfstat -ni (via exec.php):

  $ ipfstat -ni
  @1 pass in quick on lo0 from any to any
  @2 block in log quick from any to any with short
  @3 block in log quick from any to any with ipopt
  @4 pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
  @5 pass in quick on sis0 proto udp from any port = 68 to 192.168.0.1/32 port = 67
  @6 block in log quick on ng0 from 192.168.0.0/24 to any
  @7 block in log quick on ng0 proto udp from any port = 67 to 192.168.0.0/24 port = 68
  @8 pass in quick on ng0 proto udp from any port = 67 to any port = 68
  @9 block in log quick on sis0 from !192.168.0.0/24 to any
  @10 block in log quick on ng0 from 10.0.0.0/8 to any
  @11 block in log quick on ng0 from 127.0.0.0/8 to any
  @12 block in log quick on ng0 from 172.16.0.0/12 to any
  @13 block in log quick on ng0 from 192.168.0.0/16 to any
  @14 pass in quick on ng0 proto udp from any to 67.102.65.158/32 port = 500
  @15 pass in quick on ng0 proto esp from any to 67.102.65.158/32
  @16 pass in quick on ng0 proto ah from any to 67.102.65.158/32
  @17 pass in quick on sis0 proto udp from any to 192.168.0.1/32 port = 500
  @18 pass in quick on sis0 proto esp from any to 192.168.0.1/32
  @19 pass in quick on sis0 proto ah from any to 192.168.0.1/32
  @20 skip 1 in proto tcp from any to any flags S/FSRA
  @21 block in log quick proto tcp from any to any
  @22 block in log quick on sis0 from any to any head 100
    @1 pass in quick from 192.168.0.0/24 to 192.168.0.1/32 keep state group 100
    @2 pass in quick from 192.168.0.0/24 to any keep state keep frags group 100
  @23 block in log quick on ng0 from any to any head 200
    @1 pass in quick proto gre from any to 67.102.65.158/32 keep state group 200
    @2 pass in quick proto tcp from any to 67.102.65.158/32 port = 1723 keep state group 200
    @3 pass in quick proto udp from 192.18.32.139/32 to any keep state keep frags group 200
    @4 pass in quick proto tcp from any to 192.168.0.4/32 port = 80 keep state keep frags group 200
    @5 pass in quick proto tcp from any to 192.168.0.3/32 port = 25 keep state group 200
    @6 pass in quick proto tcp from any to 192.168.0.3/32 port = 993 keep state group 200
    @7 pass in quick proto tcp from any to 192.168.0.3/32 port = 465 keep state group 200
    @8 pass in quick proto tcp from any to 192.168.0.4/32 port = 443 keep state group 200
    @9 pass in quick proto tcp from any to 192.168.0.4/32 port = 22 keep state group 200
    @10 pass in quick proto udp from any to 192.168.0.2/32 port 5059 >< 5062 keep state group 200
    @11 pass in quick proto udp from any to 192.168.0.2/32 port = 53 keep state group 200
    @12 pass in quick proto tcp from any to 192.168.0.2/32 port = 69 keep state group 200
    @13 pass in quick proto udp from any to 192.168.0.2/32 port 9999 >< 20001 keep state group 200
  @24 block in log quick from any to any

The maddening thing is that everything's been fine for years with my m0n0wall setup. I haven't changed any configuration. The only thing that's changed recently is my DSL line was upgraded to 6Mb, but with no change in IP address or gateway or anything. What am I missing here?

-ian

--
ian at techne dot net
You couldn't grok my racecar but you dug the roadside blur
You weren't into my airplane but you loved the whirling world
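The block entry and the rule listing above contain everything needed to see which rule fired and why. The following script is an added example, not part of the original post and not m0n0wall or ipfilter code: it parses the ipmon log line, resolves the @group:rule reference against the numbering ipfstat -ni prints (numbering restarts inside each "group N"; the unqualified rules are group 0), decodes the TCP flags, and evaluates the "flags S/FSRA" test of the preceding skip rule. The log line and the rules are copied from the post; the group 200 rules are omitted from the embedded listing because the logged packet arrived on sis0.

```python
import re

# ipmon block entry copied from the post above
LOG_LINE = ("18:03:07.127137 sis0 @0:21 b 192.168.0.9,50005 -> 206.80.4.40,80 "
            "PR tcp len 20 40 -AF IN")

# Rules copied from the post's ipfstat -ni output: all of group 0 plus the sis0
# group 100. The group 200 (ng0) rules are left out; the packet arrived on sis0.
IPFSTAT_NI = """\
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on sis0 proto udp from any port = 68 to 192.168.0.1/32 port = 67
@6 block in log quick on ng0 from 192.168.0.0/24 to any
@7 block in log quick on ng0 proto udp from any port = 67 to 192.168.0.0/24 port = 68
@8 pass in quick on ng0 proto udp from any port = 67 to any port = 68
@9 block in log quick on sis0 from !192.168.0.0/24 to any
@10 block in log quick on ng0 from 10.0.0.0/8 to any
@11 block in log quick on ng0 from 127.0.0.0/8 to any
@12 block in log quick on ng0 from 172.16.0.0/12 to any
@13 block in log quick on ng0 from 192.168.0.0/16 to any
@14 pass in quick on ng0 proto udp from any to 67.102.65.158/32 port = 500
@15 pass in quick on ng0 proto esp from any to 67.102.65.158/32
@16 pass in quick on ng0 proto ah from any to 67.102.65.158/32
@17 pass in quick on sis0 proto udp from any to 192.168.0.1/32 port = 500
@18 pass in quick on sis0 proto esp from any to 192.168.0.1/32
@19 pass in quick on sis0 proto ah from any to 192.168.0.1/32
@20 skip 1 in proto tcp from any to any flags S/FSRA
@21 block in log quick proto tcp from any to any
@22 block in log quick on sis0 from any to any head 100
@1 pass in quick from 192.168.0.0/24 to 192.168.0.1/32 keep state group 100
@2 pass in quick from 192.168.0.0/24 to any keep state keep frags group 100
@23 block in log quick on ng0 from any to any head 200
@24 block in log quick from any to any
"""

# ipmon line layout: time iface @group:rule action src,port -> dst,port PR proto len hl tl [-flags] dir
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<tlen>\d+)(?: -(?P<flags>[SAPFRU]+))? (?P<dir>IN|OUT)$"
)
TCP_FLAGS = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}


def parse_log_line(line):
    """Split one ipmon line into its fields; action 'b' is a block, 'p' a pass."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("not an ipmon line: %r" % line)
    d = m.groupdict()
    d["raw_flags"] = d["flags"] or ""
    d["flags"] = [TCP_FLAGS[c] for c in d["raw_flags"]]
    return d


def parse_ipfstat(text):
    """Map (group, rule number) -> rule text. Numbering restarts inside each
    'group N'; rules without a group clause are group 0, which @0:21 refers to."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+) (.*)$", line.strip())
        if m is None:
            continue
        body = m.group(2)
        g = re.search(r" group (\d+)$", body)
        rules[(int(g.group(1)) if g else 0, int(m.group(1)))] = body
    return rules


def flags_match(raw_flags, spec):
    """Evaluate an ipf 'flags X/Y' test: the packet's TCP flags masked by Y must equal
    X exactly, so 'S/FSRA' holds only for a SYN with FIN, RST and ACK all clear."""
    want, mask = spec.split("/")
    return {c for c in raw_flags if c in mask} == set(want)


def explain_block(log_line, ipfstat_text):
    """Resolve the @group:rule reference to its rule text and, when the preceding
    rule is a 'skip' with a flags test, report whether that skip applied."""
    entry = parse_log_line(log_line)
    rules = parse_ipfstat(ipfstat_text)
    group, num = int(entry["group"]), int(entry["rule"])
    prev = rules.get((group, num - 1), "")
    skip = re.match(r"skip \d+ .* flags (\S+)$", prev)
    return {
        "iface": entry["iface"],
        "action": "block" if entry["action"] == "b" else "pass",
        "rule": rules[(group, num)],
        "flags": entry["flags"],
        "preceding_rule": prev,
        "skip_taken": flags_match(entry["raw_flags"], skip.group(1)) if skip else None,
    }


if __name__ == "__main__":
    for key, value in explain_block(LOG_LINE, IPFSTAT_NI).items():
        print("%-15s %s" % (key, value))
```

Run against the post's data this resolves @0:21 to "block in log quick proto tcp from any to any", decodes the flags as ACK+FIN, and reports that the SYN-only skip in rule 20 was not taken. ipfilter consults its state table before walking the rules, so a packet that gets as far as rule 21 had no matching state entry, and because it is not a connection-opening SYN it is dropped by the catch-all TCP block before the sis0 group 100 "keep state" rules are ever reached.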