 
 From:  Jérémie Tarot <jeremie dot tarot at free dot fr>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1:1 (onetoone) NAT & filtering [SOS]
 Date:  Thu, 19 Jul 2007 14:54:09 +0200
Hi,

Jérémie Tarot wrote:
> Hi,
> 
> @ krt: "Block private networks" is not checked in WAN interface config, 
> but anyway, only OPT2/3/4 are involved here, isn't it?
> 
> Christopher M. Iarocci wrote:
>> ...  I do have a question though.  Do you have rules in BOTH 
>> directions?  You only stated you have a rule coming into your network 
>> but showed us no rules going out.  OPT interfaces do not have default 
>> rules set up, so it would be helpful to see exactly what you have set up.
>>
> 
> Sorry, forgot to mention this one set on OPT2(VOIP):
> 
>  ICMP       asterisk       *       *       *       DEBUG: Ping To Any
> 

Sorry for replying to myself, but I have kept on searching for the source of my
problem (which has led me to learn the basics of IPFilter thanks to links
found in the ML archive and FreeBSD's man pages)... is it me or is IPF syntax
much easier to read than IPTables'?

Anyway, after tuning a few options in m0n0 like logging the default rule & showing raw logs... I've come to
think that packets coming in on my brand new SDSL link never get passed by the rules configured on
my OPT4 interface because they match the default block rule for the interface before:

 * Raw log messages:

15:08:56.910777 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
15:08:55.910679 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
15:08:54.910658 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN

 * Stripped, hopefully relevant IPF config:

@1 ...
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 ...
@22 skip 2 in on sis5 from 194.50.78.35/32 to any
@23 skip 1 in on sis5 from 212.103.28.96/29 to any
@24 block in log quick on sis5 from any to any
@25 skip 1 in proto tcp from any to any flags S/FSRA
@26 block in log quick proto tcp from any to any
@27 ...
@32 block in log quick on sis5 from any to any head 600
@1 pass in log first quick from any to 192.168.3.3/32 keep state group 600
@2 pass in log first quick from any to 192.168.1.3/32 keep state group 600
@33 ...
@49 block in log quick from any to any 

So if I have correctly understood IPF and the way it gets configured in m0n0wall, I should have a
rule that skips @0:24, like @0:22 or @0:23, so that "parsing" can continue up to @0:32 and ICMP
packets coming in on sis5/OPT4 hopefully get passed to my server.

But, still with my current understanding, all rules that I could add on OPT4 would be added to group
600... and still never get matched.

Any help appreciated.

Bests
Jé
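As an added illustration (not code from the post, from m0n0wall or from IPFilter), here is a small Python model of IPFilter's rule walk (skip, quick, head/group) fed with the stripped ruleset and the logged ICMP echo above; it reproduces the "@0:24 b" verdict in the raw log and shows what the existing skip rules do for their sources. The "@0:x" skip rule is the poster's hypothesis, not something present on the page, and the model ignores 'with', 'flags', state and the TCP-only rules @25/@26.

```python
"""Toy IPFilter evaluator (skip/quick/head/group) to trace the post's ruleset.
Constructed model, not IPFilter/m0n0wall code; it ignores 'with', 'flags',
state, rules @1-@4 and the TCP-only rules @25/@26."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    label: str            # rule id as the log prints it, e.g. '@0:24'
    action: str           # 'pass', 'block' or 'skip'
    quick: bool = False   # stop evaluating on match
    iface: str = ""       # 'on <iface>'; "" matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    skip: int = 0         # 'skip N': jump over the next N rules on match
    head: int = 0         # 'head N': descend into group N on match
    group: int = 0        # 'group N': member of group N (0 = main list)

def matches(r, pkt):
    return ((not r.iface or r.iface == pkt["iface"])
            and ip_address(pkt["src"]) in ip_network(r.src)
            and ip_address(pkt["dst"]) in ip_network(r.dst))

def evaluate(rules, pkt, group=0):  # -> (action, label) or None if no match
    lst = [r for r in rules if r.group == group]
    verdict, i = None, 0
    while i < len(lst):  # last match wins unless the rule is 'quick'
        r, i = lst[i], i + 1
        if not matches(r, pkt):
            continue
        if r.action == "skip":
            i += r.skip
            continue
        verdict = (r.action, r.label)
        if r.head:  # a matching rule inside the group overrides the head
            verdict = evaluate(rules, pkt, r.head) or verdict
        if r.quick:
            break
    return verdict
RULES = [  # as listed in the post (stripped)
    Rule("@0:22", "skip", iface="sis5", src="194.50.78.35/32", skip=2),
    Rule("@0:23", "skip", iface="sis5", src="212.103.28.96/29", skip=1),
    Rule("@0:24", "block", quick=True, iface="sis5"),
    Rule("@0:32", "block", quick=True, iface="sis5", head=600),
    Rule("@600:1", "pass", quick=True, dst="192.168.3.3/32", group=600),
    Rule("@0:49", "block", quick=True),
]
# The poster's hypothesis: a 'skip 1 in on sis5' placed just ahead of @0:24.
WITH_SKIP = RULES[:2] + [Rule("@0:x", "skip", iface="sis5", skip=1)] + RULES[2:]
# The ICMP echo from the raw log: 82.243.5.59 -> 192.168.3.3, in on sis5.
PKT = {"iface": "sis5", "src": "82.243.5.59", "dst": "192.168.3.3"}
print(evaluate(RULES, PKT), evaluate(WITH_SKIP, PKT))  # ('block', '@0:24') ('pass', '@600:1')
```

Changing the source address of PKT to one covered by @0:22 or @0:23 shows those skips landing on @0:32 and the group 600 pass rule, which is the path the poster wants for every source.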