Hi

Jérémie Tarot wrote:
> Hi,
>
> Jérémie Tarot wrote:
>> Hi,
>>
>> @ krt: "Block private networks" is not checked in WAN interface
>> config, but anyway, only OPT2/3/4 are involved here, isn't it?
>>
>> Christopher M. Iarocci wrote:
>>> ... I do have a question though. Do you have rules in BOTH
>>> directions? You only stated you have a rule coming into your network
>>> but showed us no rules going out. OPT interfaces do not have default
>>> rules set up, so it would be helpful to see exactly what you have set
>>> up.
>>
>> Sorry, forgot to mention this one set on OPT2 (VOIP):
>>
>> ICMP asterisk * * * DEBUG: Ping To Any
>
> Sorry for replying to myself, but I have kept on searching for the source of my
> problem (which has led me to learn the basics of IPFilter thanks to links
> found in the ML archive and FreeBSD's man pages)... is it me or is IPF
> syntax much easier to read than IPTables' one?
>
> Anyway, tuning a few options in m0n0 like logging the default rule & showing
> raw logs... I've come to think that packets coming in on my brand new
> SDSL link never get passed by the rules configured on my OPT4 interface
> because they match the default block rule for the interface before:
>
> * Raw log messages:
>
> 15:08:56.910777 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
> 15:08:55.910679 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
> 15:08:54.910658 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>
> * Stripped, hopefully relevant IPF config:
>
> @1 ...
> @2 block in log quick from any to any with short
> @3 block in log quick from any to any with ipopt
> @4 ...
> @22 skip 2 in on sis5 from 194.50.78.35/32 to any
> @23 skip 1 in on sis5 from 212.103.28.96/29 to any
> @24 block in log quick on sis5 from any to any
> @25 skip 1 in proto tcp from any to any flags S/FSRA
> @26 block in log quick proto tcp from any to any
> @27 ...
> @32 block in log quick on sis5 from any to any head 600
> @1 pass in log first quick from any to 192.168.3.3/32 keep state group 600
> @2 pass in log first quick from any to 192.168.1.3/32 keep state group 600
> @33 ...
> @49 block in log quick from any to any
>
> So if I have correctly understood IPF and the way it gets configured in
> m0n0wall, I should have a rule that skips @0:24, like @0:22 or @0:23, so
> that "parsing" can continue up to @0:32 and ICMP packets coming in on
> sis5/OPT4 hopefully get passed to my server.
>
> But, still with my current understanding, all rules that I could add on
> OPT4 would be added to group 600... and still never get matched

Test done... even if I add any2any rules on both (int & ext) interfaces, no
packets get through because the "skip rules sequence" seems somehow broken
and the rules group of my VOIP/OPT4/sis5 interface never gets applied to
connections coming in on it:

log:

12:50:25.257118 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN

ipfstat -nio:

@22 skip 2 in on sis5 from 194.50.78.35/32 to any
@23 skip 1 in on sis5 from 212.103.28.96/29 to any
@24 block in log quick on sis5 from any to any
...
@32 block in log quick on sis5 from any to any head 600
@1 pass in log first quick from any to any keep state group 600
@2 pass in log first quick from any to 192.168.3.3/32 keep state group 600
@3 pass in log first quick from any to 192.168.1.3/32 keep state group 600

Folks, I'm _really_ sorry to bug you all with this issue, but I seem to be
unable to solve it myself and it's a show stopper on the way of a couple of
important projects.

Please just tell me if I can post more accurate information... anything!

Thank you in advance

Best

Jé
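To make the ordering question in the message above concrete, here is a small added model of how IPFilter walks a rule list: first match with "quick" ends the search, "skip N" jumps over the next N rules, and a "head" rule hands the packet to its group, falling back to the head's own action when nothing in the group fires. It is not m0n0wall's code and not a real IPF implementation (the "..." rules, the TCP-flag rules @25/@26, "with short"/"with ipopt", state keeping and logging are left out, and non-quick matches are not modelled because every quoted rule is quick); the rule numbers are the ones shown in the quoted ipfstat -nio output and the sample addresses are taken from the quoted log line, with 212.103.28.97 and 192.168.3.9 as constructed extra cases.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    num: str                    # rule number as ipfstat -nio prints it
    action: str                 # "pass", "block" or "skip"
    quick: bool = False         # stop searching once this rule matches
    iface: Optional[str] = None # "on sis5"; None means any interface
    src: str = "any"            # source network in CIDR notation, or "any"
    dst: str = "any"            # destination network in CIDR notation, or "any"
    skip: int = 0               # for action == "skip": rules to jump over
    head: Optional[int] = None  # this rule starts group N

@dataclass
class Packet:
    iface: str
    src: str
    dst: str

def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst))

def walk(rules: List[Rule], groups: dict, pkt: Packet, trace: List[str]) -> Optional[Tuple[str, str]]:
    """Walk one rule list in order. Returns (action, rule_num) as soon as a
    quick rule decides; returns None if the list is exhausted (simplified:
    only quick rules are modelled). `trace` collects every rule that matched."""
    i = 0
    while i < len(rules):
        r = rules[i]
        i += 1
        if not matches(r, pkt):
            continue
        trace.append(r.num)
        if r.action == "skip":
            i += r.skip                 # "skip N": jump over the next N rules
            continue
        if r.head is not None:
            decided = walk(groups[r.head], groups, pkt, trace)
            if decided:
                return decided          # a quick rule inside the group fired
        if r.quick:
            return (r.action, r.num)    # head's own action if the group stayed silent
    return None

# Rules reconstructed from the quoted "stripped" ipfstat listing (assumption:
# the elided "..." rules do not match ICMP and are omitted; skip counts are
# therefore relative to this shortened list, which preserves the quoted effect).
MAIN = [
    Rule("@22", "skip", iface="sis5", src="194.50.78.35/32", skip=2),
    Rule("@23", "skip", iface="sis5", src="212.103.28.96/29", skip=1),
    Rule("@24", "block", quick=True, iface="sis5"),
    Rule("@32", "block", quick=True, iface="sis5", head=600),
    Rule("@49", "block", quick=True),
]
GROUPS = {
    600: [
        Rule("600/@1", "pass", quick=True, dst="192.168.3.3/32"),
        Rule("600/@2", "pass", quick=True, dst="192.168.1.3/32"),
    ],
}

def decide(pkt: Packet) -> Tuple[Optional[Tuple[str, str]], List[str]]:
    """Return the verdict for a packet and the list of rules it matched."""
    trace: List[str] = []
    return walk(MAIN, GROUPS, pkt, trace), trace

if __name__ == "__main__":
    # The pinged host from the quoted log line: no skip rule covers its source,
    # so @24 blocks it before the interface group 600 is ever consulted.
    print(decide(Packet("sis5", "82.243.5.59", "192.168.3.3")))
    # A source inside 212.103.28.96/29 takes the @23 skip, reaches head @32
    # and is passed by group rule 600/@1.
    print(decide(Packet("sis5", "212.103.28.97", "192.168.3.3")))
    # Same source, a destination no group rule covers: the head's own block applies.
    print(decide(Packet("sis5", "212.103.28.97", "192.168.3.9")))
```

Running it reproduces the diagnosis in the message: the logged packet never reaches @32 because only sources in the two skip rules' networks jump over the @24 block, so adding rules to group 600 cannot change the verdict for anything else arriving on sis5; the place to look is the rule that generates @22-@24, not the OPT4 group.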