Hi,

Should I try 1.3b3 to see if it fixes this problem?

Bests
JT

Jérémie Tarot wrote:
> Hi
>
> Jérémie Tarot wrote:
>> Hi,
>>
>> Jérémie Tarot wrote:
>>> Hi,
>>>
>>> @ krt: "Block private networks" is not checked in the WAN interface
>>> config, but anyway, only OPT2/3/4 are involved here, isn't it?
>>>
>>> Christopher M. Iarocci wrote:
>>>> ... I do have a question though. Do you have rules in BOTH
>>>> directions? You only stated you have a rule coming into your
>>>> network but showed us no rules going out. OPT interfaces do not
>>>> have default rules set up, so it would be helpful to see exactly
>>>> what you have set up.
>>>>
>>>
>>> Sorry, forgot to mention this one set on OPT2 (VOIP):
>>>
>>> ICMP asterisk * * * DEBUG: Ping To Any
>>>
>>
>> Sorry for replying to myself, but I have kept on searching for the source
>> of my problem (which has led me to learn the basics of IPFilter, thanks to
>> links found in the ML archive and FreeBSD's man pages)... is it me, or is
>> IPF syntax much easier to read than IPTables'?
>>
>> Anyway, after tuning a few options in m0n0 like logging the default rule
>> and showing raw logs, I've come to think that packets coming in on my
>> brand new SDSL link never get passed by the rules configured on my
>> OPT4 interface because they match the default block rule for the
>> interface before:
>>
>> * Raw log messages:
>>
>> 15:08:56.910777 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>> 15:08:55.910679 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>> 15:08:54.910658 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>>
>> * Stripped, hopefully relevant IPF config:
>>
>> @1 ...
>> @2 block in log quick from any to any with short
>> @3 block in log quick from any to any with ipopt
>> @4 ...
>> @22 skip 2 in on sis5 from 194.50.78.35/32 to any
>> @23 skip 1 in on sis5 from 212.103.28.96/29 to any
>> @24 block in log quick on sis5 from any to any
>> @25 skip 1 in proto tcp from any to any flags S/FSRA
>> @26 block in log quick proto tcp from any to any
>> @27 ...
>> @32 block in log quick on sis5 from any to any head 600
>> @1 pass in log first quick from any to 192.168.3.3/32 keep state group 600
>> @2 pass in log first quick from any to 192.168.1.3/32 keep state group 600
>> @33 ...
>> @49 block in log quick from any to any
>>
>> So if I have correctly understood IPF and the way it gets configured
>> in m0n0wall, I should have a rule that skips @0:24, like @0:22 or
>> @0:23, so that "parsing" can continue up to @0:32 and ICMP packets
>> coming in on sis5/OPT4 hopefully get passed to my server.
>>
>> But, still with my current understanding, all rules that I could add
>> on OPT4 would be added to group 600... and still never get matched.
>>
>
> Test done... even if I add any-to-any rules on both (int & ext) interfaces,
> no packets get through because the "skip rules sequence" seems somehow
> broken and the rule group of my VOIP/OPT4/sis5 interface never gets applied
> to connections coming in on it:
>
> log:
> 12:50:25.257118 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>
> ipfstat -nio:
> @22 skip 2 in on sis5 from 194.50.78.35/32 to any
> @23 skip 1 in on sis5 from 212.103.28.96/29 to any
> @24 block in log quick on sis5 from any to any
> ...
> @32 block in log quick on sis5 from any to any head 600
> @1 pass in log first quick from any to any keep state group 600
> @2 pass in log first quick from any to 192.168.3.3/32 keep state group 600
> @3 pass in log first quick from any to 192.168.1.3/32 keep state group 600
>
> Folks, I'm _really_ sorry to bug you all with this issue, but I seem to
> be unable to solve it myself and it's a show stopper for a couple of
> important projects.
>
> Please just tell me if I can post more accurate information... anything!
>
> Thank you in advance
>
> Bests
> Jé
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
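The rule traversal the quoted messages reason about (a `skip N` jumping over the per-interface block rule, `quick` ending the search, `head 600` handing the packet to the interface's own rule group) can be replayed offline. What follows is an added example, not code from the thread or from m0n0wall/IPFilter: a small Python model of ipf rule evaluation run over a hand-transcribed subset of the `ipfstat -nio` listing quoted above. The rules the poster elided (`@27 ...`, `@33 ...`) are omitted on the assumption that they do not match the packets modelled here, and the rule labelled `@23b` is hypothetical, added only to show what the poster's "a rule that skips @0:24" would do to the same echo request. The model reproduces the logged `@0:24 b` verdict for the SDSL peer's packet and, as a generalisation beyond the thread's single packet, also shows which sources and TCP flag combinations reach group 600.

```python
"""Toy model of IPFilter rule traversal (skip / quick / head / group).

Added example, not code from the thread or from m0n0wall. RULESET is a
hand-transcribed subset of the ipfstat -nio listing quoted in the thread;
rules the poster elided ("@27 ...", "@33 ...") are omitted on the assumption
that they do not match the packets modelled here.
"""
import ipaddress
import re

RULESET = """\
@22 skip 2 in on sis5 from 194.50.78.35/32 to any
@23 skip 1 in on sis5 from 212.103.28.96/29 to any
@24 block in log quick on sis5 from any to any
@25 skip 1 in proto tcp from any to any flags S/FSRA
@26 block in log quick proto tcp from any to any
@32 block in log quick on sis5 from any to any head 600
@1 pass in log first quick from any to any keep state group 600
@2 pass in log first quick from any to 192.168.3.3/32 keep state group 600
@3 pass in log first quick from any to 192.168.1.3/32 keep state group 600
@49 block in log quick from any to any
"""
# Hypothetical rule (not in the thread): a skip that jumps over @24 for the
# SDSL peer's address, placed where the poster says such a rule would have to go.
HYPOTHETICAL_SKIP = "@23b skip 1 in on sis5 from 82.243.5.59/32 to any\n"

RULE_RE = re.compile(
    r"@(?P<num>\w+)\s+(?P<action>pass|block|skip)(?:\s+(?P<count>\d+))?\s+in"
    r"(?:\s+log)?(?:\s+first)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?(?:\s+keep\s+state)?"
    r"(?:\s+head\s+(?P<head>\d+))?(?:\s+group\s+(?P<group>\d+))?$"
)


def parse_ruleset(text):
    """Return {group_number: [rule, ...]} in listing order (group 0 = top level)."""
    groups = {}
    net = lambda t: None if t == "any" else ipaddress.ip_network(t, strict=False)
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        flags = None
        if m["flags"]:                      # "S/FSRA" -> (bits that must be set, mask)
            want, mask = m["flags"].split("/")
            flags = (set(want), set(mask))
        rule = {"num": m["num"], "action": m["action"], "count": int(m["count"] or 0),
                "quick": bool(m["quick"]), "iface": m["iface"], "proto": m["proto"],
                "flags": flags, "src": net(m["src"]), "dst": net(m["dst"]),
                "head": int(m["head"]) if m["head"] else None}
        groups.setdefault(int(m["group"] or 0), []).append(rule)
    return groups

def packet(iface, proto, src, dst, flags=""):
    """Constructed inbound packet as seen by ipf on interface `iface`."""
    return {"iface": iface, "proto": proto, "flags": set(flags),
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

def matches(rule, pkt):
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["flags"] and pkt["flags"] & rule["flags"][1] != rule["flags"][0]:
        return False
    return all(rule[k] is None or pkt[k] in rule[k] for k in ("src", "dst"))

def evaluate(groups, pkt, group=0):
    """Walk one group the way ipf does: last match wins, 'quick' ends the search,
    'skip N' jumps over the next N rules, 'head G' descends into group G.
    Returns (label, final) with label in ipmon's "@group:rule b|p" notation."""
    verdict, final, rules, i = None, False, groups.get(group, []), 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if not matches(rule, pkt):
            continue
        if rule["action"] == "skip":
            i += rule["count"]
            continue
        verdict, final = f"@{group}:{rule['num']} {rule['action'][0]}", rule["quick"]
        if rule["head"] is not None:
            sub, sub_final = evaluate(groups, pkt, rule["head"])
            if sub is not None:             # a matching group rule overrides the head
                verdict, final = sub, sub_final or final
        if final:
            break
    return verdict, final

def verdict_for(pkt, ruleset=RULESET):
    return evaluate(parse_ruleset(ruleset), pkt)[0]

def with_hypothetical_skip():
    """RULESET with HYPOTHETICAL_SKIP inserted immediately before @24."""
    return RULESET.replace("@24 ", HYPOTHETICAL_SKIP + "@24 ", 1)

if __name__ == "__main__":
    echo = packet("sis5", "icmp", "82.243.5.59", "192.168.3.3")
    print(verdict_for(echo))                            # @0:24 b, as in the log
    print(verdict_for(echo, with_hypothetical_skip()))  # @600:1 p
```

What the model makes concrete: @24 is a `quick` block, so for a source that none of the preceding `skip` rules cover, the search ends there and group 600 is never consulted, which is exactly the `@0:24 b` the thread's logs show; only something that jumps over @24 (a source inside one of the listed networks, or the hypothetical extra skip) lets the packet reach the `head 600` rule and the group's `pass` rules. The model ignores `keep state`, `log`, and the elided rules, so it is a reading aid for the listing, not a substitute for `ipftest`.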