 
 From:  Jérémie Tarot <jeremie dot tarot at free dot fr>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1:1 (onetoone) NAT & filtering [SOS][URGENT]
 Date:  Tue, 21 Aug 2007 11:09:06 +0200
Hi,

Should I try 1.3b3 to see if it fixes this problem?

Bests
JT

Jérémie Tarot wrote:
> Hi
> 
> Jérémie Tarot wrote:
>> Hi,
>>
>> Jérémie Tarot wrote:
>>> Hi,
>>>
>>> @ krt: "Block private networks" is not checked in WAN interface 
>>> config, but anyway, only OPT2/3/4 are involved here, isn't it?
>>>
>>> Christopher M. Iarocci wrote:
>>>> ...  I do have a question though.  Do you have rules in BOTH 
>>>> directions?  You only stated you have a rule coming into your 
>>>> network but showed us no rules going out.  OPT interfaces do not 
>>>> have default rules set up, so it would be helpful to see exactly 
>>>> what you have set up.
>>>>
>>>
>>> Sorry, forgot to mention this one set on OPT2(VOIP):
>>>
>>>  ICMP       asterisk       *       *       *       DEBUG: Ping To Any
>>>
>>
>> Sorry for replying to myself but I have kept on searching for the source 
>> of my problem (which has led me to learn the basics of IPFilter thanks to 
>> links found on the ML archive and FreeBSD's man pages)... is it me or is 
>> IPF syntax much easier to read than IPTables' one?
>>
>> Anyway, tuning a few options in m0n0 like logging default rule & 
>> showing raw logs... I've come to think that packets coming in on my 
>> brand new SDSL link never get passed by the rules configured on my 
>> OPT4 interface because they match the default block rule for the 
>> interface before:
>>
>> * Raw log messages:
>>
>> 15:08:56.910777 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>> 15:08:55.910679 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>> 15:08:54.910658 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
>>
>> * Stripped, hopefully relevant IPF config:
>>
>> @1 ...
>> @2 block in log quick from any to any with short
>> @3 block in log quick from any to any with ipopt
>> @4 ...
>> @22 skip 2 in on sis5 from 194.50.78.35/32 to any
>> @23 skip 1 in on sis5 from 212.103.28.96/29 to any
>> @24 block in log quick on sis5 from any to any
>> @25 skip 1 in proto tcp from any to any flags S/FSRA
>> @26 block in log quick proto tcp from any to any
>> @27 ...
>> @32 block in log quick on sis5 from any to any head 600
>> @1 pass in log first quick from any to 192.168.3.3/32 keep state group 600
>> @2 pass in log first quick from any to 192.168.1.3/32 keep state group 600
>> @33 ...
>> @49 block in log quick from any to any
>>
>> So if I have correctly understood IPF and the way it gets configured 
>> in m0n0wall, I should have a rule that skips @0:24, like @0:22 or 
>> @0:23, so that "parsing" can continue up to @0:32 and ICMP packets 
>> coming in on sis5/OPT4 hopefully get passed to my server.
>>
>> But, still with my current understanding, all rules that I could add 
>> on OPT4 would be added to group 600... and still never get matched
>>
> 
> Test done... even if I add any2any rules on both (int & ext) interfaces, 
> no packets get through because the "skip rules sequence" seems 
> somehow broken and the rule group of my VOIP/OPT4/sis5 interface never 
> gets applied to connections coming in on it:
> 
> log:
> 12:50:25.257118 sis5 @0:24 b 82.243.5.59 -> 192.168.3.3 PR icmp len 20 84 icmp echo/0 IN
> 
> ipfstat -nio:
> @22 skip 2 in on sis5 from 194.50.78.35/32 to any
> @23 skip 1 in on sis5 from 212.103.28.96/29 to any
> @24 block in log quick on sis5 from any to any
> ...
> @32 block in log quick on sis5 from any to any head 600
> @1 pass in log first quick from any to any keep state group 600
> @2 pass in log first quick from any to 192.168.3.3/32 keep state group 600
> @3 pass in log first quick from any to 192.168.1.3/32 keep state group 600
> 
> Folks, I'm _really_ sorry to bug you all with this issue, but I seem to 
> be unable to solve it myself and it's a show stopper on the way of a 
> couple of important projects.
> 
> Please just tell me if I can post more accurate information... anything!
> 
> Thank you in advance
> 
> Bests
> Jé
> 
> 
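Added example, not code from the thread, from m0n0wall or from IPFilter: a small Python model of IPF's in-order rule evaluation (first match with `quick`, `skip N`, `head`/`group`) fed the sis5 slice of the `ipfstat -nio` output quoted above. It reproduces the logged verdict `sis5 @0:24 b` for the ICMP echo from 82.243.5.59 and shows why the group 600 rules are never consulted for it: @22 and @23 only skip past the @24 block for sources inside 194.50.78.35/32 and 212.103.28.96/29, so every other source arriving on sis5 is dropped at @24 before @32 (the head of group 600) is ever reached. The second packet's source, 212.103.28.100, is a constructed address inside that /29. Rules elided in the quote (@1, @4-@21, @27-@31, @33-@48) and the `with short` / `with ipopt` checks are left out of the model.

```python
"""Toy model of IPFilter rule evaluation (in-order matching, quick, skip N,
head/group) run over the sis5 rules quoted in the thread.  Constructed example;
this is not m0n0wall or IPFilter code and simplifies real IPF semantics."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]
Verdict = Tuple[Optional[str], Optional[str]]


@dataclass
class Rule:
    num: int                      # rule number as printed by ipfstat
    action: str                   # 'pass', 'block' or 'skip'
    quick: bool = False
    skip: int = 0                 # rules a matching 'skip' jumps over
    iface: Optional[str] = None   # None means any interface
    proto: Optional[str] = None   # None means any protocol
    src: Net = None               # None means 'from any'
    dst: Net = None               # None means 'to any'
    head: Optional[int] = None    # this rule opens group <head>
    group: int = 0                # group the rule belongs to (0 = main list)
    syn_only: bool = False        # 'flags S/FSRA'


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    syn_only: bool = False        # TCP with only SYN set


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every constraint the rule carries is satisfied by the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.syn_only and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, group: int = 0) -> Verdict:
    """Walk one group in order and return (verdict, '@group:num'), the same
    notation the m0n0wall raw log uses ('sis5 @0:24 b')."""
    chain = [r for r in rules if r.group == group]
    decision: Verdict = (None, None)
    i = 0
    while i < len(chain):
        rule = chain[i]
        i += 1
        if not matches(rule, pkt):
            continue
        if rule.action == "skip":
            i += rule.skip            # jump over the next N rules
            continue
        if rule.head is not None:
            # A matching head rule hands the packet to its group first; the
            # head's own action only applies when nothing in the group decides.
            # (All group 600 rules here are 'quick', so a group match is final.)
            sub = evaluate(rules, pkt, rule.head)
            if sub[0] is not None:
                return sub
        decision = (rule.action, f"@{group}:{rule.num}")
        if rule.quick:                # 'quick': stop at the first match
            return decision
    return decision                   # otherwise the last match wins


# The sis5/OPT4 slice of 'ipfstat -nio' from the thread, transcribed to Rule objects.
RULES = [
    Rule(22, "skip", skip=2, iface="sis5", src=net("194.50.78.35/32")),
    Rule(23, "skip", skip=1, iface="sis5", src=net("212.103.28.96/29")),
    Rule(24, "block", quick=True, iface="sis5"),
    Rule(25, "skip", skip=1, proto="tcp", syn_only=True),
    Rule(26, "block", quick=True, proto="tcp"),
    Rule(32, "block", quick=True, iface="sis5", head=600),
    Rule(49, "block", quick=True),
    # user rules configured on OPT4 are generated into group 600
    Rule(1, "pass", quick=True, group=600),
    Rule(2, "pass", quick=True, dst=net("192.168.3.3/32"), group=600),
    Rule(3, "pass", quick=True, dst=net("192.168.1.3/32"), group=600),
]

# The packet from the raw log and a constructed one whose source sits inside
# the 212.103.28.96/29 network that @23 skips past the block for.
LOGGED_PING = Packet("sis5", "icmp", "82.243.5.59", "192.168.3.3")
INSIDE_PING = Packet("sis5", "icmp", "212.103.28.100", "192.168.3.3")

if __name__ == "__main__":
    for pkt in (LOGGED_PING, INSIDE_PING):
        print(pkt.src, "->", pkt.dst, evaluate(RULES, pkt))
```

Reading the result against the log: the echo from 82.243.5.59 is decided at `@0:24` with `block`, exactly what `sis5 @0:24 b` records, while the same packet from an address inside the /29 skips @24, reaches the head rule @32 and is passed by `@600:1`. The per-interface rules only ever see traffic that has already survived @22-@24, which is why adding rules to group 600 changes nothing for this source.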