 From:  Sven Brill <madde at gmx dot net>
 To:  "Brieseneck, Arne, VF-Group" <Arne dot Brieseneck at vodafone dot com>
 Cc:  Monowall Support List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] RE: SSH rule dows not work
 Date:  Wed, 12 Sep 2007 16:12:30 -0400
Brieseneck, Arne, VF-Group wrote:
> Why NAT?
> I don't want to NAT anything. 
>   
So if I understand your previous postings correctly, the setup is up and 
running, with the

- WAN IP being 10.5.40.20, and the
- gateway being 10.5.40.1

so the WAN is not a direct Internet connection, which is fine. 
Furthermore, your LAN is

- 192.168.50.128/26

and one host (192.168.50.190) is running sshd there. You described 
earlier that "everything works" if you allow all traffic in all 
directions, is that correct? I just want to rule out any routing issues, 
since the ssh client machine appears to reside somewhere else on the 
LAN, thus your router at 10.5.40.1 must know to route all packets 
destined for 192.168.50.190 to the gateway 10.5.40.20. If all this is 
correct and you know it works with an any:any rule both incoming and 
outgoing, I would recommend turning on all logging when you try to 
restrict the traffic to only allow access to 192.168.50.190:22/tcp and 
paste the result here, both before and after you put the rule in place.

If you feel you can describe it better in German, I think the list 
decided a long time ago to allow any language, the response pool might 
just be smaller.

Sven

P.S.: was that the full config.xml you posted or did you omit anything 
besides password hashes? I am just curious because I am either blind or 
I need a drink, but I don't see the firewall rule.
>
>
> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler at gmail dot com] 
> Sent: Mittwoch, 12. September 2007 20:27
> To: Brieseneck, Arne, VF-Group
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] RE: SSH rule dows not work
>
> You don't have any NAT rules. Go to Inbound NAT as others said previously and add it properly.
>
>
> On 9/12/07, Brieseneck, Arne, VF-Group <Arne dot Brieseneck at vodafone dot com> wrote:
>   
>> <?xml version="1.0"?>
>> <m0n0wall>
>>     <version>1.6</version>
>>     <lastchange>1189620245</lastchange>
>>     <system>
>>         <hostname>dmzfw</hostname>
>>         <domain>local</domain>
>>         <dnsallowoverride/>
>>         <username>admin</username>
>>         <password>xxxxx</password>
>>         <timezone>Europe/Berlin</timezone>
>>         <time-update-interval>300</time-update-interval>
>>         <timeservers>192.168.50.129</timeservers>
>>         <webgui>
>>             <protocol>http</protocol>
>>             <port/>
>>         </webgui>
>>     </system>
>>     <interfaces>
>>         <lan>
>>             <if>vxn1</if>
>>             <ipaddr>192.168.50.185</ipaddr>
>>             <subnet>26</subnet>
>>             <media/>
>>             <mediaopt/>
>>         </lan>
>>         <wan>
>>             <if>vxn0</if>
>>             <mtu/>
>>             <media/>
>>             <mediaopt/>
>>             <ipaddr>10.5.40.20</ipaddr>
>>             <subnet>24</subnet>
>>             <gateway>10.5.40.1</gateway>
>>             <spoofmac/>
>>         </wan>
>>     </interfaces>
>>     <staticroutes>
>>         <route>
>>             <interface>wan</interface>
>>             <network>192.168.61.0/24</network>
>>             <gateway>10.5.40.120</gateway>
>>         </route>
>>     </staticroutes>
>>     <pppoe/>
>>     <pptp/>
>>     <bigpond/>
>>     <dyndns>
>>         <type>dyndns</type>
>>         <username/>
>>         <password/>
>>         <host/>
>>         <mx/>
>>         <server/>
>>         <port/>
>>     </dyndns>
>>     <dnsupdate/>
>>     <dhcpd>
>>         <lan>
>>             <range>
>>                 <from>192.168.1.100</from>
>>                 <to>192.168.1.199</to>
>>             </range>
>>         </lan>
>>     </dhcpd>
>>     <pptpd>
>>         <mode/>
>>         <redir/>
>>         <localip/>
>>         <remoteip/>
>>     </pptpd>
>>     <dnsmasq>
>>         <enable/>
>>     </dnsmasq>
>>     <snmpd>
>>         <syslocation/>
>>         <syscontact/>
>>         <rocommunity>public</rocommunity>
>>     </snmpd>
>>     <diag>
>>         <ipv6nat>
>>             <ipaddr/>
>>         </ipv6nat>
>>     </diag>
>>     <bridge/>
>>     <syslog/>
>>     <nat/>
>>     <filter>
>>         <rule>
>>             <type>pass</type>
>>             <interface>wan</interface>
>>             <source>
>>                 <any/>
>>             </source>
>>             <destination>
>>                 <any/>
>>             </destination>
>>             <descr/>
>>         </rule>
>>         <rule>
>>             <type>pass</type>
>>             <interface>lan</interface>
>>             <source>
>>                 <any/>
>>             </source>
>>             <destination>
>>                 <any/>
>>             </destination>
>>             <descr/>
>>         </rule>
>>     </filter>
>>     <shaper/>
>>     <ipsec/>
>>     <aliases/>
>>     <proxyarp/>
>>     <wol/>
>>     <vlans>
>>         <vlan>
>>             <if>vxn0</if>
>>             <tag>4</tag>
>>         </vlan>
>>         <vlan>
>>             <if>vxn1</if>
>>             <tag>3</tag>
>>         </vlan>
>>     </vlans>
>> </m0n0wall>
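Added example, not part of the thread and not m0n0wall's own code: a small Python checker that reads a config.xml like the one posted above and reports what Sven is asking about, namely whether the filter still carries an any:any pass rule on WAN, whether there is an explicit pass rule for tcp/22 to 192.168.50.190, whether that rule has logging turned on, how many inbound NAT entries exist, and whether the sshd host lies inside the configured LAN subnet. It also rewrites the WAN any:any rule into the restricted, logged form. The sample config is a constructed, trimmed copy of the posted one; the `<protocol>`, `<address>`, `<port>` and `<log/>` element names are assumptions based on m0n0wall's rule format, since the posted config contains no rule that uses them.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the config.xml posted in the thread
# (interfaces, the empty <nat/> and the two any:any pass rules). Not a full config.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
    <interfaces>
        <lan><if>vxn1</if><ipaddr>192.168.50.185</ipaddr><subnet>26</subnet></lan>
        <wan><if>vxn0</if><ipaddr>10.5.40.20</ipaddr><subnet>24</subnet><gateway>10.5.40.1</gateway></wan>
    </interfaces>
    <nat/>
    <filter>
        <rule><type>pass</type><interface>wan</interface><source><any/></source><destination><any/></destination><descr/></rule>
        <rule><type>pass</type><interface>lan</interface><source><any/></source><destination><any/></destination><descr/></rule>
    </filter>
</m0n0wall>
"""


def lan_network(root):
    """LAN subnet as configured on the firewall's <lan> interface."""
    lan = root.find("interfaces/lan")
    return ipaddress.ip_network(
        f"{lan.findtext('ipaddr')}/{lan.findtext('subnet')}", strict=False)


def endpoint(elem):
    """(address, port) of a <source>/<destination>; <any/> yields ("any", "any")."""
    if elem is None or elem.find("any") is not None:
        return "any", "any"
    return elem.findtext("address") or "any", elem.findtext("port") or "any"


def port_matches(spec, port):
    """Assumption: a single port is stored as "22", a range as "22-23"."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def summarize(rule):
    """Flatten one <rule> into a dict; missing <protocol> means any protocol."""
    src, _ = endpoint(rule.find("source"))
    dst, dport = endpoint(rule.find("destination"))
    return {"type": rule.findtext("type"), "interface": rule.findtext("interface"),
            "protocol": rule.findtext("protocol") or "any", "src": src,
            "dst": dst, "dport": dport, "log": rule.find("log") is not None}


def audit(config_xml, host, port, iface="wan"):
    """Report whether config.xml lets only tcp/<port> reach <host> on <iface>, logged."""
    root = ET.fromstring(config_xml)
    rules = [summarize(r) for r in root.findall("filter/rule")]
    findings = []
    for r in rules:
        if r["interface"] != iface or r["type"] != "pass":
            continue
        if r["src"] == "any" and r["dst"] == "any" and r["protocol"] == "any":
            findings.append(f"any:any pass rule on {iface}: everything is allowed, not just {host}:{port}")
    wanted = [r for r in rules if r["type"] == "pass" and r["interface"] == iface
              and r["protocol"] == "tcp" and r["dst"] == host and port_matches(r["dport"], port)]
    if not wanted:
        findings.append(f"no pass rule on {iface} for tcp {host}:{port}")
    elif not all(r["log"] for r in wanted):
        findings.append(f"pass rule on {iface} for tcp {host}:{port} has no <log/>; turn on logging before testing")
    nat = root.find("nat")
    return {"findings": findings,
            "nat_entries": 0 if nat is None else len(nat),       # empty <nat/> -> 0
            "host_in_lan": ipaddress.ip_address(host) in lan_network(root)}


def restrict_wan_rule(config_xml, host, port, iface="wan"):
    """Rewrite the any:any pass rule on <iface> into 'tcp from any to host:port', logged.
    Element names <protocol>, <address>, <port>, <log/> are assumed from m0n0wall's format."""
    root = ET.fromstring(config_xml)
    for rule in root.findall("filter/rule"):
        s = summarize(rule)
        if s["interface"] == iface and s["type"] == "pass" and s["src"] == "any" and s["dst"] == "any":
            proto = ET.Element("protocol")
            proto.text = "tcp"
            rule.insert(list(rule).index(rule.find("source")), proto)   # keep element order tidy
            dst = rule.find("destination")
            dst.clear()
            ET.SubElement(dst, "address").text = host
            ET.SubElement(dst, "port").text = str(port)
            descr = rule.find("descr")
            rule.insert(list(rule).index(descr) if descr is not None else len(rule), ET.Element("log"))
            if descr is not None:
                descr.text = f"allow ssh to {host}"
            break
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "192.168.50.190", 22)["findings"]:
        print(line)
    print(restrict_wan_rule(SAMPLE_CONFIG, "192.168.50.190", 22))
```

Run against the posted config the checker reports the WAN any:any rule and the absence of an explicit tcp/22 rule, confirms the empty `<nat/>` and that 192.168.50.190 is inside 192.168.50.128/26, so a routed (non-NAT) WAN only works if the upstream router at 10.5.40.1 actually sends that prefix to 10.5.40.20; after `restrict_wan_rule` the audit comes back clean and the rule carries `<log/>`, which is what you want in place before comparing the firewall log with and without the restriction.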