Actually that page is for a filtered bridge. This is not my configuration, since the 2 m0n0wall interfaces have 2 different IP addresses. I need my configuration to have these 2 subnets connected by a router and not a switch, this is important.

sai wrote:
> sorry, I meant http://doc.m0n0.ch/handbook/examples-filtered-bridge.html
>
> no nat means you want a transparent firewall.
>
> sai
>
>
> On 7/21/08, Yannick Bréhon <y dot brehon at qiplay dot com> wrote:
>> Actually, behind my WAN interface is 192.168.1.0 / 24 and behind my LAN
>> interface is 192.168.128.0 / 17.
>> the "real" IP address is behind my ADSL box with 192.168.1.1
>>
>> So it looks like this:
>>
>>        Internet
>>           |
>>      192.168.1.1
>>           |
>>       ----------
>>       |        |
>>      BOX    Monowall
>>                |_192.168.128.0/17
>>
>> Problem is that I would like my BOX to SSH into the "monowalled"
>> network, without NATting through the Monowall, but using "regular" routing.
>> Is that not possible??
>>
>>
>> sai wrote:
>>
>>> assuming your LAN is private IP addresses and your WAN is real ip addresses
>>>
>>> <1> you need to add NAT rules.
>>> <2> ping is not good at being natted....if you have many pings going
>>> at the same time some may not work
>>>
>>> sai
>>>
>>>
>>> On 7/21/08, Yannick Bréhon <y dot brehon at qiplay dot com> wrote:
>>>> Hello!
>>>> I have been using m0n0 for quite a while now as my company's router and
>>>> firewall, with great results I must say, but I have recently run into
>>>> some trouble while changing things in my network.
>>>>
>>>> I have computers sitting behind the WAN interface, and others behind the
>>>> LAN one. Even when I add "pass-all" rules on both those interfaces, (and
>>>> reset states), m0n0 doesn't let traffic go from LAN to WAN in some very
>>>> specific circumstances. These are resumed here:
>>>> LAN will ping WAN without any trouble
>>>> WAN will ping LAN, the LAN computers receive the PING request, send a
>>>> PING response which is filtered by m0n0.
>>>> Same thing with SSH, etc (i.e.: computers sitting on the LAN side can
>>>> easily ssh into boxes on the WAN side, but the contrary is not true. WAN
>>>> computers receive the TCP open packet, reply, and the m0n0wall filters
>>>> this reply)
>>>>
>>>> I even see the firewall log saying it has actively filtered the TCP
>>>> responses from LAN to WAN, though I have no "block" rules setup... In
>>>> fact there is even a proper state created in the firewall states in the
>>>> WAN->LAN direction, and yet the replies are blocked.
>>>>
>>>> I am really puzzled by this behavior, and would appreciate any help and
>>>> advice you might have!
>>>>
>>>> Thank you very much,
>>>> Yannick
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch