 From:  Serge Leschinsky <serge at artlife dot tomsknet dot ru>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] firewall perform wonder
 Date:  Fri, 16 Apr 2004 11:19:49 +0400

Sorry for the previous muddy message. Here is some additional info
from status.php.

The question is the following:

Why doesn't the marked rule (@2 pass) match the logged packets?

Sorry if it is such a stupid question.

mono maps:
> ipnat -lv
>
> List of active MAP/Redirect filters:
> bimap vr0 192.168.0.80/32 -> 217.1x.xx.10/32
> map vr0 192.168.0.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map vr0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
> map vr0 192.168.0.0/24 -> 0.0.0.0/32
>
> List of active sessions:
> BIMAP 192.168.0.80    22    <- -> 217.1x.xx.10    22    [195.122.228.2 55198]
> age 441 use 0 sumd 0xb2db/0xb2db pr 6 bkt 1367/1953 flags 1 drop 0/0
> ifp vr0 bytes 220 pkts 4
>
> List of active host mappings:

mono logs:
> 10:59:49.903832 vr1 @0:11 b 192.168.0.80,22 -> 195.122.228.2,55198 PR tcp len 20 60 -AS IN
> 10:59:01.700608 vr1 @0:11 b 192.168.0.80,22 -> 195.122.228.2,55198 PR tcp len 20 60 -AS IN
> 10:58:37.698993 vr1 @0:11 b 192.168.0.80,22 -> 195.122.228.2,55198 PR tcp len 20 60 -AS IN
> 10:58:25.698185 vr1 @0:11 b 192.168.0.80,22 -> 195.122.228.2,55198 PR tcp len 20 60 -AS IN

mono rules:
> $ ipfstat -ni
> @1 pass in quick on lo0 from any to any
> @2 block in log quick from any to any with short
> @3 block in log quick from any to any with ipopt
> @4 pass in quick on vr1 proto udp from any port = 68 to 255.255.255.255/32 port = 67
> @5 pass in quick on vr1 proto udp from any port = 68 to 192.168.0.79/32 port = 67
> @6 block in log quick on vr0 from 192.168.0.0/24 to any
> @7 block in log quick on vr0 proto udp from any port = 67 to 192.168.0.0/24 port = 68
> @8 pass in quick on vr0 proto udp from any port = 67 to any port = 68
> @9 block in log quick on vr1 from !192.168.0.0/24 to any
> @10 skip 1 in proto tcp from any to any flags S/FSRA
> @11 block in log quick proto tcp from any to any
> @12 block in log quick on vr1 from any to any head 100
> @1 pass in quick from 192.168.0.0/24 to 192.168.0.79/32 keep state group 100
> @2 pass in quick proto tcp from 192.168.0.0/24 to any keep state group 100      <<<<<< !!!!!!!!!!!!!!!
> @3 pass in quick proto icmp from 192.168.0.0/24 to any keep state group 100
> @13 block in log quick on vr0 from any to any head 200
> @1 pass in quick proto tcp from any to any keep state group 200
> @14 block in log quick from any to any



-- 
Best regards,
 Serge                            mailto:serge at artlife dot tomsknet dot ru
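
Added example (not part of the original message, and not m0n0wall or ipfilter code): resolving the `@group:rule` field of a logged line against the `ipfstat -ni` listing, and evaluating the `flags S/FSRA` condition of rule @10 against the logged `-AS` flags. The function names are hypothetical; the sample line and rules are copied from the message above.

```python
import re

# Sample data copied from the message: one logged line and the group 0 rules involved.
LOG = ("10:59:49.903832 vr1 @0:11 b 192.168.0.80,22 -> "
       "195.122.228.2,55198 PR tcp len 20 60 -AS IN")
RULES = """\
@10 skip 1 in proto tcp from any to any flags S/FSRA
@11 block in log quick proto tcp from any to any
@12 block in log quick on vr1 from any to any head 100"""

LINE_RE = re.compile(
    r"(?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$")

def parse_log(line):
    """Split one ipmon line into fields; group and rule become ints, flags a set."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    pkt = m.groupdict()
    pkt["group"], pkt["rule"] = int(pkt["group"]), int(pkt["rule"])
    pkt["flags"] = set(pkt["flags"] or "")
    return pkt

def index_rules(listing):
    """Map rule number -> rule text for one group of an `ipfstat -n` listing."""
    rules = {}
    for line in listing.splitlines():
        num, _, text = line.strip().partition(" ")
        rules[int(num.lstrip("@"))] = text
    return rules

def flags_match(spec, pkt_flags):
    """ipf `flags X/Y` matches when the packet's flags, masked by Y, equal X."""
    want, _, mask = spec.partition("/")
    return (pkt_flags & set(mask)) == set(want)

def logged_rule(line, listing):
    """Return the rule text the line's @group:rule points at (listing = that group)."""
    return index_rules(listing)[parse_log(line)["rule"]]

if __name__ == "__main__":
    pkt = parse_log(LOG)
    print("logged by:", logged_rule(LOG, RULES))
    # -AS is SYN+ACK, so the `skip 1` at @10 (bare SYN only) does not apply.
    print("@10 skip applies:", flags_match("S/FSRA", pkt["flags"]))
```

The log prefix `@0:11` names group 0, rule 11, so it is looked up among the top-level rules and not among the separately numbered rules of group 100.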