Hi Martin,

Rule 68 is this one:

@68 block in log quick proto tcp from any to any

which seems to be the default block rule.

I have thought about a possible cause of this problem. Please correct me if I am wrong.

When I try to establish the SSH session to 172.16.1.1 my machine has previously received an ICMP redirect telling it to use 192.168.1.254 as the next hop. As long as only a few bytes are sent it seems to use this information. However, something strange happens when I have to send more data (which happens after the SSH login is accepted and I get a shell), because now it uses the m0n0wall instead of 192.168.1.254 as the next hop (this has been confirmed using tcpdump). It's a SUSE Linux 9.0 box and I have no idea why it suddenly doesn't use the information from the ICMP redirect message anymore.

Since the TCP connection was established through 192.168.1.254, when the m0n0wall sees a TCP packet for 172.16.1.1 for which it has never seen the SYN packet used to set up the connection, it is dropped because m0n0wall is a stateful firewall and it doesn't recognise the connection.

If this is the case there doesn't seem to be anything that m0n0wall can do. It is a firewall - not a router.

Regards,
Michael

Martin Holst wrote:
> Hi Michael!
>
> Since I haven't toyed much with m0n0wall static routes I can't say for sure how well the implementation works.
>
> However, it would be rather interesting to have a look at the rule which is apparently blocking the traffic - rule 68, rule group 0 on dc0 interface.
>
> Could you take a look at rule 68 in your <m0n0wall-IP>/status.php?
>
> BTW: Andreas Gracco seemed to have a similar problem.
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=52&actionargs[]=57
> Unfortunately he never got back to me.
>
> /Martin
>
> -----Original Message-----
> From: Michael Østergaard Pedersen [mailto:michael at bytopia dot dk]
> Sent: 15. maj 2004 21:17
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Problem with static routes
>
> Hi,
>
> Thanks for the reply. I was considering the non-symmetric routes as a
> problem, but since TCP connections are identified by source, source port,
> destination and destination port I didn't think that it would be a problem
> as long as the other host received its packets. As far as I know the whole
> idea of the Internet is that the host doesn't care how the packets are
> routed to their destination.
>
> There seems to be some confusion about states since the m0n0wall is
> dropping packets that are clearly allowed in my firewall rules and my guess
> is that if these packets made it to their destination the destination would
> reply correctly.
>
> A static route on all hosts on the LAN works fine, but the 172.16.0.0/16 was
> just an example. We have over 30 subnets on that MPLS connection and over 40
> workstations on the LAN. Managing static routes is something that I would
> prefer to be without :)
>
> Putting the router on a separate interface on the m0n0wall is something we
> will do in the future, but right now we just need something that works as it is.
>
> Regards,
> Michael

--
GnuPG Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0xA635F294
Homepage : http://www.carceri.dk
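The stateful-firewall behaviour Michael describes above (the SYN goes out via 192.168.1.254, later segments of the same session arrive at the m0n0wall, which has no state for them and lets them fall through to the default block rule) as an added toy simulation; this is not code from the thread or from m0n0wall, and the LAN host address 192.168.1.10 and m0n0wall address 192.168.1.1 are assumed.

```python
# Added example (not m0n0wall code): a toy connection tracker showing why a
# stateful firewall blocks mid-stream TCP segments on an asymmetric path.
# 192.168.1.254 is the ICMP-redirect next hop from the thread; other addresses are assumed.
from dataclasses import dataclass

M0N0WALL = "192.168.1.1"       # assumed LAN address of the m0n0wall
MPLS_ROUTER = "192.168.1.254"  # next hop learned via ICMP redirect

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "A", "PA"

class StatefulFilter:
    """Only an initial SYN may create state; any other segment must match an
    existing entry (either direction) or it falls through to the default
    'block in log quick proto tcp from any to any' rule."""
    def __init__(self):
        self.states = set()

    def process(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags == "S":
            self.states.add(fwd)
            return "pass (state created)"
        if fwd in self.states or rev in self.states:
            return "pass (state matched)"
        return "block (no state, rule 68)"

def replay(fw, hops):
    """hops: (next_hop, segment) pairs; only segments sent via the m0n0wall
    reach its filter, the rest bypass it entirely."""
    return [fw.process(seg) if hop == M0N0WALL else "bypassed m0n0wall"
            for hop, seg in hops]

def ssh_session(nexthop_for_handshake, nexthop_for_data):
    """Handshake uses one next hop, later bulk data (after login) the other."""
    client = ("192.168.1.10", 40000)  # constructed LAN host address and port
    syn = Segment(*client, "172.16.1.1", 22, "S")
    ack = Segment(*client, "172.16.1.1", 22, "A")
    data = Segment(*client, "172.16.1.1", 22, "PA")
    return replay(StatefulFilter(), [
        (nexthop_for_handshake, syn),
        (nexthop_for_handshake, ack),
        (nexthop_for_data, data),  # host switches next hop after login
    ])
```

Calling `ssh_session(MPLS_ROUTER, M0N0WALL)` reproduces the thread's symptom (the data segment is blocked), while `ssh_session(M0N0WALL, M0N0WALL)` passes every segment because the filter saw the SYN.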