[ previous ] [ next ] [ threads ]
 
 From:  =?ISO-8859-1?Q?Michael_=D8stergaard_Pedersen?= <michael at bytopia dot dk>
 Cc:  M0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Problem with static routes
 Date:  Sun, 16 May 2004 19:24:30 +0200
Hi Martin,

Rule 68 is this one:

@68 block in log quick proto tcp from any to any

Which seems to be the default block rule.

I have thought about a possible cause if this problem. Please correct me if 
I am wrong.

When I try to establish the SSH session to 172.16.1.1 my machine has 
previously received an ICMP redirect telling it to use 192.168.1.254 as the 
nexthop. As long as only a few bytes are sent it seems to use this 
information. However, something strange happen when I have to send more data 
(which happens after the SSH login is accepted and I get a shell) because 
now it uses the m0n0wall instead of 192.168.1.254 as the nexthop (this has 
been confirmed using tcpdump). It's a SUSE Linux 9.0 box and I have no idea 
why it suddenly don't use the information from the ICMP redirect message 
anymore.

Since the TCP connection was established through 192.168.1.254, when the 
m0n0wall sees a TCP packet for 172.16.1.1 for which it has never seen the 
SYN packet used to set up the connection it is dropped because m0n0wall is a 
stateful firewall and it doesn't recognise the connection.

If this is the case there don't seem to be anything that m0n0wall can do. It 
is a firewall - not a router.

Regards,
Michael

Martin Holst wrote:

> Hi Michael!
> 
> Since I haven't toyed much with m0n0wall static routes I can't say for sure how well the
implementation works.
> 
> However, it would be rather interesting to have a look at the rule which is apparently blocking
the traffic - rule 68, rule group 0 on dc0 interface.
> 
> Could you take at look at rule 68 in your <m0n0wall-IP>/status.php?
> 
> BTW: Andreas Gracco seemed to have a similar problem.
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=52&actionargs[]=57
> Unfortunately he never got back to me.
> 
> /Martin
> 
> -----Original Message-----

> Sent: 15. maj 2004 21:17
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Problem with static routes
> 
> Hi,
> 
> Thanks for the reply. I was considering the non-symmetric routes as a 
> problem, but since TCP connections are identified by source, source port, 
> destination and destination port I didn't think that it would be a problem 
> as long as the other host received it's packets. As far as I know the whole 
> idea of the Internet is that the host doesn't care how the packets are 
> routed to their destination.
> 
> There seems to be some confusion about states since the m0n0wall are 
> dropping packets that are clearly allowed in my firewall rules and my guess 
> is that if these packets made it to their destination the destination would 
> reply correctly.
> 
> A static route on all hosts on the LAN works fine, but the 172.16.0.0/16 was 
> just an example. We have over 30 subnets on that MPLS connection and over 40 
> workstations on the LAN. Managing static routes is something that I would 
> prefer to be without :)
> 
> Putting the router on a separate interface on the m0n0wall is something we 
> will do in the future, but right now we just need something that works as it is.
> 
> Regards,
> Michael
> 
> 
> 
> 


-- 
GnuPG Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0xA635F294
Homepage : http://www.carceri.dk