Rule 68 is this one:
@68 block in log quick proto tcp from any to any
Which seems to be the default block rule.
I have thought about a possible cause of this problem. Please correct me if
I am wrong.
When I try to establish the SSH session to 172.16.1.1 my machine has
previously received an ICMP redirect telling it to use 192.168.1.254 as the
nexthop. As long as only a few bytes are sent it seems to use this
information. However, something strange happens when I have to send more data
(which happens after the SSH login is accepted and I get a shell) because
now it uses the m0n0wall instead of 192.168.1.254 as the nexthop (this has
been confirmed using tcpdump). It's a SUSE Linux 9.0 box and I have no idea
why it suddenly doesn't use the information from the ICMP redirect message.
Since the TCP connection was established through 192.168.1.254, when the
m0n0wall sees a TCP packet for 172.16.1.1 for which it has never seen the
SYN packet used to set up the connection it is dropped because m0n0wall is a
stateful firewall and it doesn't recognise the connection.
If this is the case there doesn't seem to be anything that m0n0wall can do. It
is a firewall - not a router.
Martin Holst wrote:
> Hi Michael!
> Since I haven't toyed much with m0n0wall static routes I can't say for sure how well the
> However, it would be rather interesting to have a look at the rule which is apparently blocking
> the traffic - rule 68, rule group 0 on dc0 interface.
> Could you take a look at rule 68 in your <m0n0wall-IP>/status.php?
> BTW: Andreas Gracco seemed to have a similar problem.
> Unfortunately he never got back to me.
> -----Original Message-----
> From: Michael Østergaard Pedersen [mailto:michael at bytopia dot dk]
> Sent: 15 May 2004 21:17
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Problem with static routes
> Thanks for the reply. I was considering the non-symmetric routes as a
> problem, but since TCP connections are identified by source, source port,
> destination and destination port I didn't think that it would be a problem
> as long as the other host received its packets. As far as I know the whole
> idea of the Internet is that the host doesn't care how the packets are
> routed to their destination.
> There seems to be some confusion about states since the m0n0wall is
> dropping packets that are clearly allowed in my firewall rules and my guess
> is that if these packets made it to their destination the destination would
> reply correctly.
> A static route on all hosts on the LAN works fine, but the 172.16.0.0/16 was
> just an example. We have over 30 subnets on that MPLS connection and over 40
> workstations on the LAN. Managing static routes is something that I would
> prefer to be without :)
> Putting the router on a separate interface on the m0n0wall is something we
> will do in the future, but right now we just need something that works as it is.
GnuPG Key: http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0xA635F294
Homepage : http://www.carceri.dk
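To make the mechanism concrete, the following is a toy model of the drop described above: a stateful filter that creates state only on a SYN matching a pass rule, so a data segment whose SYN travelled around the firewall (via 192.168.1.254 after the ICMP redirect) matches nothing and falls through to the catch-all block rule. This is an example added by the editor, not code from m0n0wall, pf, or anyone on the thread. The addresses, ports and packet traces are constructed; the state matching is a deliberate simplification (it ignores direction, sequence windows and timeouts), and the logged rule text copies the page's rule 68.

```python
"""Toy model of a stateful packet filter (constructed example).

Shows why a TCP segment whose SYN bypassed the firewall matches no state and
no "keep state" pass rule, and so hits the default
"block in log quick proto tcp from any to any" rule. Not pf's real algorithm.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

Endpoint = Tuple[str, int]
StateKey = FrozenSet[Endpoint]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "PA"


@dataclass
class StatefulFilter:
    # Pass rules as (destination host, destination port). A SYN matching one
    # creates a bidirectional state entry, like "pass ... keep state" in pf.
    pass_rules: Set[Endpoint]
    states: Set[StateKey] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def key(p: Packet) -> StateKey:
        # Unordered pair of endpoints so both directions hit the same state.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        k = self.key(p)
        if k in self.states:
            return "pass (existing state)"
        if p.flags == "S" and (p.dst, p.dport) in self.pass_rules:
            self.states.add(k)
            return "pass (new state)"
        # Nothing matched: the default block rule (rule 68 on the page) fires.
        self.log.append(
            f"@68 block in log quick proto tcp from any to any: "
            f"{p.src}:{p.sport} > {p.dst}:{p.dport} [{p.flags}]"
        )
        return "block (rule 68)"


def symmetric_session() -> List[str]:
    """Client -> m0n0wall -> 172.16.1.1: the firewall sees the SYN first."""
    fw = StatefulFilter(pass_rules={("172.16.1.1", 22)})
    trace = [  # constructed packet trace
        Packet("192.168.1.10", 40000, "172.16.1.1", 22, "S"),
        Packet("172.16.1.1", 22, "192.168.1.10", 40000, "SA"),
        Packet("192.168.1.10", 40000, "172.16.1.1", 22, "A"),
        Packet("192.168.1.10", 40000, "172.16.1.1", 22, "PA"),  # shell data
    ]
    return [fw.filter(p) for p in trace]


def redirected_session() -> Tuple[List[str], List[str]]:
    """The handshake went via 192.168.1.254 after an ICMP redirect, so the
    m0n0wall's first sight of the flow is a data segment after login."""
    fw = StatefulFilter(pass_rules={("172.16.1.1", 22)})
    trace = [  # constructed packet trace, SYN never seen by this filter
        Packet("192.168.1.10", 40001, "172.16.1.1", 22, "PA"),
        Packet("192.168.1.10", 40001, "172.16.1.1", 22, "A"),
    ]
    return [fw.filter(p) for p in trace], fw.log


if __name__ == "__main__":
    print("symmetric:", symmetric_session())
    verdicts, log = redirected_session()
    print("redirected:", verdicts)
    for line in log:
        print(line)
```

The interesting point is that the blocked segments are "clearly allowed" by the pass rule on port 22, exactly as the thread says; a stateful filter never evaluates that rule for a non-SYN segment without state, so the verdict comes from the catch-all instead.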