 From:  "Martin Holst" <mail at martinh dot dk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Cc:  Michael Østergaard Pedersen <michael at bytopia dot dk>, "Andreas Gracco" <A dot Gr at ims dot ch>
 Subject:  Possible bug: LAN redirection via static route
 Date:  Mon, 17 May 2004 14:19:04 +0200
Hi All!

Michael Oestergaard has some problems with a static route for redirection of LAN traffic (Andreas
Gracco had similar problems).

The m0n0wall LAN is 192.168.1.x.
A static route redirects traffic for 172.16.x.x via 192.168.1.254 (another router).

m0n0wall blocks some of the traffic for 172.16.x.x with the default block rule, although there is a
pass-any rule on the LAN interface.

What could cause m0n0wall to skip this rule:
"@2 pass in quick from 192.168.1.0/24 to any keep state group 100"
And apply this one instead?
"@68 block in log quick proto tcp from any to any"

The entry in the firewall log looks like this:
22:29:23.387117 dc0 @0:68 b 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 64 -A IN

We're currently discussing whether the pass rule will pass packets regardless of their state
(since SYN packets are allowed to pass).
From the IPFilter HOW-TO it seems that state inspection is only applied to pass rules when "flags S"
is set in the pass rule.
Looking at the following excerpt from the HOW-TO:

"pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 keep state
This is almost, but not quite, satisfactory. The problem is that it's not just SYN packets that're
allowed to go to port 23, any old packet can get through. We can change this by using the flags
option:
pass in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state
Now only TCP packets, destined for 20.20.20.1, at port 23, with a lone SYN flag will be allowed in
and entered into the state table."

Any ideas as to why the traffic is not passed?

/Martin
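The log line quoted in the message records the blocked packet's TCP flags ("-A", ACK only, no SYN), which is exactly the distinction the HOW-TO excerpt draws between a lone-SYN connection attempt and "any old packet". The parser below, an added example that is not code from the original message or from the m0n0wall project, splits ipmon(8) lines of the layout shown above into their fields and separates blocked SYN packets (refused connection attempts) from blocked ACK-only packets (packets that reached the rule list because no state-table entry accepted them; IPFilter consults the state table before it walks the rules). The first sample line is the one from the message; the other two are constructed for this example, and the field layout is assumed from that one line.

```python
"""Classify ipmon(8) block-log lines: was the blocked packet a connection
attempt (lone SYN), or a mid-stream packet (ACK without SYN) that fell through
to the rule list because no state-table entry accepted it?"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ipmon(8) line layout, assumed from the entry quoted in the message:
#   time iface @group:rule action src,sport -> dst,dport PR proto len hlen tlen [-flags] dir
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[SAFRPUEC]+))?\s+(?P<dir>IN|OUT)$"
)


@dataclass
class IpfEvent:
    time: str
    iface: str
    group: int
    rule: int
    action: str      # 'b' = block, 'p' = pass
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # TCP flag letters as ipmon prints them ('S', 'A', 'AP'); '' for non-TCP
    direction: str


def parse_line(line: str) -> Optional[IpfEvent]:
    """Parse one ipmon line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IpfEvent(
        time=m["time"], iface=m["iface"], group=int(m["group"]), rule=int(m["rule"]),
        action=m["action"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"],
        flags=m["flags"] or "", direction=m["dir"],
    )


def classify(ev: IpfEvent) -> str:
    """'new' for a lone SYN (a connection attempt, what 'flags S' would match);
    'mid-stream' for ACK without SYN (a packet of an existing connection that
    no state entry accepted, so it was judged by the rule list instead);
    'other' for everything else."""
    if ev.proto != "tcp":
        return "other"
    if "S" in ev.flags and "A" not in ev.flags:
        return "new"
    if "A" in ev.flags and "S" not in ev.flags:
        return "mid-stream"
    return "other"


def stateless_blocks(lines: List[str]) -> List[IpfEvent]:
    """Return the blocked mid-stream TCP packets, i.e. the blocks that are
    state-table misses rather than refused connection attempts."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.action == "b" and classify(ev) == "mid-stream":
            out.append(ev)
    return out


# The first line is the one quoted in the message; the other two are
# constructed for this example and are not from the original report.
SAMPLE_LOG = [
    "22:29:23.387117 dc0 @0:68 b 192.168.1.201,40452 -> 172.16.1.1,22 PR tcp len 20 64 -A IN",
    "22:29:25.100000 dc0 @0:68 b 192.168.1.201,40453 -> 172.16.1.1,22 PR tcp len 20 60 -S IN",
    "22:29:26.200000 dc0 @0:68 b 192.168.1.77,1034 -> 172.16.2.9,80 PR tcp len 20 52 -AP IN",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        print(f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} rule @{ev.group}:{ev.rule} "
              f"{ev.action} flags={ev.flags or '-'} -> {classify(ev)}")
    misses = stateless_blocks(SAMPLE_LOG)
    print(f"{len(misses)} of {len(SAMPLE_LOG)} blocked packets were mid-stream, with no accepting state entry")
```

Run over a real ipmon log, a high share of "mid-stream" blocks on the default rule for connections that were initially allowed points at the firewall not holding usable state for those connections (for example because it does not see both directions of the traffic), whereas "new" blocks are plain policy refusals; the script only makes that distinction visible, it does not decide which case applies.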