[ previous ] [ next ] [ threads ]
 From:  "Mark Spieth" <mspieth at neod dot net>
 To:  "Martin Holst" <mail at martinh dot dk>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Possible bug: LAN redirection via static route
 Date:  Mon, 17 May 2004 08:58:43 -0400
Did you setup nat rules for the 172.X network? If not it will not work. I have this setup running in
several places and it does work, But you have to use the enable advanced outbound nat and built the
nat tables for the 192 and 172 networks.  

Mark Spieth - Director of Internet Services

Northeast Ohio Digital Inc.


mspieth at neod dot net



CONFIDENTIALITY NOTICE: The materials attached hereto are confidential and the property of the
sender. The information contained in the attached materials is privileged and/or confidential and is
intended only for the use of the above-named individual(s) or entity(ies). If you are not the
intended recipient, be advised that any unauthorized disclosure, copying, distribution or the taking
of any action in reliance on the contents of the attached information is strictly prohibited. If you
have received this transmission in error, please discard the information immediately

-----Original Message-----
From: Martin Holst [mailto:mail at martinh dot dk] 
Sent: Monday, May 17, 2004 8:19 AM
To: m0n0wall at lists dot m0n0 dot ch
Cc: Michael Østergaard Pedersen; Andreas Gracco
Subject: [m0n0wall] Possible bug: LAN redirection via static route

Hi All!

Michael Oestergaard has some problems with a static route for redirection of LAN-traffic (Andreas
Gracco had similar problems)

M0n0wall-LAN is 192.168.1.x.
A static route redirects traffic for 172.16.x.x via (other router)

M0n0wall blocks some of the traffic for 172.16.x.x with default block rule - although there is a
pass-any rule on the LAN-interface.

What could cause m0n0wall to skip this rule:
"@2 pass in quick from to any keep state group 100"
And apply this one instead?
"@68 block in log quick proto tcp from any to any"

The entry in the firewall log looks like this:
22:29:23.387117 dc0 @0:68 b,40452 ->,22 PR tcp len 20 64 -A IN

We're currently discussing whether the pass rule will pass packets - no matter their state?
(Since SYN-packets are allowed to pass)
From the IPfilter HOW-TO it seems that state inspection is only applied on pass rules when FLAGS S
is set in the pass rule.
Looking at the following excerpt from the HOW-TO:

"pass in quick on tun0 proto tcp from any to port = 23 keep state
This is almost, but not quite, satisfactory. The problem is that it's not just SYN packets that're
allowed to go to port 23, any old packet can get through. We can change this by using the flags
pass in quick on tun0 proto tcp from any to port = 23 flags S keep state
Now only TCP packets, destined for, at port 23, with a lone SYN flag will be allowed in
and entered into the state table."

Any ideas as to why traffic is not passed??


To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch