 
 From:  Michael Østergaard Pedersen <michael at bytopia dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Possible bug: LAN redirection via static route
 Date:  Mon, 17 May 2004 20:04:41 +0200
> Group 100 head refers to dc0 interface. (Correct me if I'm wrong Michael).

I wouldn't know... I have absolutely zero knowledge of FreeBSD. I'm a 
Linux guy :)

> Michael: perhaps you could post the rule set with semi-spoofed addresses?

That's a lot of spoofing to do, but here they are:

There are three interfaces on the m0n0wall:

dc0: LAN (192.168.1.0/24) m0n0wall LAN IP: 192.168.1.200
xl1: DMZ (10.10.10.0/24)  m0n0wall DMZ IP: 10.10.10.1
xl2: WAN (80.80.80.0/24)  m0n0wall WAN IP: 80.80.80.210

@1 pass out quick on lo0 from any to any
@2 pass out quick on dc0 proto udp from 192.168.1.200/32 port = 67 to any port = 68
@3 pass out quick on xl2 proto udp from any port = 68 to any port = 67
@4 pass out quick on xl2 proto udp from 80.80.80.210/32 port = 500 to any
@5 pass out quick on xl2 proto esp from 80.80.80.210/32 to any
@6 pass out quick on xl2 proto ah from 80.80.80.210/32 to any
@7 pass out quick on dc0 proto udp from 192.168.1.200/32 port = 500 to any
@8 pass out quick on dc0 proto esp from 192.168.1.200/32 to any
@9 pass out quick on dc0 proto ah from 192.168.1.200/32 to any
@10 pass out quick on xl1 proto udp from 10.10.10.1/32 port = 500 to any
@11 pass out quick on xl1 proto esp from 10.10.10.1/32 to any
@12 pass out quick on xl1 proto ah from 10.10.10.1/32 to any
@13 pass out quick on dc0 from any to any keep state
@14 pass out quick on xl2 from any to any keep state
@15 pass out quick on xl1 from any to any keep state
@16 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on dc0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on dc0 proto udp from any port = 68 to 192.168.1.200/32 port = 67
@6 block in log quick on xl2 from 192.168.1.0/24 to any
@7 block in log quick on xl2 from 10.10.10.0/24 to any
@8 block in log quick on xl2 proto udp from any port = 67 to 192.168.1.0/24 port = 68
@9 pass in quick on xl2 proto udp from any port = 67 to any port = 68
@10 skip 45 in on dc0 from 100.12.0.0/16 to any
@11 skip 44 in on dc0 from 100.13.0.0/16 to any
@12 skip 43 in on dc0 from 100.14.0.0/16 to any
@13 skip 42 in on dc0 from 100.15.0.0/16 to any
@14 skip 41 in on dc0 from 100.17.0.0/16 to any
@15 skip 40 in on dc0 from 100.18.0.0/16 to any
@16 skip 39 in on dc0 from 100.19.0.0/16 to any
@17 skip 38 in on dc0 from 100.20.0.0/16 to any
@18 skip 37 in on dc0 from 100.21.0.0/16 to any
@19 skip 36 in on dc0 from 100.24.0.0/16 to any
@20 skip 35 in on dc0 from 100.25.0.0/16 to any
@21 skip 34 in on dc0 from 100.27.0.0/16 to any
@22 skip 33 in on dc0 from 100.29.0.0/16 to any
@23 skip 32 in on dc0 from 100.32.0.0/16 to any
@24 skip 31 in on dc0 from 100.33.0.0/16 to any
@25 skip 30 in on dc0 from 100.34.0.0/16 to any
@26 skip 29 in on dc0 from 100.35.0.0/16 to any
@27 skip 28 in on dc0 from 100.36.0.0/16 to any
@28 skip 27 in on dc0 from 100.37.0.0/16 to any
@29 skip 26 in on dc0 from 100.38.0.0/16 to any
@30 skip 25 in on dc0 from 100.39.0.0/16 to any
@31 skip 24 in on dc0 from 100.40.0.0/16 to any
@32 skip 23 in on dc0 from 100.41.0.0/16 to any
@33 skip 22 in on dc0 from 100.42.0.0/16 to any
@34 skip 21 in on dc0 from 100.43.0.0/16 to any
@35 skip 20 in on dc0 from 100.44.0.0/16 to any
@36 skip 19 in on dc0 from 100.45.0.0/16 to any
@37 skip 18 in on dc0 from 100.46.0.0/16 to any
@38 skip 17 in on dc0 from 100.47.0.0/16 to any
@39 skip 16 in on dc0 from 100.52.0.0/16 to any
@40 skip 15 in on dc0 from 100.53.0.0/16 to any
@41 skip 14 in on dc0 from 100.54.0.0/16 to any
@42 skip 13 in on dc0 from 100.55.0.0/16 to any
@43 skip 12 in on dc0 from 100.56.0.0/16 to any
@44 skip 11 in on dc0 from 100.57.0.0/16 to any
@45 skip 10 in on dc0 from 100.58.0.0/16 to any
@46 skip 9 in on dc0 from 100.60.0.0/16 to any
@47 skip 8 in on dc0 from 100.61.0.0/16 to any
@48 skip 7 in on dc0 from 100.65.0.0/16 to any
@49 skip 6 in on dc0 from 100.66.0.0/16 to any
@50 skip 5 in on dc0 from 10.82.0.0/16 to any
@51 skip 4 in on dc0 from 100.81.0.0/16 to any
@52 skip 3 in on dc0 from 172.16.0.0/16 to any
@53 skip 2 in on dc0 from 100.80.0.0/16 to any
@54 skip 1 in on dc0 from 192.168.1.0/24 to any
@55 block in log quick on dc0 from any to any
@56 skip 1 in on xl1 from 10.10.10.0/24 to any
@57 block in log quick on xl1 from any to any
@58 pass in quick on xl2 proto udp from any to 80.80.80.210/32 port = 500
@59 pass in quick on xl2 proto esp from any to 80.80.80.210/32
@60 pass in quick on xl2 proto ah from any to 80.80.80.210/32
@61 pass in quick on dc0 proto udp from any to 192.168.1.200/32 port = 500
@62 pass in quick on dc0 proto esp from any to 192.168.1.200/32
@63 pass in quick on dc0 proto ah from any to 192.168.1.200/32
@64 pass in quick on xl1 proto udp from any to 10.10.10.1/32 port = 500
@65 pass in quick on xl1 proto esp from any to 10.10.10.1/32
@66 pass in quick on xl1 proto ah from any to 10.10.10.1/32
@67 skip 1 in proto tcp from any to any flags S/FSRA
@68 block in log quick proto tcp from any to any
@69 block in log quick on dc0 from any to any head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.200/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@70 block in log quick on xl2 from any to any head 200
@1 pass in quick proto gre from any to 127.0.0.1/32 keep state group 200
@2 pass in quick proto tcp from any to 127.0.0.1/32 port = 1723 keep state group 200
@3 pass in quick proto tcp from any to 192.168.1.2/32 port = 443 keep state group 200
@4 pass in quick proto tcp from any to 192.168.1.2/32 port = 993 keep state group 200
@5 pass in quick proto tcp from any to 192.168.1.2/32 port = 995 keep state group 200
@6 pass in quick proto tcp from 184.239.133.2/32 to 10.10.10.237/32 port = 25 keep state group 200
@7 pass in quick proto tcp from 184.239.133.2/32 to 10.10.10.238/32 port = 25 keep state group 200
@8 pass in quick proto tcp from 184.182.251.10/32 to 10.10.10.238/32 port = 5000 keep state group 200
@9 pass in quick proto tcp from any to 10.10.10.43/32 port = 80 keep state group 200
@10 pass in quick proto tcp from any to 10.10.10.44/32 port = 25 keep state group 200
@11 pass in quick proto tcp/udp from any to 10.10.10.200/32 port = domain keep state group 200
@12 pass in quick proto tcp from any to 10.10.10.200/32 port = 443 keep state group 200
@13 pass in quick proto tcp from any to 10.10.10.201/32 port = 80 keep state group 200
@14 pass in quick proto tcp from any to 10.10.10.201/32 port = 443 keep state group 200
@15 pass in quick proto tcp from any to 10.10.10.201/32 port = 2401 keep state group 200
@16 pass in quick proto tcp from any to 10.10.10.201/32 port = 21 keep state group 200
@17 pass in quick proto tcp from any to 10.10.10.45/32 port = 25 keep state group 200
@18 pass in quick proto tcp from any to 10.10.10.45/32 port = 80 keep state group 200
@19 pass in quick proto tcp from any to 10.10.10.46/32 port = 80 keep state group 200
@71 block in log quick on xl1 from any to any head 300
@1 pass in quick proto tcp from 10.10.10.44/32 to 192.168.1.2/32 port = 25 keep state group 300
@2 block in quick from any to 192.168.1.0/24 group 300
@3 pass in quick from 10.10.10.0/24 to any keep state group 300
@72 pass in quick on ng1 from any to any keep state
@73 pass in quick on ng2 from any to any keep state
@74 pass in quick on ng3 from any to any keep state
@75 pass in quick on ng4 from any to any keep state
@76 pass in quick on ng5 from any to any keep state
@77 pass in quick on ng6 from any to any keep state
@78 pass in quick on ng7 from any to any keep state
@79 pass in quick on ng8 from any to any keep state
@80 pass in quick on ng9 from any to any keep state
@81 pass in quick on ng10 from any to any keep state
@82 pass in quick on ng11 from any to any keep state
@83 pass in quick on ng12 from any to any keep state
@84 pass in quick on ng13 from any to any keep state
@85 pass in quick on ng14 from any to any keep state
@86 pass in quick on ng15 from any to any keep state
@87 pass in quick on ng16 from any to any keep state
@88 block in log quick from any to any

> - and again perhaps create a specific rule for the SSH-packets which were blocked - with logging enabled.

As soon as I get the chance to do that, I will.

-Michael
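As an added illustration (not part of Michael's post and not m0n0wall's own code), the following Python models the ipf evaluation semantics that decide a packet's fate in a ruleset like the one above: rules are tried in order, "quick" ends evaluation, "skip N" jumps over the next N rules, and a "head N" rule hands off to the rules tagged "group N", applying its own (block) action only when nothing in the group matches. It embeds a hand-picked excerpt of the inbound rules from the post and constructed sample packets. It is a simplified model: the state table and the "with short"/"with ipopt" checks are ignored, and the head/group fallback is assumed from ipf's documented behaviour rather than taken from the post.

```python
"""ipf rule evaluation as seen in the ruleset above: rules run in order, "quick" ends
evaluation, "skip N" jumps the next N rules, and a "head N" rule defers to "group N",
applying its own action only if no group rule matches.  Simplified model: no state
table, no "with short"/"with ipopt" checks.  RULES_TEXT is an excerpt of the post's rules."""
import ipaddress

RULES_TEXT = """
@54 skip 1 in on dc0 from 192.168.1.0/24 to any
@55 block in log quick on dc0 from any to any
@56 skip 1 in on xl1 from 10.10.10.0/24 to any
@57 block in log quick on xl1 from any to any
@67 skip 1 in proto tcp from any to any flags S/FSRA
@68 block in log quick proto tcp from any to any
@69 block in log quick on dc0 from any to any head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.200/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@71 block in log quick on xl1 from any to any head 300
@1 pass in quick proto tcp from 10.10.10.44/32 to 192.168.1.2/32 port = 25 keep state group 300
@2 block in quick from any to 192.168.1.0/24 group 300
@3 pass in quick from 10.10.10.0/24 to any keep state group 300
"""

def parse_rule(line):
    """Parse one ipfstat-style rule line into a dict of match criteria."""
    t = line.split()
    r = {"id": t[0], "action": t[1], "quick": False, "iface": None,
         "proto": None, "src": None, "sport": None, "dst": None, "dport": None,
         "syn_only": False, "head": None, "group": None}
    i = 3 if t[1] == "skip" else 2                   # "skip N" carries a count
    r["skip"] = int(t[2]) if i == 3 else 0
    r["dir"], i = t[i], i + 1
    while i < len(t):
        w = t[i]
        if w in ("quick", "log"):                    # no-argument keywords
            r["quick"] = r["quick"] or w == "quick"
            i += 1
        elif w in ("on", "proto", "head", "group"):  # one-argument keywords
            r["iface" if w == "on" else w] = t[i + 1]
            i += 2
        elif w in ("from", "to"):                    # address, optional "port = N"
            key = "src" if w == "from" else "dst"
            r[key] = None if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1])
            i += 2
            if i < len(t) and t[i] == "port":
                r[key[0] + "port"] = int(t[i + 2])
                i += 3
        elif w == "flags":                           # S/FSRA: SYN-only packets
            r["syn_only"] = t[i + 1] == "S/FSRA"
            i += 2
        elif w in ("keep", "with"):                  # "keep state", "with short": ignored
            i += 2
        else:
            raise ValueError(f"unsupported token {w!r} in {line!r}")
    return r

def matches(r, p):
    return (r["dir"] == p["dir"]
            and r["iface"] in (None, p["iface"])
            and (r["proto"] is None or p["proto"] in r["proto"].split("/"))
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and r["sport"] in (None, p["sport"])
            and r["dport"] in (None, p["dport"])
            and (p["syn"] or not r["syn_only"]))

def evaluate(rules, p):
    """Return (action, rule_id): ordered rules, quick, skip, head -> group, else head itself."""
    main = [r for r in rules if r["group"] is None]
    action, hit, i = "pass", None, 0                 # ipf default when nothing matches
    while i < len(main):
        r, i = main[i], i + 1
        if not matches(r, p):
            continue
        if r["action"] == "skip":                    # jump over the next N rules
            i += r["skip"]
            continue
        group = [g for g in rules if r["head"] and g["group"] == r["head"] and matches(g, p)]
        for g in group or [r]:                       # no group hit: the head rule applies
            suffix = f" (group {g['group']})" if g["group"] else ""
            action, hit = g["action"], g["id"] + suffix
            if g["quick"]:
                return action, hit
    return action, hit                               # last non-quick match wins

RULES = [parse_rule(ln) for ln in RULES_TEXT.splitlines() if ln.strip()]

def decide(iface, src, dst, proto, dport=None, syn=True):
    """Evaluate a constructed inbound packet against RULES."""
    pkt = {"iface": iface, "dir": "in", "proto": proto, "src": src, "dst": dst,
           "sport": None, "dport": dport, "syn": syn}
    return evaluate(RULES, pkt)

if __name__ == "__main__":
    for args in [("dc0", "192.168.1.5", "10.10.10.44", "tcp", 25),          # LAN -> DMZ SMTP
                 ("dc0", "198.51.100.7", "192.168.1.200", "udp", 53),       # spoofed source on LAN
                 ("xl1", "10.10.10.44", "192.168.1.2", "tcp", 25),          # DMZ relay -> LAN
                 ("xl1", "10.10.10.43", "192.168.1.2", "tcp", 80),          # other DMZ host -> LAN
                 ("dc0", "192.168.1.5", "10.10.10.44", "tcp", 25, False)]:  # non-SYN, no state
        print(args, "->", decide(*args))
```

The traces show why the skip rules matter: a LAN-sourced packet on dc0 skips the catch-all @55 and reaches group 100, while anything with a source outside the listed subnets is blocked by @55 before the group is ever consulted. The non-SYN case lands on @68 only because this model has no state table; on the real firewall an established flow is matched in the state table before the rules are consulted.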