[ previous ] [ next ] [ threads ]
 
 From:  =?ISO-8859-1?Q?Michael_=D8stergaard_Pedersen?= <michael at bytopia dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Possible bug: LAN redirection via static route
 Date:  Tue, 18 May 2004 14:19:57 +0200 (CEST)
Here is even more information about my problem.

My only LAN rule is to accept all traffic coming in on the LAN interface.
I added an additional rule to log all packets that had a SSH port as
destination port. Now the log looks like this when I try to SSH to
172.16.1.1:

14:08:00.260010 dc0 @100:2 p 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp
len 20 60 -S K-S K-F IN

14:08:00.260053 dc0 @100:2 p 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp
len 20 60 -S K-S K-F OUT

14:08:00.260095 dc0 @-1:-1 p 192.168.1.200 -> 192.168.1.201 PR icmp len 20
56 icmp redirect/host for 192.168.1.201,43411 - 172.16.1.1,22 PR tcp len
20 60 K-S K-F OUT

14:10:02.614321 dc0 @0:68 b 192.168.1.201,43411 -> 172.16.1.1,22 PR tcp
len 20 52 -AF IN

This is consistent with what happens in the earlier description I gave.
First the SYN packet goes to the m0n0wall which is forwarded to the router
at 192.168.1.254. After that an ICMP redirect is sent to my host from the
m0n0wall to tell it the best direct route. When my host later tries to
send SSH packets to 172.16.1.1 through the m0n0wall the packets are
dropped.

The new firewall rule that logs the first three packets is:

@2 pass in log quick proto tcp from any to any port = 22 keep state group 100

But for some reason this rule does not match the last packet logged since
it is dropped.

-Michael