On Wed, 26 May 2004, C. Falconer wrote:

> Gidday everyone - I've removed m0n0wall as the firewall and returned to
> using linux.
>
> I have not given up, but having made no real progress I had to back out to a
> working system.

Are you saying that replacing the m0n0wall with a Linux-based firewall and
changing nothing else fixes it? That's *very* strange - see below.

> Right - I've updated my problem description at
> http://staff.avonside.school.nz/cf/m0n0wall/
>
> I can see traffic to the inside machine, so m0n0wall is NATting stuff
> correctly. However the client gets nothing back.

That's because the server is *sending* nothing back. Since you're running
tcpdump on the server box, and seeing the initial SYN packets coming in, and
seeing nothing going out, the problem is on the server. Do you have firewall
rules in effect on the server itself?

> Adam - you gave some great advice thanks. I added the Outbound NAT rule as
> suggested, which didn't help at all.

No surprise. Outbound NAT is for *outbound* connections. With UDP, "outbound"
versus "inbound" distinctions can get murky, but not so with TCP.

> Your suggestion of tcpdump helped - it showed that m0n0wall was indeed

Actually mine. :-)

> sending stuff to the internal machine.

And that it's receiving it, and not responding.

> So from work, I try to get my home web page, and tcpdump shows this:

BTW, if you have access to a shell server (or VPN with outbound WAN access)
anywhere outside, you can use that to test "outside" access from home, which
should make debugging a lot easier.

Fred Wright
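The diagnosis above rests on one observation from a capture taken on the inside server: SYNs arrive, nothing goes back out, so the NAT box is doing its job and the fault is on the server (typically its own host firewall). The script below is an added example, not part of this thread or of m0n0wall; it reads `tcpdump -n` style lines and sorts each client-to-server flow into the three outcomes a practitioner distinguishes: the server answered with SYN-ACK (forwarding and service both fine), the server sent a RST (packets arrive but nothing is listening on that port, or a REJECT rule fired), or the server stayed silent (a DROP rule or dead host). The RST case goes slightly beyond the mail, which only discusses the silent case. The capture text, the server address `192.168.1.10` and the client addresses from the 203.0.113.0/24 documentation range are all constructed for the example.

```python
import re
from collections import defaultdict

# One TCP-over-IPv4 line as printed by `tcpdump -n` (e.g. `tcpdump -n -i eth0 tcp`):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture, as if taken on the inside server (192.168.1.10)
# that the NAT box forwards to. Three flows: a web client whose SYNs are
# retransmitted and never answered, an SSH client that completes a handshake,
# and a client hitting a port where nothing listens.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.51234 > 192.168.1.10.80: Flags [S], seq 1000, win 65535, length 0
12:00:04.000001 IP 203.0.113.5.51234 > 192.168.1.10.80: Flags [S], seq 1000, win 65535, length 0
12:00:10.000001 IP 203.0.113.5.51234 > 192.168.1.10.80: Flags [S], seq 1000, win 65535, length 0
12:00:12.000001 IP 203.0.113.7.40000 > 192.168.1.10.22: Flags [S], seq 2000, win 65535, length 0
12:00:12.000100 IP 192.168.1.10.22 > 203.0.113.7.40000: Flags [S.], seq 9000, ack 2001, win 65535, length 0
12:00:12.000200 IP 203.0.113.7.40000 > 192.168.1.10.22: Flags [.], ack 9001, win 65535, length 0
12:00:15.000001 IP 203.0.113.9.33333 > 192.168.1.10.8080: Flags [S], seq 3000, win 65535, length 0
12:00:15.000050 IP 192.168.1.10.8080 > 203.0.113.9.33333: Flags [R.], seq 0, ack 3001, win 0, length 0
"""

# What each outcome means when the capture is taken on the server itself.
VERDICT_HINT = {
    "answered": "handshake completed: NAT forwarding and the service are both fine",
    "refused": "server sent RST: packets arrive, but nothing listens on that port (or a REJECT rule)",
    "silent-drop": "SYN seen, nothing sent back: check host firewall rules on the server",
}


def parse_lines(text):
    """Yield (src, sport, dst, dport, flags) for every TCP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def classify_flows(text, server_ip):
    """Group packets by client flow and report how the server reacted to the SYN.

    Returns {(client_ip, client_port, server_port): {"syn": count, "verdict": str}}.
    Only the first server reply per flow decides the verdict.
    """
    flows = defaultdict(lambda: {"syn": 0, "reply": None})
    for src, sport, dst, dport, flags in parse_lines(text):
        if dst == server_ip and flags == "S":
            # Inbound bare SYN: a new (or retransmitted) connection attempt.
            flows[(src, sport, dport)]["syn"] += 1
        elif src == server_ip:
            key = (dst, dport, sport)  # flip back to the client's perspective
            if key in flows and flows[key]["reply"] is None:
                if flags == "S.":
                    flows[key]["reply"] = "SYN-ACK"
                elif "R" in flags:
                    flows[key]["reply"] = "RST"
                else:
                    flows[key]["reply"] = "other"

    result = {}
    for key, info in flows.items():
        if info["reply"] == "SYN-ACK":
            verdict = "answered"
        elif info["reply"] == "RST":
            verdict = "refused"
        else:
            verdict = "silent-drop"
        result[key] = {"syn": info["syn"], "verdict": verdict}
    return result


if __name__ == "__main__":
    for (client, cport, sport), info in classify_flows(SAMPLE_CAPTURE, "192.168.1.10").items():
        print(f"{client}:{cport} -> :{sport}  syn={info['syn']}  {info['verdict']}: "
              f"{VERDICT_HINT[info['verdict']]}")
```

Run it against a real capture by saving `tcpdump -n -i <iface> tcp` output to a file and passing its contents to `classify_flows` with the server's own address. A flow that shows several SYNs and `silent-drop` is exactly the pattern Fred describes: the retransmissions prove the NAT keeps forwarding, and the absence of any reply points at the server, not at m0n0wall.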