 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] sis0 blocking email trafic
 Date:  Sun, 27 Jun 2004 17:19:44 -0700 (PDT)
On Sun, 27 Jun 2004, Mike Donegi wrote:

> email server             monowall          cisco adsl
> 192.168.0.1----192.168.0.254(sis0) / 10.0.0.1(sis1) -- 10.0.0.254 --internet
> 
> Incoming connection from rule
> pass in log quick proto tcp from 192.148.x.x/32 to 192.168.0.1/32 port = 25
> keep state group 200
> 
> sis1 @200:1 p 192.148.x.x,51256 -> 192.168.0.1,25 PR tcp len 20 48 -S K-S IN
> sis0 @200:1 p 192.148.x.x,51256 -> 192.168.0.1,25 PR tcp len 20 48 -S K-S OUT
> 
> But email server syn-ack is blocked by sis0
> 
> sis0 @0:17 b 192.168.0.1,25 -> 192.148.x.x,51251 PR tcp len 20 48 -AS IN
> sis0 @0:17 b 192.168.0.1,25 -> 192.148.x.x,51176 PR tcp len 20 48 -AS IN

But these are for different source ports.  Do you have any cases where the
SYN/ACK is blocked to the *same* port that sent the SYN?

> Rule 17 is the default rule
> block in log quick proto tcp from any to any

Yes, and it shouldn't be reached for a packet with a matching state entry.

					Fred Wright
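As an added illustration of the check Fred is asking for (not code from the thread or from m0n0wall), the script below parses ipmon-style log lines like the ones quoted above and, for each blocked SYN/ACK, reports whether a passed state-creating SYN for the reverse 4-tuple was logged. The sample log is constructed from the quoted lines, with the elided "192.148.x.x" replaced by the placeholder address 198.51.100.7; a blocked reply whose source port matches an earlier passed SYN would be the "same port" case worth investigating, while the two quoted replies have no matching state at all.

```python
import re
from typing import Dict, List, Tuple

# Constructed ipmon-style log, modelled on the lines quoted in the thread.
# "192.148.x.x" from the original is replaced by the placeholder 198.51.100.7.
SAMPLE_LOG = """\
sis1 @200:1 p 198.51.100.7,51256 -> 192.168.0.1,25 PR tcp len 20 48 -S K-S IN
sis0 @200:1 p 198.51.100.7,51256 -> 192.168.0.1,25 PR tcp len 20 48 -S K-S OUT
sis0 @0:17 b 192.168.0.1,25 -> 198.51.100.7,51251 PR tcp len 20 48 -AS IN
sis0 @0:17 b 192.168.0.1,25 -> 198.51.100.7,51176 PR tcp len 20 48 -AS IN
"""

# interface, rule ref, action (p=pass, b=block), src,port -> dst,port,
# protocol, header/total length, TCP flags, optional "K-S" (keep state), direction
LINE = re.compile(
    r"^(?P<iface>\S+) @(?P<rule>\S+) (?P<action>[pb]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len \d+ \d+ (?P<flags>-[A-Z]+)(?P<keep> K-S)? (?P<dir>IN|OUT)$"
)

Key = Tuple[str, str, str, str]


def parse(log: str) -> List[dict]:
    """Parse ipmon lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify_blocked_synacks(log: str) -> Dict[Key, str]:
    """For every blocked SYN/ACK, say whether a passed keep-state SYN for the
    reverse 4-tuple was logged earlier ("stateful") or not ("no-state")."""
    states = set()
    verdict: Dict[Key, str] = {}
    for e in parse(log):
        key: Key = (e["src"], e["sport"], e["dst"], e["dport"])
        if e["action"] == "p" and e["flags"] == "-S" and e["keep"]:
            states.add(key)  # a SYN that created a state entry
        elif e["action"] == "b" and e["flags"] == "-AS":
            reverse: Key = (e["dst"], e["dport"], e["src"], e["sport"])
            verdict[key] = "stateful" if reverse in states else "no-state"
    return verdict


if __name__ == "__main__":
    for k, v in classify_blocked_synacks(SAMPLE_LOG).items():
        print(f"{k[0]}:{k[1]} -> {k[2]}:{k[3]}  {v}")
```

A "stateful" verdict means the firewall blocked a reply that should have matched an existing state entry; a "no-state" verdict means the blocked reply answers a SYN the firewall never passed, which is what the two quoted lines show.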