[ previous ] [ next ] [ threads ]
 
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Second m0n0wall as filtering, 1 ethernet interface for in/out
 Date:  Tue, 20 Jul 2004 15:11:14 -0700 (PDT)
On Tue, 20 Jul 2004, Alex Bihlmaier wrote:

> I want to use the m0n0wall software/freebsd package as second packet
> filter in my LAN.

Umm, a "filter" with its inputs and outputs on the same wire?  I fail to
see how that adds any security, since any machine can choose to bypass it.

> There is an existing NAT Gateway and the m0n0wall appliance should be
> the standard gateway in the LAN. Then, the m0n0wall should forward all
> outgoing packets to the existing packet filter.

If you mean that you're putting the m0n0wall on the LAN side of an
existing NAT router, then that's not going to work straightforwardly.  The
inner router would need to do non-NAT routing between two different
subnets, with the machines on each subnet seeing it as the route to the
other.

> I set up the LAN Interface (sis0) correct, in the WAN (sis1) Properties
> i used a host in the network of sis0 as default gateway (netstat -r -n
> confirmes this).

"A host"?  If I understand your setup correctly, the default gateway would
have to be the existing NAT router.

> I can PING an external host, but TCP Communication fails.
> The syslogd shows:
> 
> shuttle ipmon[65]: 13:40:17.999310 sis0 @0:11 b 192.168.222.132,1158 ->
> 83.129.115.238,80 PR tcp len 20 255 -AP IN
> 
> As far as I can see, this packet was captured by ipmon because of the
> default blocking rule.
> BUT I have a allow all rule from this subnet to any.

The user-level rules only affect initial SYN packets.  After that, it's up
to the stateful filtering.  I'm not sure that filtering works correctly at
all when the traffic is coming and going on the same interface.

					Fred Wright