Hi there,

When I take a look at my filter log, I can see a lot of these errors:

Jul 30 16:19:25 router1 ipmon[75]: 16:19:25.174400 sis1 @0:18 b x.x.209.66,80 -> x.x.209.75,1579 PR tcp len 20 48 -AS IN
Jul 30 16:19:25 router1 ipmon[75]: 16:19:25.174452 sis1 @0:18 b x.x.209.66,80 -> x.x.209.75,1577 PR tcp len 20 48 -AS IN
Jul 30 16:26:46 router1 ipmon[75]: 16:26:45.484354 sis1 @0:14 b x.x.24.181,5554 -> x.x.71.229,4331 PR tcp len 20 40 -AR IN
Jul 30 16:26:47 router1 ipmon[75]: 16:26:46.156576 sis1 @0:14 b x.x.24.181,9898 -> x.x.71.229,4790 PR tcp len 20 40 -AR IN
Jul 30 16:28:39 router1 ipmon[75]: 16:28:38.775352 4x sis0 @0:18 b 142.217.205.70,80 -> x.x.209.76,1100 PR tcp len 20 762 -A IN
Jul 30 16:35:53 router1 ipmon[75]: 16:35:52.475592 sis1 @0:14 b x.x.24.181,2745 -> x.x.4.128,3155 PR tcp len 20 40 -AR IN
Jul 30 16:35:53 router1 ipmon[75]: 16:35:52.488054 sis1 @0:14 b x.x.24.181,1025 -> x.x.4.128,3167 PR tcp len 20 40 -AR IN
Jul 30 16:35:53 router1 ipmon[75]: 16:35:52.493003 sis1 @0:14 b x.x.24.181,3127 -> x.x.4.128,3195 PR tcp len 20 40 -AR IN
Jul 30 16:35:53 router1 ipmon[75]: 16:35:52.498031 sis1 @0:14 b x.x.24.181,6129 -> x.x.4.128,3254 PR tcp len 20 40 -AR IN
Jul 30 16:35:53 router1 ipmon[75]: 16:35:52.508042 sis1 @0:14 b x.x.24.181,80 -> x.x.4.128,3326 PR tcp len 20 40 -AR IN
Jul 30 16:35:56 router1 ipmon[75]: 16:35:55.483284 sis1 @0:14 b x.x.24.181,2745 -> x.x.4.128,3155 PR tcp len 20 40 -AR IN
Jul 30 16:35:56 router1 ipmon[75]: 16:35:55.488119 sis1 @0:14 b x.x.24.181,1025 -> x.x.4.128,3167 PR tcp len 20 40 -AR IN
Jul 30 16:35:56 router1 ipmon[75]: 16:35:55.493363 sis1 @0:14 b x.x.24.181,3127 -> x.x.4.128,3195 PR tcp len 20 40 -AR IN
Jul 30 16:35:56 router1 ipmon[75]: 16:35:55.493441 sis1 @0:14 b x.x.24.181,6129 -> x.x.4.128,3254 PR tcp len 20 40 -AR IN
Jul 30 16:35:56 router1 ipmon[75]: 16:35:55.500710 sis1 @0:14 b x.x.24.181,80 -> x.x.4.128,3326 PR tcp len 20 40 -AR IN
Jul 30 16:36:02 router1 ipmon[75]: 16:36:01.515966 sis1 @0:14 b x.x.24.181,80 -> x.x.4.128,3326 PR tcp len 20 40 -AR IN
Jul 30 16:36:02 router1 ipmon[75]: 16:36:01.520890 sis1 @0:14 b x.x.24.181,6129 -> x.x.4.128,3254 PR tcp len 20 40 -AR IN
Jul 30 16:36:02 router1 ipmon[75]: 16:36:01.526013 sis1 @0:14 b x.x.24.181,3127 -> x.x.4.128,3195 PR tcp len 20 40 -AR IN
Jul 30 16:36:02 router1 ipmon[75]: 16:36:01.526280 sis1 @0:14 b x.x.24.181,1025 -> x.x.4.128,3167 PR tcp len 20 40 -AR IN
Jul 30 16:36:02 router1 ipmon[75]: 16:36:01.526618 sis1 @0:14 b x.x.24.181,2745 -> x.x.4.128,3155 PR tcp len 20 40 -AR IN
Jul 30 16:36:10 router1 ipmon[75]: 16:36:09.815477 sis1 @0:18 b x.x.209.66,80 -> x.x.209.75,1808 PR tcp len 20 48 -AS IN
Jul 30 16:36:13 router1 ipmon[75]: 16:36:12.762818 2x sis1 @0:18 b x.x.209.66,80 -> x.x.209.75,1808 PR tcp len 20 48 -AS IN
Jul 30 16:36:19 router1 ipmon[75]: 16:36:18.784630 2x sis1 @0:18 b x.x.209.66,80 -> x.x.209.75,1808 PR tcp len 20 48 -AS IN
Jul 30 16:38:21 router1 ipmon[75]: 16:38:21.444225 sis1 @0:14 b x.x.24.181,2745 -> x.x.54.116,1883 PR tcp len 20 40 -AR IN
Jul 30 16:38:21 router1 ipmon[75]: 16:38:21.449306 sis1 @0:14 b x.x.24.181,1025 -> x.x.54.116,1885 PR tcp len 20 40 -AR IN
Jul 30 16:38:21 router1 ipmon[75]: 16:38:21.456479 sis1 @0:14 b x.x.24.181,3127 -> x.x.54.116,1889 PR tcp len 20 40 -AR IN
Jul 30 16:38:21 router1 ipmon[75]: 16:38:21.461417 sis1 @0:14 b x.x.24.181,6129 -> x.x.54.116,1893 PR tcp len 20 40 -AR IN
Jul 30 16:38:24 router1 ipmon[75]: 16:38:24.432198 sis1 @0:14 b x.x.24.181,2745 -> x.x.54.116,1883 PR tcp len 20 40 -AR IN
Jul 30 16:38:24 router1 ipmon[75]: 16:38:24.434274 sis1 @0:14 b x.x.24.181,1025 -> x.x.54.116,1885 PR tcp len 20 40 -AR IN
Jul 30 16:38:24 router1 ipmon[75]: 16:38:24.439241 sis1 @0:14 b x.x.24.181,3127 -> x.x.54.116,1889 PR tcp len 20 40 -AR IN
Jul 30 16:38:24 router1 ipmon[75]: 16:38:24.444148 sis1 @0:14 b x.x.24.181,6129 -> x.x.54.116,1893 PR tcp len 20 40 -AR IN
Jul 30 16:38:30 router1 ipmon[75]: 16:38:30.452031 sis1 @0:14 b x.x.24.181,6129 -> x.x.54.116,1893 PR tcp len 20 40 -AR IN
Jul 30 16:38:30 router1 ipmon[75]: 16:38:30.457070 sis1 @0:14 b x.x.24.181,3127 -> x.x.54.116,1889 PR tcp len 20 40 -AR IN
Jul 30 16:38:30 router1 ipmon[75]: 16:38:30.464507 sis1 @0:14 b x.x.24.181,1025 -> x.x.54.116,1885 PR tcp len 20 40 -AR IN
Jul 30 16:38:30 router1 ipmon[75]: 16:38:30.469522 sis1 @0:14 b x.x.24.181,2745 -> x.x.54.116,1883 PR tcp len 20 40 -AR IN
Jul 30 16:51:01 router1 ipmon[75]: 16:51:00.697845 sis1 @0:18 b x.x.209.66,80 -> x.x.209.75,1834 PR tcp len 20 48 -AS IN

I'm now using Monowall 1.1b15 (previously the last release; I tried the beta to solve these problems). I'm using a Soekris 4821 board with 3 interfaces.

Here is the rules list (from the status.php page):

@1 pass out quick on lo0 from any to any
@2 pass out quick on sis1 proto udp from x.x.209.65/32 port = 67 to any port = 68
@3 pass out quick on sis2 proto udp from x.x.209.94/32 port = 67 to any port = 68
@4 pass out quick on sis0 proto udp from any port = 68 to any port = 67
@5 pass out quick on sis1 from any to any keep state
@6 pass out quick on sis0 from any to any keep state
@7 pass out quick on sis2 from any to any keep state
@8 block out log quick from any to any

@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on sis1 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on sis1 proto udp from any port = 68 to x.x.209.65/32 port = 67
@6 pass in quick on sis2 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@7 pass in quick on sis2 proto udp from any port = 68 to x.x.209.94/32 port = 67
@8 block in log quick on sis0 from x.x.209.64/29 to any
@9 block in log quick on sis0 from x.x.209.80/28 to any
@10 block in log quick on sis0 proto udp from any port = 67 to x.x.209.64/29 port = 68
@11 pass in quick on sis0 proto udp from any port = 67 to any port = 68
@12 skip 2 in on sis1 from x.x.209.72/29 to any
@13 skip 1 in on sis1 from x.x.209.64/29 to any
@14 block in log quick on sis1 from any to any
@15 skip 1 in on sis2 from x.x.209.80/28 to any
@16 block in log quick on sis2 from any to any
@17 skip 1 in proto tcp from any to any flags S/FSRA
@18 block in log quick proto tcp from any to any
@19 block in log quick on sis1 from any to any head 100
@1 pass in quick from x.x.209.64/29 to x.x.209.65/32 keep state group 100
@2 pass in quick from any to any keep state keep frags group 100
@20 block in log quick on sis0 from any to any head 200
@1 pass in quick from any to any keep state keep frags group 200
@21 block in log quick on sis2 from any to any head 300
@1 pass in quick from any to any keep state keep frags group 300
@22 block in log quick from any to any

There is a lot of stuff in there, because the only rules configured in the web interface are:

WAN: source:any Dest.:any (allow frag packets)
LAN: source:any Dest.:any (allow frag packets)
OPT1: source:any Dest.:any (allow frag packets)

Last thing, I'm using monowall as a 'real' router. No NAT. On all 3 interfaces there is a public IP address. And when an error occurs in the filter log, a web page cannot be displayed in the browser (or Outlook freezes while retrieving mail).

I hope someone here can help me,

Best Regards,
eric.
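
An added example, not part of the original message: a small Python parser for the ipmon lines above that groups blocked packets by interface, @group:rule and TCP flags, and prints the matching rule text from the posted rule list next to each bucket. The function names and the IN_RULES table are introduced here for illustration; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Four lines copied from the post (addresses masked as posted); the first keeps
# the wrapped "- >" arrow to show that the pattern tolerates it.
SAMPLE = """\
Jul 30 16:19:25 router1 ipmon[75]: 16:19:25.174400 sis1 @0:18 b x.x.209.66,80 - > x.x.209.75,1579 PR tcp len 20 48 -AS IN
Jul 30 16:26:46 router1 ipmon[75]: 16:26:45.484354 sis1 @0:14 b x.x.24.181,5554 -> x.x.71.229,4331 PR tcp len 20 40 -AR IN
Jul 30 16:28:39 router1 ipmon[75]: 16:28:38.775352 4x sis0 @0:18 b 142.217.205.70,80 -> x.x.209.76,1100 PR tcp len 20 762 -A IN
Jul 30 16:36:13 router1 ipmon[75]: 16:36:12.762818 2x sis1 @0:18 b x.x.209.66,80 -> x.x.209.75,1808 PR tcp len 20 48 -AS IN
"""

# Inbound rules named by the log's @group:rule field, copied from the post's rule list.
IN_RULES = {
    (0, 14): "block in log quick on sis1 from any to any",
    (0, 18): "block in log quick proto tcp from any to any",
}

LINE = re.compile(
    r"ipmon\[\d+\]: \S+ (?:(?P<count>\d+)x )?(?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -\s*> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len \d+ \d+ -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)"
)

def parse(line):
    """Return the fields of one ipmon line, or None if it does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)  # optional "Nx" repeat prefix
    rec["rule_id"] = (int(rec["group"]), int(rec["rule"]))
    return rec

def summarize(text):
    """Count blocked packets per (interface, rule, TCP flags)."""
    hits = Counter()
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["action"] == "b":  # "b" marks a blocked packet
            hits[(rec["ifname"], rec["rule_id"], rec["flags"])] += rec["count"]
    return hits

def report(text):
    """One line per bucket, with the matching rule text beside it."""
    return [
        f"{n:3d}  {ifname} @{rid[0]}:{rid[1]} flags={flags}  "
        f"{IN_RULES.get(rid, '(rule not listed)')}"
        for (ifname, rid, flags), n in summarize(text).most_common()
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```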