On Aug 30, 2004, at 9:27 PM, Chris Buechler wrote:

> Does the machine you are trying to access from have an IP on that
> subnet? Is the subnet mask on the m0n0wall correct? Can you ping the
> LAN interface's IP? If you can't ping that IP from the machine you
> are trying to get to the web interface from, then that machine's
> configuration is likely your problem.

Yes, when changing the LAN interface IP/mask I also update the DHCP range to match. (Incidentally, the gui-conf for the DHCP dynamic range showing the correct available range for non-/24s is a nice touch.) I've tried using DHCP to obtain the IP, as well as hardcoding it on the client system. My test system doesn't even get ARP established against the m0n0wall box.

> Many or most firewalls block ICMP by default. I believe the WAN port
> just drops echo request packets and probably a couple other of the
> unnecessary types, not the couple you don't want to block. I could
> very well be wrong on that. Regardless, RFC 2979 says it is
> acceptable to drop echo request packets amongst other types.
>
> I don't see where what it does is inappropriate.
>
> -Chris

Based on what I see, there is a default deny for all inbound packets that are not part of an existing outbound session. I'll dig further on this when I get a chance to dump the src somewheres. ICMP echo is OK to drop, but as the latter RFC points out, there is other ICMP traffic that is bad to wholesale dump, as it breaks things like path MTU discovery.

Joshua Coombs
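To illustrate the distinction drawn above between echo requests and the ICMP error messages that path MTU discovery depends on, here is an added example written in IPFilter rule syntax; it is not from the m0n0wall source or from anyone in this thread, and the interface name wan0 and the rule layout are assumptions, not m0n0wall's actual generated rules.

```text
# Assumed interface name: wan0 (placeholder, not from m0n0wall's config)

# --- Weak: drop every inbound ICMP message on the WAN side ---
# Hosts behind the firewall never see "fragmentation needed" (type 3, code 4),
# so any path with a smaller MTU silently stalls large TCP transfers.
block in quick on wan0 proto icmp from any to any

# --- Corrected: still drop echo requests, but pass the error messages
# that existing sessions rely on, then drop everything else ---
block in quick on wan0 proto icmp from any to any icmp-type echo
# Destination unreachable, code 4 = fragmentation needed (path MTU discovery)
pass  in quick on wan0 proto icmp from any to any icmp-type unreach code 4
# Other unreachables let connections fail fast instead of timing out
pass  in quick on wan0 proto icmp from any to any icmp-type unreach
# Time exceeded (traceroute, TTL expiry) and parameter problem
pass  in quick on wan0 proto icmp from any to any icmp-type timex
pass  in quick on wan0 proto icmp from any to any icmp-type paramprob
# Source quench
pass  in quick on wan0 proto icmp from any to any icmp-type squench
# Anything else inbound over ICMP is dropped and logged
block in log quick on wan0 proto icmp from any to any
```

A quick check for the behaviour described in the thread is a large transfer to a host reached over a link with a reduced MTU: with the weak rules it hangs after the first few packets, with the corrected rules the sender shrinks its segment size and the transfer completes.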