I don't know if anyone else has suggested this and perhaps you've already
double-checked this...
Did you check to see that a firewall rule was created to allow the host on
the inside of your firewall to communicate with the outside world?
I'm unsure if this one is automatically created. The below is what is on my
M0n0wall installation screen for my rule allowing inside hosts to contact
the outside world. Some may choose to make their rules more restrictive than
this to prevent trojans from 'phoning home'.
Regards, Ernie KS4Q
Action: Pass | Block | Reject
    Choose what to do with packets that match the criteria specified below.
    Hint: the difference between block and reject is that with reject, a
    packet (TCP RST or ICMP port unreachable for UDP) is returned to the
    sender, whereas with block the packet is dropped silently. In either
    case, the original packet is discarded. Reject only works when the
    protocol is set to either TCP or UDP (but not "TCP/UDP") below.

Disabled: [ ] Disable this rule
    Set this option to disable this rule without removing it from the list.

Interface: WAN | LAN | PPTP | DMZ
    Choose on which interface packets must come in to match this rule.

Protocol: TCP | UDP | TCP/UDP | ICMP | ESP | AH | GRE | IPv6 | IGMP | any
    Choose which IP protocol this rule should match.
    Hint: in most cases, you should specify TCP here.

Source: [ ] not
    Use this option to invert the sense of the match.
    Type: any | Single host or alias | Network | LAN subnet | PPTP clients |
          DMZ subnet
    Address: ________ / netmask bits (31 down to 1)
    Source port range from: (other) | any | FTP | SSH | Telnet | SMTP | DNS |
                            HTTP | POP3 | IMAP | HTTPS
                      to:   (other) | any | FTP | SSH | Telnet | SMTP | DNS |
                            HTTP | POP3 | IMAP | HTTPS
    Specify the port or port range for the source of the packet for this rule.
    Hint: you can leave the 'to' field empty if you only want to filter a
    single port.

Destination: [ ] not
    Use this option to invert the sense of the match.
    Type: any | Single host or alias | Network | LAN subnet | PPTP clients |
          DMZ subnet
    Address: ________ / netmask bits (31 down to 1)
    Destination port range from: (other) | any | FTP | SSH | Telnet | SMTP |
                                 DNS | HTTP | POP3 | IMAP | HTTPS
                           to:   (other) | any | FTP | SSH | Telnet | SMTP |
                                 DNS | HTTP | POP3 | IMAP | HTTPS
    Specify the port or port range for the destination of the packet for
    this rule.
    Hint: you can leave the 'to' field empty if you only want to filter a
    single port.

Fragments: [ ] Allow fragmented packets
    Hint: this option puts additional load on the firewall and may make it
    vulnerable to DoS attacks. In most cases, it is not needed. Try enabling
    it if you have troubles connecting to certain sites.

Log: [ ] Log packets that are handled by this rule
    Hint: the firewall has limited local log space. Don't turn on logging
    for everything. If you want to do a lot of logging, consider using a
    remote syslog server (see the Diagnostics: System logs: Settings page).

Description: ________
    You may enter a description here for your reference (not parsed).
Proto  Source   Port  Destination  Port  Description
*      LAN net  *     *            *     Default LAN -> any
----- Original Message -----
From: "Gordon Day" <gordon at deepcovelabs dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, September 27, 2004 8:24 PM
Subject: [m0n0wall] Simple NAT configuration fails
> Like a number of others on the mailing list, I've found that a very simple
> NAT configuration does not work with m0n0 wall. My setup is simply:
>
> any.host.com --> m0n0 (WAN IP a.b.c.d, port 25)
>
> m0n0 inbound NAT a.b.c.d, port 25 --> internal server (LAN IP 10.0.0.8,
> port 25)
>
> I created the NAT configuration and allowed m0n0 to create the firewall
> rule automatically but no joy. I've tried creating the rules by hand but
> this has the same result. If I examine the firewall log page it shows the
> incoming connections to the firewall, but the traffic never reaches the
> internal mail server (I've attached a snapshot of the log). The only odd
> thing I've noticed is that there are two log entries for each connection
> attempt, one on the WAN i/f and one on the LAN i/f but they look
> identical, which isn't what I would expect.
>
> My m0n0wall version is 1.1. Any suggestions would be gratefully received.
>
> Cheers,
>
> Gordon Day.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
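The following is an added illustration for this thread, not code from either message and not m0n0wall's own code (m0n0wall drives FreeBSD ipfilter, whose rule language differs). It is a toy first-match filter built from the fields of the rule form pasted above, used to check which rule actually covers Gordon's inbound port-25 connection. It assumes that inbound NAT is applied before filtering, so the WAN pass rule's destination is the translated address 10.0.0.8 rather than a.b.c.d; the 10.0.0.0/24 LAN subnet, the outside client addresses and the rule descriptions are constructed.

```python
"""Toy first-match packet filter modelled on the m0n0wall rule form quoted
in this thread. Added example, not m0n0wall code; all addresses, rule names
and the NAT-before-filter ordering are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                       # "pass", "block" or "reject"
    interface: str                    # interface the packet must come IN on
    proto: str                        # "tcp", "udp", "tcp/udp", "icmp", "any"
    src: str                          # CIDR or "any"
    dst: str                          # CIDR or "any"
    dport_from: Optional[int] = None  # destination port range start; None = any
    dport_to: Optional[int] = None    # empty 'to' means a single port
    description: str = ""
    disabled: bool = False            # "Disabled" box: keep the rule but skip it


@dataclass
class Packet:
    interface: str   # interface it arrived on
    proto: str
    src: str
    dst: str         # address AFTER inbound NAT (assumption: NAT precedes filtering)
    dport: int


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    if rule_proto == "any":
        return True
    if rule_proto == "tcp/udp":
        return pkt_proto in ("tcp", "udp")
    return rule_proto == pkt_proto


def _addr_matches(rule_net: str, addr: str) -> bool:
    if rule_net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_net, strict=False)


def _port_matches(rule: Rule, port: int) -> bool:
    if rule.dport_from is None:
        return True
    hi = rule.dport_to if rule.dport_to is not None else rule.dport_from
    return rule.dport_from <= port <= hi


def verdict_for(rule: Rule) -> str:
    """What the sender observes, per the form's hint: reject answers only for
    TCP or UDP rules (not "TCP/UDP"); block, and unsupported reject, are silent."""
    if rule.action == "pass":
        return "pass"
    if rule.action == "reject" and rule.proto == "tcp":
        return "reject: TCP RST returned"
    if rule.action == "reject" and rule.proto == "udp":
        return "reject: ICMP port unreachable returned"
    return "drop silently"


def evaluate(rules, pkt: Packet):
    """First matching enabled rule wins; no match is the implicit default deny."""
    for r in rules:
        if r.disabled or r.interface != pkt.interface:
            continue
        if (_proto_matches(r.proto, pkt.proto) and _addr_matches(r.src, pkt.src)
                and _addr_matches(r.dst, pkt.dst) and _port_matches(r, pkt.dport)):
            return verdict_for(r), r.description
    return "drop silently", "(implicit default deny)"


LAN_NET = "10.0.0.0/24"   # constructed subnet containing Gordon's 10.0.0.8
MAIL_SERVER = "10.0.0.8"

# The rule pasted above: Proto * | Source LAN net | * | * | * | Default LAN -> any
DEFAULT_LAN = Rule("pass", "LAN", "any", LAN_NET, "any", description="Default LAN -> any")
# The WAN rule an inbound NAT for port 25 needs; destination is the internal
# address because this model applies NAT before the filter (assumption).
SMTP_IN = Rule("pass", "WAN", "tcp", "any", MAIL_SERVER + "/32", 25,
               description="NAT SMTP -> 10.0.0.8")

# Constructed packets; outside hosts use RFC 5737 documentation addresses.
INBOUND_SMTP = Packet("WAN", "tcp", "198.51.100.7", MAIL_SERVER, 25)
OUTBOUND_WEB = Packet("LAN", "tcp", "10.0.0.20", "203.0.113.10", 443)


def inbound_without_wan_rule():
    return evaluate([DEFAULT_LAN], INBOUND_SMTP)


def inbound_with_wan_rule():
    return evaluate([DEFAULT_LAN, SMTP_IN], INBOUND_SMTP)


def outbound_from_lan():
    return evaluate([DEFAULT_LAN, SMTP_IN], OUTBOUND_WEB)


def reject_variants():
    """Reject on a tcp rule, on a udp rule, and on a tcp/udp rule (acts like block)."""
    probe_tcp = Packet("WAN", "tcp", "198.51.100.7", "203.0.113.1", 23)
    probe_udp = Packet("WAN", "udp", "198.51.100.7", "203.0.113.1", 53)
    return (evaluate([Rule("reject", "WAN", "tcp", "any", "any")], probe_tcp)[0],
            evaluate([Rule("reject", "WAN", "udp", "any", "any")], probe_udp)[0],
            evaluate([Rule("reject", "WAN", "tcp/udp", "any", "any")], probe_tcp)[0])


if __name__ == "__main__":
    print("inbound, LAN rule only :", inbound_without_wan_rule())
    print("inbound, with WAN rule :", inbound_with_wan_rule())
    print("outbound from LAN      :", outbound_from_lan())
    print("reject variants        :", reject_variants())
```

The point the model makes is that a LAN-side "Default LAN -> any" rule is evaluated only for packets entering on LAN, so it contributes nothing to a connection arriving on WAN; the inbound NAT needs its own WAN pass rule, and under the NAT-before-filter assumption that rule's destination is the internal host, not the WAN address. The reject variants reproduce the form's hint: a TCP-only rule answers with a RST, a UDP-only rule with ICMP port unreachable, and a "TCP/UDP" reject rule falls back to a silent drop.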