 From:  Ziekke <ziekke at ziekke dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Filter Rules between LAN/OPT1
 Date:  Sat, 2 Oct 2004 10:44:07 -0400
I've managed to solve this problem. And since I hate it when people ask questions,
solve their problems and don't let others know (in case it happens in the
future), I will let you in.
In addition to the weird filter issues, I've been having problems with my
interfaces dropping whenever I altered things like the Static Routes, DHCP
settings, Interface settings or even anything on the Advanced page.

This was peculiar, so I decided to strip my m0n0wall down to factory defaults
and manually enter all rules and settings back the way they should be. (In case
something got corrupted or broken at some point).

This seems to have resolved all my rule issues, and my captive portal is now
chugging away happily without being able to access my LAN.

One point to note, backing up the XML configuration and restoring it would not
resolve the issue, even after restoring defaults. This was the first thing I
tried for obvious reasons :)

Hope this helps others in the future (I know there was someone else with the
same issue quite recently ).

Good luck!

Quoting Ziekke <ziekke at ziekke dot net>:

> I've been doing a little more checking on the system and have found a few
> peculiar things.
>
> Any rules that I have added to my Rules section in the webGUI don't seem to be
> making it to the ipfw rules list at all (ipfw -d list pasted at bottom).
>
> The rules that I dont see there are, for example:
>
> ---
> Proto: *
> Source: 192.168.8.2
> Port: *
> Destination: 192.168.7.5
> Port *
> ---
> Proto: TCP
> Source: LAN net
> Port: *
> Destination: LAN2 net
> Port: *
> ---
>
> Also of possible interest are two rules in the ipfw rule list:
> "01001 allow ip from any to any layer2 not via rl0"
>
> It does not show up in the rules page at all, and from what I make of it, it
> basically means that any traffic going from anywhere to anywhere as long as it
> isn't rl0 (which is my WAN interface) will be allowed unconditionally.
>
> The fact that it is the second rule in the list leads me to believe it is
> nullifying anything else I try to add in to manage my local LAN.
>
> I have no experience whatsoever in reading IPFW rulesets, so if someone could
> give me a little insight on this, whether I've found something, or a possible
> cure to my problem it would be greatly appreciated!
>
> Also, I have disabled the anti-lockout rule on the advanced page in case that is
> what is causing my problem, but that didn't solve anything.
>
> $ ipfw -d list
> 01000 skipto 50000 ip from any to any not layer2 not via rl0
> 01001 allow ip from any to any layer2 not via rl0
> 01100 allow ip from any to any layer2 mac-type 0x0806
> 01101 deny ip from any to any layer2 not mac-type 0x0800
> 01102 skipto 20000 ip from any to any layer2
> 01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
> 01201 allow udp from any 68 to 192.168.8.1 dst-port 67 in
> 01202 allow udp from 192.168.8.1 67 to any dst-port 68 out
> 01203 allow icmp from 192.168.8.1 to any out icmptypes 8
> 01204 allow icmp from any to 192.168.8.1 in icmptypes 0
> 01300 allow udp from any to 192.168.8.1 dst-port 53 in
> 01301 allow udp from 192.168.8.1 53 to any out
> 01302 allow tcp from any to 192.168.8.1 dst-port 8000 in
> 01303 allow tcp from 192.168.8.1 8000 to any out
> 01304 allow tcp from any to 192.168.8.1 dst-port 8001 in
> 01305 allow tcp from 192.168.8.1 8001 to any out
> 10000 skipto 50000 ip from any to 192.168.8.1 in
> 10000 skipto 50000 ip from 192.168.8.1 to any out
> 10001 skipto 50000 ip from any to 192.168.7.1 in
> 10001 skipto 50000 ip from 192.168.7.1 to any out
> 10002 skipto 50000 ip from 192.168.8.2 to any in
> 10002 skipto 50000 ip from any to 192.168.8.2 out
> 19900 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
> 19901 allow tcp from any 80 to any out
> 19902 deny ip from any to any
> 20002 deny ip from 192.168.8.2 not MAC any 00:0c:f1:08:97:48 any layer2 in
> 20002 deny ip from any to 192.168.8.2 not MAC 00:0c:f1:08:97:48 any layer2
> out
> 29900 allow ip from any to any layer2
> 50000 allow ip from 192.168.7.1 to any
> 50001 allow ip from any to 192.168.7.1
> 50002 pipe 1 tcp from 192.168.7.0/24 9180 to not 213.112.232.21 out via ng0
> 50003 pipe 1 tcp from 192.168.7.0/24 1757 to not 213.112.232.21 out via ng0
> 50004 pipe 2 tcp from 192.168.7.3 80 to any out via ng0
> 65535 allow ip from any to any
>
> --
> // Ziekke
>


--
// Ziekke
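A first-match walk over the captive portal ruleset quoted in the thread, as an added example that is not part of the original post: it parses a trimmed copy of the `ipfw -d list` output and traces which rule terminates a packet, following `skipto` jumps, so the difference between the layer-2 and layer-3 passes through rules 01000/01001 can be checked rather than guessed. It assumes `sis0` as an invented name for an interface other than rl0, models only the in/out, layer2 and via options (rules carrying mac-type, MAC, icmptypes or dst-port are treated as never matching, which holds for plain IPv4 from a registered MAC), and is written in Python since nothing on the page prescribes a language.

```python
import ipaddress, re

# Constructed data: a trimmed copy of the thread's `ipfw -d list` output.
RULESET = """\
01000 skipto 50000 ip from any to any not layer2 not via rl0
01001 allow ip from any to any layer2 not via rl0
01102 skipto 20000 ip from any to any layer2
01300 allow udp from any to 192.168.8.1 dst-port 53 in
10002 skipto 50000 ip from 192.168.8.2 to any in
19902 deny ip from any to any
29900 allow ip from any to any layer2
50000 allow ip from 192.168.7.1 to any
65535 allow ip from any to any
"""
RULE = re.compile(r"(\d+) (\w+)(?: (\d+))? (\w+) from (not )?(\S+)(?: \d+)? to (not )?(\S+)(.*)")
OPT = re.compile(r"(not )?(?:(in|out|layer2)\b|via (\S+)|(\S+))")

def parse_rule(line):
    """Parse one listing line; options outside the packet model mark the rule unmodelled."""
    num, action, arg, proto, sneg, src, dneg, dst, rest = RULE.match(line).groups()
    r = {"num": int(num), "action": action, "arg": arg, "proto": proto, "opts": {},
         "src": (src, bool(sneg)), "dst": (dst, bool(dneg)), "unmodelled": False}
    for neg, flag, via, other in OPT.findall(rest):
        if other:                      # mac-type, MAC, icmptypes, dst-port, ...: never matches here
            r["unmodelled"] = True
        else:
            key, want = ("via", via) if via else ("layer2", True) if flag == "layer2" else ("dir", flag)
            r["opts"][key] = (want, bool(neg))   # (expected value, negated?)
    return r

def matches(r, pkt):
    """True if pkt (proto/src/dst/dir/layer2/via) matches rule r."""
    if r["unmodelled"] or r["proto"] not in ("ip", pkt["proto"]):
        return False
    for key in ("src", "dst"):
        pat, neg = r[key]
        if (pat == "any" or ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(pat, False)) == neg:
            return False
    return all((pkt[k] == want) != neg for k, (want, neg) in r["opts"].items())

def first_match(rules, pkt):
    """Walk the rules in order, honouring skipto, and return (number, action) of the terminating rule."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
        elif r["action"] == "skipto":  # jump to the first rule numbered >= target
            i = next((j for j, x in enumerate(rules) if x["num"] >= int(r["arg"])), len(rules))
        else:
            return r["num"], r["action"]

RULES = [parse_rule(l) for l in RULESET.splitlines()]
# Constructed packets: 192.168.8.2 -> 192.168.7.5 on invented interface sis0, as a layer-2 frame and at layer 3.
LAN_FRAME = dict(proto="ip", src="192.168.8.2", dst="192.168.7.5", dir="in", layer2=True, via="sis0")
LAN_PKT = dict(LAN_FRAME, layer2=False)
```

Rule 01001 ends the layer-2 pass for any frame not on rl0, but the same packet is evaluated again at layer 3, where 01000 sends it to the 50000 block; note also that the m0n0wall webGUI filter rules are loaded into ipfilter, not ipfw, so they never appear in this listing at all.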