Topic: Bypass of rules  (Read 4407 times)
« on: April 28, 2008, 09:19:36 »
Tgellan
Posts: 10

Hi,

I'm currently using version 1.233 but I saw this issue already on older releases.
I do log my traffic to a syslog server.

It seems to me that in some special cases m0n0wall sometimes either logs traffic wrongly or it skips a rule or two... Let me explain:

I have some rules (of course) but here are the two relevant ones on the LAN interface:
   - Allow (NO LOG) TCP  LAN net/*  */443      (Number 5 of rules, included inactives)
   - Block (LOG)        *           */*       */*         (Last rule)

But I keep logging the following line every 5 minutes:
2008-04-11 17:03:03   Local0.Warning   <LAN net IP>   Apr 11 17:03:02 ipmon[86]: 17:03:01.322544 fxp0 @0:11 b <LAN net IP> (laptop.local) ,3985 -> 194.x.x.x (unresolved) ,443 PR tcp len 20 40 -AR IN

 - I verified that the logged IP is really in the range of the LAN net
 - The laptop was on during the weekend with some browsers still running -> generating traffic
 - The destination IP is the webmail server of my provider
 - The webmail was logged in during that time, and didn't time out, thus there was definitely some traffic on port 443
 - It was the only https connection during the weekend

Maybe I missed something, but as to my understanding, I should never see any traffic originating from LAN net about https traffic...? Em, I also verified the rules above the https one, they only consider the destination ports 21, 23 and 80, so they are not to be considered....
What confuses me most is the fact that in general I do not see any traffic on port 443. It seems to me that this only occurs when the laptop sits idle for quite some time. That means screenlock; hibernation is deactivated as it's the syslog server... I suspect a relation with the DHCP server from m0n0wall, but the logs say that it just does fine. Well, I can see requests being acknowledged every hour from the laptop and the NAS.

PS: Just checked the defaults for the DHCP server, it's left to default which states 7200s, so there's a typo under Services: DHCP server, "The default is 7200 seconds." (should be 3600)


Confused and hoping for enlightenment
T'Gellan
« Reply #1 on: April 30, 2008, 08:24:58 »
Manuel Kasper
Administrator
Posts: 364

This should explain the behavior that you are seeing:

http://doc.m0n0.ch/handbook/faq-legit-traffic-dropped.html
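A way to triage log lines like the one in the first post, added here as an example (it is not code from the thread or from the m0n0wall project). It assumes the ipmon log layout shown in the quoted line, and it assumes the usual stateful-filter explanation: a pass rule of the `flags S keep state` kind only creates state for a SYN packet, so once a connection's state has expired from idling, its later ACK/RST/FIN packets match no pass rule and fall through to the final block rule. The parser therefore separates "blocked" entries into real new-connection attempts (SYN only) and stale-state leftovers (no SYN), which is the distinction a reader needs before concluding a rule was skipped. All addresses and lines in `SAMPLE_LOG` are constructed from documentation ranges; the regex and category names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines modelled on the ipmon entry quoted in the thread.
# Addresses are from RFC 1918 / RFC 5737 documentation ranges; none are real hosts.
SAMPLE_LOG = """\
Apr 11 17:03:02 ipmon[86]: 17:03:01.322544 fxp0 @0:11 b 192.168.1.23 (laptop.local) ,3985 -> 198.51.100.7 (unresolved) ,443 PR tcp len 20 40 -AR IN
Apr 11 17:08:02 ipmon[86]: 17:08:01.118200 fxp0 @0:11 b 192.168.1.23,3985 -> 198.51.100.7,443 PR tcp len 20 40 -AR IN
Apr 11 17:09:30 ipmon[86]: 17:09:29.004411 fxp0 @0:11 b 192.168.1.40,51022 -> 198.51.100.9,22 PR tcp len 20 60 -S IN
Apr 11 17:10:01 ipmon[86]: 17:10:00.554000 fxp0 @0:5 p 192.168.1.40,51023 -> 198.51.100.7,443 PR tcp len 20 60 -S IN
Apr 11 17:10:05 ipmon[86]: 17:10:04.000100 fxp0 @0:11 b 192.168.1.40,5353 -> 224.0.0.251,5353 PR udp len 20 120 IN
"""

# ipmon layout (assumed from the quoted line): time iface @group:rule action
# src[ (name)],sport -> dst[ (name)],dport PR proto len hlen total [-FLAGS] IN|OUT
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[^\s,]+)(?:\s+\([^)]*\))?\s*,(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^\s,]+)(?:\s+\([^)]*\))?\s*,(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<dir>IN|OUT)"
)


@dataclass
class Entry:
    rule: int
    action: str       # "b" = block, "p" = pass
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str        # TCP flag letters as printed by ipmon, "" for non-TCP
    direction: str


def parse_ipmon(line: str) -> Optional[Entry]:
    """Parse one syslog line carrying an ipmon record; None if it is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    return Entry(
        rule=int(m.group("rule")),
        action=m.group("action"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        proto=m.group("proto"),
        flags=m.group("flags") or "",
        direction=m.group("dir"),
    )


def classify(e: Entry) -> str:
    """Decide whether a blocked packet was a real connection attempt or stale-state residue."""
    if e.action == "p":
        return "passed"
    if e.proto != "tcp":
        return "blocked-other"
    syn, ack = "S" in e.flags, "A" in e.flags
    if syn and not ack:
        # A SYN without ACK is a genuine new connection that no pass rule accepted.
        return "blocked-new-connection"
    if not syn:
        # ACK/RST/FIN with no SYN (the thread's "-AR"): leftover of a connection
        # whose state already expired; it cannot match a SYN-only pass rule, so
        # it lands on the final block rule. Not a rule bypass.
        return "blocked-stale-state"
    return "blocked-other"


def triage(log_text: str) -> Dict[str, int]:
    """Count log lines per category; non-ipmon lines are ignored."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_ipmon(line)
        if e is not None:
            counts[classify(e)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_ipmon(line)
        if e:
            print(f"rule {e.rule:>2} {e.action} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
                  f"{e.proto} flags={e.flags or '-'} => {classify(e)}")
    print(triage(SAMPLE_LOG))
```

Run against a real syslog export, a steady trickle of `blocked-stale-state` entries to ports you explicitly allow is the pattern the FAQ describes, whereas `blocked-new-connection` entries on such ports would actually point at a rule-ordering problem.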