Topic: ALL requests from one IP incorrectly blocked (allow rule not matched)  (Read 1430 times)
« on: September 16, 2008, 08:50:02 »
linuxamp
Guest

I have servers running on my network behind Monowall.  All servers have their own global IP address using advanced outbound routing xxx.xxx.64.89/29.

I set up rules to allow all traffic to the necessary ports, such as 80, on a few of these servers.  Most people can access the servers, but connections to any service from my other ISP fail.  The firewall logs the blocked attempts as if no rules matched.

Here is the blocked access
Sep 16 15:05:25 monowall ipmon[91]: 15:05:25.266711 ng0 @0:6 b xxx.xxx.133.206,36854 -> xxx.xxx.64.90,443 PR tcp len 20 52 -S IN

Access to all services on all servers is blocked from this IP.

I have no block rules, just accept rules.
Here are the firewall rules from status.php:
Quote
@1 pass out quick on lo0 from any to any
@2 pass out quick on dc0 proto udp from xxx.xxx.64.89/32 port = 67 to any port = 68
@3 pass out quick on ng0 proto udp from any port = 68 to any port = 67
@4 pass out quick on dc0 from any to any keep state
@5 pass out quick on ng0 from any to any keep state
@6 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on dc0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on dc0 proto udp from any port = 68 to xxx.xxx.64.89/32 port = 67
@6 block in log quick on ng0 from xxx.0.0.0/8 to any
@7 block in log quick on ng0 proto udp from any port = 67 to xxx.0.0.0/8 port = 68
@8 pass in quick on ng0 proto udp from any port = 67 to any port = 68
@9 block in log quick on dc0 from !xxx.0.0.0/8 to any
@10 skip 1 in proto tcp from any to any flags S/FSRA
@11 block in log quick proto tcp from any to any
@12 block in log quick on dc0 from any to any head 100
@1 pass in quick from xxx.0.0.0/8 to xxx.xxx.64.89/32 keep state group 100
@2 pass in quick from xxx.0.0.0/8 to any keep state group 100
@13 block in log quick on ng0 from any to any head 200
@1 pass in quick proto tcp from any to xxx.xxx.64.92/32 port = 80 keep state group 200
@2 pass in quick proto tcp from any to xxx.xxx.64.92/32 port = 443 keep state group 200
@3 pass in quick proto tcp from any to xxx.xxx.64.92/32 port = xx keep state group 200
@4 pass in quick proto tcp from any to xxx.xxx.64.92/32 port = xx keep state group 200
@5 pass in quick proto tcp from any to xxx.xxx.64.92/32 port = xx keep state group 200
@6 pass in quick proto tcp from any to xxx.xxx.64.92/32 port = xx keep state group 200
@7 pass in quick proto udp from any to xxx.xxx.64.92/32 port xx >< xx keep state group 200
@8 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = xx keep state group 200
@9 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = 80 keep state group 200
@10 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = xx keep state group 200
@11 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = xx keep state group 200
@12 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = 443 keep state group 200
@13 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = xx keep state group 200
@14 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = xx keep state group 200
@15 pass in quick proto udp from any to xxx.xxx.64.91/32 port xx >< xx keep state group 200
@16 pass in quick proto tcp from any to xxx.xxx.64.91/32 port = xx keep state group 200
@17 pass in quick proto tcp from any to xxx.xxx.64.90/32 port = xx keep state group 200
@18 pass in quick proto tcp from any to xxx.xxx.64.90/32 port = 443 keep state group 200
@19 pass in quick proto tcp from any to xxx.xxx.64.90/32 port = xx keep state group 200
@20 pass in quick proto tcp from any to xxx.xxx.64.90/32 port = xx keep state group 200
@21 pass in quick proto udp from any to xxx.xxx.64.90/32 port xx >< xx keep state group 200
@22 pass in quick proto udp from any to xxx.xxx.64.93/32 port xx >< xx keep state group 200
@23 pass in quick proto tcp from any to xxx.xxx.64.93/32 port = 80 keep state group 200
@24 pass in quick proto tcp from any to xxx.xxx.64.93/32 port = 443 keep state group 200
@25 pass in quick proto udp from any to xxx.xxx.64.93/32 port xx >< xx keep state group 200
@26 pass in quick proto tcp from any to xxx.xxx.64.93/32 port = xx keep state group 200
@27 pass in quick proto tcp from any to xxx.xxx.64.93/32 port = xx keep state group 200
@28 pass in quick proto icmp from any to xxx.0.0.0/8 icmp-type echo keep state group 200
@29 pass in quick from any to xxx.xxx.64.94/32 keep state group 200
@30 block in log first quick from any to any group 200
@14 block in log quick from any to any


I've already tried to allow fragmented packets but that did not make a difference.
I've tried monowall 1.233-1.235.
« Last Edit: September 16, 2008, 08:58:41 by linuxamp »
« Reply #1 on: September 16, 2008, 09:09:32 »
linuxamp
Guest

I found the problem.  It was a misconfiguration on my part.  I set up the LAN as /8 when it should have been /29.  The failed IP had the same first octet, so the return route was not trying to use the gateway.

Doh!
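Added example, not part of the original thread: a small model of what the /8 mask does, written by the editor. Two things on the page point the same way. With a LAN of xxx.0.0.0/8, any remote client whose address starts with the same first octet (xxx.xxx.133.206 in the log) is treated as directly attached, so the server's replies never go to the gateway; and the firewall's own anti-spoof rule "@6 block in log quick on ng0 from xxx.0.0.0/8 to any" matches that client's SYN on the WAN interface, which is consistent with the logged "@0:6 b ... IN". The addresses below are constructed documentation-range placeholders standing in for the masked xxx values; the function names are the editor's, not m0n0wall's.

```python
"""
Model of the /8-versus-/29 LAN mask mistake from the thread above.

Constructed stand-ins (the thread masks real prefixes as xxx):
  203.0.113.89    firewall LAN address      (stands in for xxx.xxx.64.89)
  203.0.133.206   client on the other ISP   (stands in for xxx.xxx.133.206)
  198.51.100.7    a client that worked      (different first octet)
"""
import ipaddress

LAN_GATEWAY = ipaddress.ip_address("203.0.113.89")
REMOTE_CLIENT = ipaddress.ip_address("203.0.133.206")
WORKING_CLIENT = ipaddress.ip_address("198.51.100.7")


def next_hop(dst, lan_cidr, default_gw):
    """How a server configured with lan_cidr forwards a reply to dst.

    Returns 'direct' when dst falls inside the interface's own subnet, meaning
    the host will ARP for it instead of handing the packet to default_gw.
    """
    net = ipaddress.ip_network(lan_cidr, strict=False)
    return "direct" if dst in net else f"via {default_gw}"


def antispoof_blocks(src, lan_cidr):
    """Model of '@6 block in log quick on ng0 from <LAN net> to any'.

    True when a packet arriving on the WAN side from src carries a source
    address inside the configured LAN network and is therefore dropped.
    """
    return src in ipaddress.ip_network(lan_cidr, strict=False)


def diagnose(client, lan_cidr, gw=LAN_GATEWAY):
    """Summarise both effects of a given LAN mask for one remote client."""
    return {
        "lan_network": str(ipaddress.ip_network(lan_cidr, strict=False)),
        "reply_path": next_hop(client, lan_cidr, gw),
        "dropped_by_antispoof": antispoof_blocks(client, lan_cidr),
    }


if __name__ == "__main__":
    for mask in ("/8", "/29"):
        cidr = f"{LAN_GATEWAY}{mask}"
        print(cidr, "remote :", diagnose(REMOTE_CLIENT, cidr))
        print(cidr, "working:", diagnose(WORKING_CLIENT, cidr))
```

With the /8 the remote client is "direct" and is also dropped by the anti-spoof rule; with the /29 it is routed via the gateway and passes to the group-200 rules, while the client from a different first octet is unaffected either way. The same check is worth running against any LAN mask before assuming a block rule is misfiring: if a remote address falls inside your own interface network, the problem is the mask, not the rules.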