Topic: Rule does not match, packets are blocked by default rule
« on: December 03, 2008, 18:58:38 »
ineedhelp *
Posts: 6

Hi,

I set up some server NAT rules. Most of them work fine. The last one (and the only UDP rule I use) does not work.

Here is my setup:

Location B -- NAT-Router -- Internet -- Router -- DMZ -- m0n0wall -- Internal Network (Location A)
192.168.0.5                                                    1.2.3.4                      10.0.0.5


At location B there's a device (IP 192.168.0.5) trying to send UDP packets to DMZ address 1.2.3.4, which
is NATed to 10.0.0.5 on the internal network at location A.

I set up proxy ARP for 1.2.3.4, a server NAT rule for UDP port 30000, and checked the box "create firewall rule".

...
<rule>
  <external-address>1.2.3.4</external-address>
  <protocol>udp</protocol>
  <external-port>30000-30001</external-port>
  <target>10.0.0.5</target>
  <local-port>30000</local-port>
  <interface>wan</interface>
  <descr>test</descr>
</rule>
...
<rule>
  <type>pass</type>
  <interface>wan</interface>
  <protocol>udp</protocol>
  <source>
    <any />
  </source>
  <destination>
    <address>10.0.0.5</address>
    <port>30000-30001</port>
  </destination>
  <descr>NAT test</descr>
</rule>
...
<servernat>
  <ipaddr>1.2.3.4</ipaddr>
  <descr>DMZ_1234</descr>
</servernat>
...

When I look into the logs the packets show up like this:
 X  time  WAN 11.22.33.44, port 1234  10.0.0.5, port 30000  UDP
(where 11.22.33.44 is the dynamic IP of location B)

Why are these packets blocked? There's a rule allowing exactly that.

I have no blocking rules. Even if I put a rule at the bottom of my ruleset saying "allow any protocol, any source,
any destination", the packets are still blocked.

What am i doing wrong?


I would be happy if someone could give me a tip...


Regards

Matthias


Hi,

I've switched on raw logs and found lots of lines like this one:
07:30:01.374562 bge1 @0:13 b 11.22.33.44,30000 -> 1.2.3.4,30000 PR udp len 20 38 IN bad

Does no one have any hints?

Regards

Matthias
« Last Edit: December 04, 2008, 08:32:05 by ineedhelp »
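The raw log line quoted above packs the rule number (@group:rule), the action, the pre- or post-NAT addresses and any trailing flags into one record, which is tedious to read by eye across many lines. The following Python is an added example written for this thread, not code from m0n0wall or from the poster. It parses lines in the format shown, cross-references the logged destination against the posted server NAT entry (external address 1.2.3.4, UDP 30000-30001, target 10.0.0.5), and counts blocks per rule. The `ServerNat` class, its field names and all sample lines other than the first are this example's own constructions; trailing words such as `bad` are kept as flags without interpretation.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# ipmon-style raw log line as shown in the post:
#   <time> <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport>
#   PR <proto> len <hdrlen> <totlen> [tcpflags] <IN|OUT> [flags...]
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bpnLS])\s+"           # 'b' = block and 'p' = pass are the ones used here
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+(?P<tcpflags>-\S+))?\s+"    # e.g. "-S" on TCP lines, absent for UDP
    r"(?P<direction>IN|OUT)"
    r"(?P<flags>(?:\s+\S+)*)\s*$"
)


@dataclass
class LogEntry:
    time: str
    iface: str
    group: int
    rule: int
    action: str          # single-letter action from the log: 'b' block, 'p' pass, ...
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    hlen: int            # IP header length in bytes
    tlen: int            # total IP length in bytes
    direction: str       # 'IN' or 'OUT'
    flags: List[str]     # trailing words kept verbatim, e.g. ['bad'] or ['K-S']


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one raw log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return LogEntry(
        time=g["time"], iface=g["iface"],
        group=int(g["group"]), rule=int(g["rule"]), action=g["action"],
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        proto=g["proto"].lower(), hlen=int(g["hlen"]), tlen=int(g["tlen"]),
        direction=g["direction"], flags=g["flags"].split(),
    )


@dataclass
class ServerNat:
    """The fields of the posted server NAT <rule>; this class is the example's own."""
    external_address: str
    protocol: str
    external_ports: range   # range(30000, 30002) for the posted 30000-30001
    target: str
    local_port: int         # first local port; the rest follow in order

    def target_ports(self) -> range:
        return range(self.local_port, self.local_port + len(self.external_ports))


def classify_destination(entry: LogEntry, nat: ServerNat) -> str:
    """Say whether a logged destination is the NAT's external (pre-NAT) address,
    its target (post-NAT) address, or unrelated to this NAT entry."""
    if entry.proto != nat.protocol.lower():
        return "unrelated"
    if entry.dst == nat.external_address and entry.dport in nat.external_ports:
        return "external"
    if entry.dst == nat.target and entry.dport in nat.target_ports():
        return "target"
    return "unrelated"


def blocks_per_rule(lines: Iterable[str]) -> Dict[Tuple[int, int], int]:
    """Count blocked packets per (group, rule), i.e. per '@0:13'-style tag."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e is not None and e.action == "b":
            counts[(e.group, e.rule)] += 1
    return dict(counts)


# Constructed sample log. The first line is the one quoted in the post; the
# others are made up in the same format to exercise pass, TCP and junk lines.
SAMPLE_LOG = [
    "07:30:01.374562 bge1 @0:13 b 11.22.33.44,30000 -> 1.2.3.4,30000 PR udp len 20 38 IN bad",
    "07:30:01.374980 bge1 @0:13 b 11.22.33.44,30001 -> 1.2.3.4,30001 PR udp len 20 38 IN bad",
    "07:30:02.001122 bge1 @0:9 p 11.22.33.44,1234 -> 10.0.0.5,30000 PR udp len 20 38 IN K-S",
    "07:30:03.555555 bge1 @0:7 b 5.6.7.8,44321 -> 1.2.3.4,22 PR tcp len 20 60 -S IN",
    "this line is not a raw firewall log record",
]

# The server NAT entry as posted (values from the thread, class is the example's own).
POSTED_NAT = ServerNat(
    external_address="1.2.3.4", protocol="udp",
    external_ports=range(30000, 30002), target="10.0.0.5", local_port=30000,
)

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        e = parse_line(raw)
        if e is None:
            print(f"skipped: {raw!r}")
            continue
        print(f"@{e.group}:{e.rule} {e.action} {e.proto} {e.src}:{e.sport} -> "
              f"{e.dst}:{e.dport} [{classify_destination(e, POSTED_NAT)}] flags={e.flags}")
    print("blocks per rule:", blocks_per_rule(SAMPLE_LOG))
```

Run it against a captured raw log instead of `SAMPLE_LOG` to see which rule number is doing the blocking and whether the logged destination is still the external address or already the NAT target; that distinction is what lets you compare the raw log with the destination shown in the GUI log.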
« Reply #1 on: December 16, 2008, 22:23:25 »
COMON$ *
Posts: 5

If it helps, you are not alone here. My m0n0wall's default rule is overriding my user-defined rules as well. What version are you running? Maybe we need to downgrade.
When I check my logs, my rules state the traffic is being allowed through, then the very next log entry says it was blocked, evidently by the default rule. I am not even going out the WAN interface. Such a letdown; m0n0wall used to be a great appliance, and still is I guess, as long as you don't use it as a firewall...
« Reply #2 on: December 17, 2008, 05:36:33 »
knightmb ****
Posts: 341

What version are you both using? I've got a dozen UDP based rules and everything works fine on mine, never had it block anything that I told it to allow through, either inbound or outbound.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #3 on: December 17, 2008, 16:48:57 »
COMON$ *
Posts: 5

I fixed my issue. It appears that if you route traffic through the same interface, e.g. with a static route from LAN1 to LAN1, then m0n0wall ignores your custom rules and just uses the default ones. If you go to General -> Advanced you can have the interface ignore this behavior, which should be off by default. I would love to hear the m0n0wall group's explanation of why this is not off by default.
If this is the case here, then just disable the rule checking on local interfaces found in General -> Advanced. Really disappointed with the m0n0wall devs here on an otherwise phenomenal product.
« Reply #4 on: December 22, 2008, 17:25:19 »
knightmb ****
Posts: 341

Quite simply, for security reasons. I can think of a dozen ways a hacker could abuse this. A stealthy, and thus unregulated, sub-intranet comes to mind. Many others follow if you put your imagination to "why".

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #5 on: December 30, 2008, 11:15:48 »
ineedhelp *
Posts: 6

Hi,

I use version 1.3b15 and it doesn't work. If I put the same rule in version 1.232 it works. I don't know why...

Regards
