Topic: ipfilter rules appear to be in the wrong order  (Read 2247 times)
« on: December 13, 2011, 06:56:01 »
moriartynz
Posts: 2

Hi all

I recently upgraded to m0n0wall 1.33 on a Soekris 4801. I then set up some new firewall rules. However, it appears that the default block rule sets:
#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on vr0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on vr1 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr1 all keep state
      
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on vr2 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr2 all keep state

# always pass outgoing IPsec encapsulated packets
pass out quick on enc0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 10.10.1.0/24 to 10.10.1.1 keep state group 100


are being actioned ahead of the user-defined rules, which appear further down:
# User-defined rules follow
pass in quick proto tcp from any to 10.10.1.100 port = 3000 keep state group 200
This appears to be confirmed by the logs, which show the default rule:
@40 block in log quick on vr1 all head 200
is being called instead of the user-defined rule:
# Group 200
...
@3 pass in quick proto tcp from any to 10.10.1.100/32 port = 3000 keep state group 200
...
as evidenced by the following log entries:
Dec 13 18:32:06 soekakl ipmon[118]: 18:32:05.094873 vr1 @0:40 b 118.208.146.229,58524 -> 119.224.138.169,3000 PR tcp len 20 52 -S IN
Dec 13 18:32:06 soekakl ipmon[118]: 18:32:05.348124 vr1 @0:40 b 118.208.146.229,58526 -> 119.224.138.169,3000 PR tcp len 20 52 -S IN

Any ideas on how to get the default block rule to operate only if the user-defined rule is not met?
Thanks in advance
Regards
Mark
« Reply #1 on: December 13, 2011, 08:05:02 »
Manuel Kasper
Administrator
Posts: 364

The rule order is fine; m0n0wall uses the head/group feature of ipfilter, which basically means that all rules in a given group are processed when the corresponding 'head' is hit, but the actual 'head' rule action is executed only if no group members match.

The reason why your packets don't match your firewall rule is because the destination address doesn't match (10.10.1.100 vs. 119.224.138.169), which looks like something's wrong with the NAT configuration.

Perhaps if you post your full anonymized config (or at least the NAT/firewall rule bits), we might be able to figure out what exactly is wrong...
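The head/group behaviour described in the reply above, as an added illustration (this is not m0n0wall's or ipfilter's code): a toy Python evaluator for a small subset of ipf rule syntax, loaded with the rules quoted in the first post, run against two constructed packets. The first packet uses the untranslated WAN address from the log lines and is decided by the head rule; the second has the destination already rewritten to 10.10.1.100, as it would be after inbound NAT, and is decided by the group 200 member instead. All rules in this subset carry `quick`, so first match wins; non-quick last-match semantics and the default policy are not modelled.

```python
"""Toy model of ipfilter head/group evaluation (added example, not m0n0wall code).

When a packet matches a rule carrying `head N`, the rules tagged `group N` are
evaluated; if one of them matches, its action decides the packet. Only when no
group member matches does the head rule's own action apply.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Rules quoted in the original post (constructed subset for the simulator).
RULESET = """
block in log quick on vr0 all head 100
pass out quick on vr0 all keep state
block in log quick on vr1 all head 200
pass out quick on vr1 all keep state
pass in quick from 10.10.1.0/24 to 10.10.1.1 keep state group 100
pass in quick proto tcp from any to 10.10.1.100/32 port = 3000 keep state group 200
"""

@dataclass
class Packet:
    iface: str
    direction: str          # "in" or "out"
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str             # "pass" or "block"
    direction: str
    iface: Optional[str]
    proto: Optional[str]
    src: Optional[object]   # ip_network, or None for "any"/"all"
    dst: Optional[object]
    dport: Optional[int]
    head: Optional[int]     # group this rule hands off to, if any
    group: int              # group this rule belongs to (0 = top level)
    text: str

# Deliberately minimal grammar: action, direction, optional log/quick/on/proto,
# then either "all" or "from X to Y [port = N]", then optional keep state/head/group.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?:\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)"
    r"(?:\s+keep\s+state)?(?:\s+head\s+(?P<head>\d+))?(?:\s+group\s+(?P<group>\d+))?\s*$"
)

def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    def net(tok):
        return None if tok in (None, "any") else ip_network(tok, strict=False)
    return Rule(
        action=m["action"], direction=m["dir"], iface=m["iface"], proto=m["proto"],
        src=net(m["src"]), dst=net(m["dst"]),
        dport=int(m["dport"]) if m["dport"] else None,
        head=int(m["head"]) if m["head"] else None,
        group=int(m["group"]) if m["group"] else 0,
        text=text.strip(),
    )

def load_rules(config: str) -> List[Rule]:
    rules = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            rules.append(parse_rule(line))
    return rules

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet, group: int = 0) -> Optional[Rule]:
    """Return the rule whose action decides pkt, or None if nothing in this group matched."""
    for rule in (r for r in rules if r.group == group):
        if not matches(rule, pkt):
            continue
        if rule.head is not None:
            member = evaluate(rules, pkt, rule.head)
            if member is not None:
                return member       # a group member decided the packet
        return rule                 # head's own action (or an ordinary quick rule)
    return None

# Constructed packets based on the log lines in the post.
LOGGED_PACKET = Packet("vr1", "in", "tcp", "118.208.146.229", "119.224.138.169", 3000)
TRANSLATED_PACKET = Packet("vr1", "in", "tcp", "118.208.146.229", "10.10.1.100", 3000)

if __name__ == "__main__":
    rules = load_rules(RULESET)
    for pkt in (LOGGED_PACKET, TRANSLATED_PACKET):
        decision = evaluate(rules, pkt)
        print(f"{pkt.dst}:{pkt.dport} -> {decision.action} by: {decision.text}")
```

Running it shows the first packet blocked by the `head 200` rule, exactly as the `@0:40 b` log entries report, because no rule in group 200 matched an untranslated destination. The second packet, with the destination already translated to 10.10.1.100, is passed by the group 200 member, which is why Manuel points at the NAT configuration rather than at rule order.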
« Reply #2 on: December 13, 2011, 09:53:29 »
moriartynz
Posts: 2

Thanks Manuel

Once you pointed out that NAT was the problem, I immediately figured out why the rule was not being processed. I deleted the manually created rule and re-created the NAT rule and ticked the box for auto-firewall rules. Works fine now, thanks.

Regards
Mark