m0n0wall is a router/firewall distribution based on FreeBSD. It is designed to run on both the embedded computers made by soekris and PC Engines. The configuration is all stored in PHP, and boots off a CDROM, HDD or CF card.
Well, after doing other things for a while, I found out what caused my weirdness with m0n0wall 1.0 Because I had my linux box acting as firewall and server, the firewall script assumed that only local IPs would come in eth0, and only non-private IPs would be coming in on eth1. Reasonable.... but when I put the m0n0wall box in front, all traffic started arriving at the linux box eth0, which was set to drop anything not from 10.27.0.0/24
Here's some pictures of my m0n0wall box, as requested.
Pictures are out of date - the socket 370 board shown was 99% okay, but that 1% dodgyness didn't help. So now the hardware is a PII at 266 MHz with 192 Mb ram. There are three 3com PCI NICs, a single ISA 3com NIC for the WAN side, and a wireless PCMCIA card.
Made some good progress thanks to the list and #wlug on undernet and #m0n0wall on freenet.
I have changed some things - here's the updated screen shots...Firewall: NAT
This is what I get if I nmap and ping from the internet side of m0n0wall...
socks:~# ping criggie.dyndns.org PING criggie.dyndns.org (220.127.116.11): 56 data bytes 64 bytes from 18.104.22.168: icmp_seq=0 ttl=62 time=20.2 ms 64 bytes from 22.214.171.124: icmp_seq=1 ttl=62 time=22.8 ms 64 bytes from 126.96.36.199: icmp_seq=2 ttl=62 time=22.7 ms --- criggie.dyndns.org ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 20.2/21.9/22.8 ms socks:~# nmap -O criggie.dyndns.org Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-26 13:13 NZST Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1659 scanned ports on criggie.dyndns.org (188.8.131.52) are: filtered Too many fingerprints match this host to give specific OS details Nmap run completed -- 1 IP address (1 host up) scanned in 84.605 seconds
Fred Wright suggested running tcpdump on the internal linux box, which shows traffic as expected. Therefore my m0n0wall box is NATting traffic in from the WAN to the LAN. However the client out in the internet never sees anything back. Here's the output from tcpdump when I try to get http://criggie.dyndns.org/ from my work.
12:41:15.172461 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840
(DF) [tos 0x10] 12:41:18.165858 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840 (DF) [tos 0x10]
Gidday all. I'm new to m0n0wall, and have it working fine in every respect but one.
I have a web server at 10.27.1.2, which I want the world to access from http://criggie.dyndns.org/ 184.108.40.206
I have a NAT line that says:Firewall: NAT
I have a firewall rule that was automatically created when I added the above NAT line.Firewall: Rules
Now, the truly strange thing is that from an internal IP I can connect to port 80 on 220.127.116.11. I can't connect to port 80 from any real-world IPs
So I added some logging... I now see this in the logs when attempting to connect to port 80 from work (18.104.22.168)
00:22:27.902608 xl1 @200:1 p 22.214.171.124,2066 -> 10.27.1.2,80 PR tcp len 20 60 -S K-S OUT 00:22:27.902566 xl0 @200:1 p 126.96.36.199,2066 -> 10.27.1.2,80 PR tcp len 20 60 -S K-S INDiagnostics System Logs
I can't see where I'm going wrong... Its not obvious where the problem lies at all.
Possibly related - I can ping my firewall from the LAN but not the WAN side... Is this correct? ANSWER no, you need to allow ICMP if you want to ping the firewall. This can be done separately for each interface. After testing is complete you might want to disable WAN ICMP responses, but then again maybe not.
Here's three more screen captures:Interfaces LAN
This file last modified Wednesday May 31, 2006
If you find something here useful, feel free to donate bitcoin: Donations address: 14LHst9s1UEh8NMem87qaEd9tJWSCiNt1x.