criggie.org.nz

m0n0wall

m0n0wall is a router/firewall distribution based on FreeBSD. It is designed to run on the embedded computers made by both Soekris and PC Engines. The configuration is all stored in PHP, and it boots off a CDROM, HDD or CF card.


links

  • m0n0wall homepage
  • Tom's Hardware info and review on m0n0wall Part 1 and Part 2
  • Captive Portal review at TomsHardware
  • dmesg output from my working m0n0wall
  • pfSense homepage: pfSense is a fork of m0n0wall, allowing package install and better traffic shaping. Requires more snot though.
  • pfSense developer's blog: worth watching periodically.
  • pfSense bug reports homepage

  • m0n0wall problem

    2004-09-12 Who's an iddjit?

    Well, after doing other things for a while, I found out what caused my weirdness with m0n0wall 1.0. Because I had my Linux box acting as firewall and server, the firewall script assumed that only local IPs would come in on eth0, and only non-private IPs would be coming in on eth1. Reasonable.... but when I put the m0n0wall box in front, all traffic started arriving at the Linux box's eth0, which was set to drop anything not from 10.27.0.0/24.
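    The entry above describes an interface-based anti-spoofing check that stopped being valid once another NAT device was put in front of the box. The following Python model is an added illustration, not the author's actual firewall script: the rule representation, the function names, the assumed fix and the sample packets are all my assumptions; only the addresses 10.27.0.0/24 and 202.0.37.196 come from the page. It shows why the forwarded request was dropped under the original assumption and how a corrected policy admits only the published service while still defaulting to drop.

```python
"""Model of the interface-based source check described in the entry above.

Added illustration, not the author's firewall script: rule format, function
names, the corrected policy and the sample packets are assumptions.
"""
import ipaddress


def rule(action, iface=None, src=None, dport=None):
    """Build one rule; None means 'any' for that field."""
    return {
        "action": action,
        "iface": iface,
        "src": ipaddress.ip_network(src) if src else None,
        "dport": dport,
    }


def matches(r, pkt):
    """True when every constrained field of the rule matches the packet."""
    if r["iface"] is not None and r["iface"] != pkt["iface"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """First-match evaluation with an implicit default drop."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "drop"


# The script's original assumption: everything on eth0 is the local LAN, so
# any other source seen on eth0 must be spoofed and is dropped.
OLD_POLICY = [
    rule("accept", iface="eth0", src="10.27.0.0/24"),
    rule("drop", iface="eth0"),             # anything else arriving on eth0
    rule("accept", iface="eth1", dport=80), # public side before m0n0wall existed
]

# Once m0n0wall sits in front, eth0 also carries forwarded Internet traffic
# whose source is the real client address.  An assumed corrected policy keeps
# the LAN rule, admits only the published service from other sources, and
# still drops everything else on eth0.
NEW_POLICY = [
    rule("accept", iface="eth0", src="10.27.0.0/24"),
    rule("accept", iface="eth0", dport=80),
    rule("drop", iface="eth0"),
]

# Constructed packets: a LAN client, the forwarded request from work, and a
# forwarded probe to a port that is not published.
FORWARDED_HTTP = {"iface": "eth0", "src": "202.0.37.196", "dport": 80}
LAN_CLIENT = {"iface": "eth0", "src": "10.27.0.5", "dport": 80}
FORWARDED_SSH = {"iface": "eth0", "src": "202.0.37.196", "dport": 22}


def compare(pkt):
    """Verdict for one packet under each policy."""
    return {"old": evaluate(OLD_POLICY, pkt), "new": evaluate(NEW_POLICY, pkt)}


if __name__ == "__main__":
    for name, pkt in [("forwarded http", FORWARDED_HTTP),
                      ("lan client", LAN_CLIENT),
                      ("forwarded ssh", FORWARDED_SSH)]:
        print(f"{name:15s} {compare(pkt)}")
```

    The point of the corrected policy is that the trust decision moves from "which interface did it arrive on" to "which service is it for": the forwarded HTTP request is accepted, the LAN client is unchanged, and a forwarded probe to an unpublished port is still dropped.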

    2004-05-28 10:34:14

    Here are some pictures of my m0n0wall box, as requested.


    Pictures are out of date - the Socket 370 board shown was 99% okay, but that 1% dodginess didn't help. So now the hardware is a PII at 266 MHz with 192 MB RAM. There are three 3Com PCI NICs, a single ISA 3Com NIC for the WAN side, and a wireless PCMCIA card.

    2004-05-26 13:15

    Made some good progress thanks to the list and #wlug on undernet and #m0n0wall on freenet.

    I have changed some things - here are the updated screen shots...

    [Screenshot: Firewall: NAT]
    [Screenshot: Firewall: NAT Outbound]
    [Screenshot: Firewall: Rules]
    [Screenshot: Firewall: Aliases]

    This is what I get if I nmap and ping from the Internet side of m0n0wall...

    socks:~# ping criggie.dyndns.org
    PING criggie.dyndns.org (202.0.42.116): 56 data bytes
    64 bytes from 202.0.42.116: icmp_seq=0 ttl=62 time=20.2 ms
    64 bytes from 202.0.42.116: icmp_seq=1 ttl=62 time=22.8 ms
    64 bytes from 202.0.42.116: icmp_seq=2 ttl=62 time=22.7 ms
    
    --- criggie.dyndns.org ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 20.2/21.9/22.8 ms
    
    socks:~# nmap -O criggie.dyndns.org
    
    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-26 13:13 NZST
    Warning:  OS detection will be MUCH less reliable because we did not find at
    least 1 open and 1 closed TCP port
    All 1659 scanned ports on criggie.dyndns.org (202.0.42.116) are: filtered
    Too many fingerprints match this host to give specific OS details
    
    Nmap run completed -- 1 IP address (1 host up) scanned in 84.605 seconds
    

    Fred Wright suggested running tcpdump on the internal linux box, which shows traffic as expected. Therefore my m0n0wall box is NATting traffic in from the WAN to the LAN. However the client out in the internet never sees anything back. Here's the output from tcpdump when I try to get http://criggie.dyndns.org/ from my work.

    12:41:15.172461 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840  (DF) [tos 0x10]
    12:41:18.165858 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840  (DF) [tos 0x10]
    

    2004-05-26 01:00

    Gidday all. I'm new to m0n0wall, and have it working fine in every respect but one.

    I have a web server at 10.27.1.2, which I want the world to access from http://criggie.dyndns.org/ (202.0.42.116).

    I have a NAT line that says:

    [Screenshot: Firewall: NAT]

    I have a firewall rule that was automatically created when I added the above NAT line.

    [Screenshot: Firewall: Rules]

    Now, the truly strange thing is that from an internal IP I can connect to port 80 on 202.0.42.116. I can't connect to port 80 from any real-world IPs.

    So I added some logging... I now see this in the logs when attempting to connect to port 80 from work (202.0.37.196):

    00:22:27.902608 xl1 @200:1 p 202.0.37.196,2066 -> 10.27.1.2,80 PR tcp len 20 60 -S K-S OUT
    00:22:27.902566 xl0 @200:1 p 202.0.37.196,2066 -> 10.27.1.2,80 PR tcp len 20 60 -S K-S IN
    
    [Screenshot: Diagnostics: System Logs]

    I can't see where I'm going wrong... It's not obvious where the problem lies at all.

    Possibly related - I can ping my firewall from the LAN but not the WAN side... Is this correct? ANSWER: No, you need to allow ICMP if you want to ping the firewall. This can be done separately for each interface. After testing is complete you might want to disable WAN ICMP responses, but then again maybe not.

    Here are three more screen captures:

    [Screenshot: Interfaces: LAN]
    [Screenshot: Interfaces: WAN]
    [Screenshot: Status: Interfaces]
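    The two captures quoted on this page (the ipmon lines in the entry just above and the tcpdump lines in the 13:15 entry) already contain the answer if they are read together. The following Python script is an added example, not code from the original post: the log lines are copied from the page, while the function names and the "forwarded" / "unanswered" classifications are my own way of reading them. The ipfilter pair (passed IN on xl0, passed OUT on xl1, destination already rewritten to 10.27.1.2, which is consistent with IPFilter applying rdr before the filter rules on input) shows m0n0wall forwarded the translated packet; the tcpdump pair shows the same SYN, same sequence number, retransmitted with nothing coming back. Together they place the fault downstream of m0n0wall, which is what the 2004-09-12 entry eventually confirms.

```python
"""Parse the ipmon and tcpdump lines quoted on this page and classify them.

Added example, not part of the original post.  Log lines are copied from the
page; function names and verdict wording are assumptions.
"""
import re
from collections import defaultdict

# ipmon-style lines as shown in the 2004-05-26 01:00 entry (copied from page).
IPF_LOG = """\
00:22:27.902608 xl1 @200:1 p 202.0.37.196,2066 -> 10.27.1.2,80 PR tcp len 20 60 -S K-S OUT
00:22:27.902566 xl0 @200:1 p 202.0.37.196,2066 -> 10.27.1.2,80 PR tcp len 20 60 -S K-S IN
"""

# tcpdump lines as shown in the 2004-05-26 13:15 entry (copied from page).
TCPDUMP = """\
12:41:15.172461 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840  (DF) [tos 0x10]
12:41:18.165858 smtp.avonside.school.nz.2110 > caffeine.criggie.dyndns.org.www: S 2844394660:2844394660(0) win 5840  (DF) [tos 0x10]
"""

# time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [flags...] DIR
IPF_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?P<rest>.*?)\s+(?P<dir>IN|OUT)$"
)

# time src > dst: FLAGS seq:end(len) ...   (old tcpdump 3.x layout)
TD_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRPU.]+)\s+"
    r"(?P<seq>\d+):\d+\(\d+\)"
)


def parse_ipf(text):
    """Return one dict per ipmon line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = IPF_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["flags"] = rec.pop("rest").split()   # e.g. ['-S', 'K-S']
            records.append(rec)
    return records


def flow_verdict(records):
    """Per 5-tuple: was the packet passed on input and again on output?"""
    flows = defaultdict(dict)
    for r in records:
        key = (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
        flows[key][r["dir"]] = r["action"]
    verdicts = {}
    for key, dirs in flows.items():
        passed_in = dirs.get("IN") == "p"
        passed_out = dirs.get("OUT") == "p"
        if passed_in and passed_out:
            verdicts[key] = "forwarded"          # firewall did its job
        elif passed_in:
            verdicts[key] = "passed in, not seen out"
        else:
            verdicts[key] = "blocked or not logged on input"
    return verdicts


def parse_tcpdump(text):
    """Return one dict per tcpdump line that matches the TCP layout above."""
    return [m.groupdict() for line in text.splitlines()
            if (m := TD_RE.match(line.strip()))]


def unanswered_syns(pkts):
    """SYNs retransmitted with the same seq while nothing came back."""
    seen_pairs = {(p["src"], p["dst"]) for p in pkts}
    syns = defaultdict(int)
    for p in pkts:
        if p["flags"] == "S":                    # bare SYN, not SYN-ACK
            syns[(p["src"], p["dst"], p["seq"])] += 1
    return {k: n for k, n in syns.items()
            if n > 1 and (k[1], k[0]) not in seen_pairs}


if __name__ == "__main__":
    for flow, verdict in flow_verdict(parse_ipf(IPF_LOG)).items():
        print("ipfilter:", flow, "->", verdict)
    for (src, dst, seq), n in unanswered_syns(parse_tcpdump(TCPDUMP)).items():
        print(f"tcpdump: {n} unanswered SYNs {src} -> {dst} seq {seq}")
```

    Run on the lines from the page, the ipfilter flow comes back as "forwarded" and the tcpdump shows two unanswered SYNs with the same sequence number; the same two functions applied to a longer capture would flag exactly the flows worth chasing on the inside host.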


    This file last modified Wednesday May 31, 2006