Weird firewall behavior



  • Hello,
    First thing I want is to thank all of you for the wonderful work done on 2.0
    I am implementing a new complex configuration at home based on 2.0, this scenario had not been tested with 1.2.3, I don't know if it's a bug or normal behavior.
    From this scenario, I will try to block packets from a host, it will seem illogical to do that but I repeat, it's only for pointing out the strange thing happening.

    Here is the topology (two pfs, one on home1, one on home2):

    |                                                                            |                                                        |
        Home1Wan (static ip)                                        Home2Wan1 (dynamic ip, proxy only)      Home2Wan2 (dynamic ip, default gw)
        OpenVPN Server (TCP)–-----------|Tun|--------------OpenVPN Client (TCP)

    Home1Lan:10.241.0.0/24
    Home2Lan:10.241.2.0/24

    On Home1, I have the following port forwarding rule which forwards all http traffic to 10.241.2.8 which is on home2, through the VPN tunnel.
    WAN1 TCP * * WAN1 address 80 (HTTP) 10.241.2.8 80 (HTTP)

    The requests are reaching 10.241.2.8, this can bee seen from the packet capture on Home2Lan:
    21:53:49.290180 IP 198.18.6.217.1395 > 10.241.2.8.80: tcp 0
    21:53:49.292333 IP 10.241.2.8.80 > 198.18.6.217.1395: tcp 0

    And also on the Home2Wan2 - which is default gateway (actually the packet will never make it back but that's not the point now):
    21:53:56.627710 IP 10.241.2.8.80 > 198.18.6.217.1395: tcp 0

    Now, I want to BLOCK 10.241.2.8 to respond to queries on port 80, so I added a firewall rule like this to block host on Home2Lan, and also log it:
    TCP 10.241.2.8 80 (HTTP) * * * none

    Doing capture again on Home2Wan2, nothing changed - host responds even if the fw says no:
    21:57:51.627710 IP 10.241.2.8.80 > 198.18.6.217.1396: tcp 0

    There is nothing in logs, as if the packet never arrived on Home2Lan interface.
    I have also removed all rules from Home2Lan interface, leaving default deny, nothing changed, host still respond. From the 10.241.2.8 local console, the rules are working (no access, everywhere)

    What I really want to accomplish is having a web server replying on two different IP's on different sites.
    What I had in mind is to mark packets in the forwarding firewall rule and route them back based on marking.
    Unfortunately, there is no way to identify the packet because it does not appear anywhere, I tried on all interfaces with logging rules, the packet can only be seen by traffic capture.

    Hope on a workaround or advice


Log in to reply