 From:  "Paul Taylor" <PaulTaylor at winn dash dixie dot com>
 To:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>, "Falcor" <falcor at netassassin dot com>
 Cc:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Wed, 6 Feb 2008 11:28:32 -0500
Tonix,

	I think what Falcor was trying to say was that Monowall handles
inbound and outbound rules in terms of the entire box, not the
individual interface.  

	Perhaps there is an easier way to do what you are looking to
do...  Let's look at your example again

>Please set up this filter with the minimum rules possible. This is a 
>very simple network, so it is not a personal case.
>
>    Interface A: sub-net, no NAT
>    Interface B: sub-net, no NAT
>    Interface C: sub-net, no NAT
>    Interface D, sub-net, no NAT
>    Interface E, sub-net, no NAT

>None can access sub-LANs in A, B, C, D.
>Anyone can access any port 80 in interface E.

Let's say there is one more interface, WAN.  To make it more realistic,
let's give some IP addresses to their subnets.

A: 192.168.100.0/24
B: 192.168.101.0/24
C: 192.168.102.0/24
D: 192.168.103.0/24
E: 192.168.104.0/24

To do what you want in this scenario:
Rule #1 on A: Permit dst net 192.168.104.0/24 dst port 80
Rule #2 on A: Deny dst net 192.168.0.0/16 dst protocol any
Rule #3 on A: Permit any to any

Repeat those rules on B, C, and D and I think that does it.  (Interface
E would not need any rules if it is only supposed to reply to devices
that started talking to it.)  All devices on each subnet would be able
to reach the Internet and web servers on Interface E, but not every
other subnet.

What you are asking for is a major change in the way Monowall works
today.  Monowall is a stateful firewall, so it tracks all of the
outbound traffic and lets replies to that traffic come back in.  Having
the ability to set rules as both inbound and outbound would (I believe)
add a major layer of complexity.

Paul
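As an added illustration (not part of Paul's mail or of m0n0wall's own code), here is a small Python model of the three per-interface rules above under the first-match, stateful behaviour the mail describes. The subnets are the ones given in the mail; the `Rule` and `StatefulFirewall` names, the flow tuple used for the state table and the sample hosts are assumptions. It also goes one step beyond the mail by showing that the rule order matters: with Rule #2 ahead of Rule #1, the web servers on E become unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example modelling the rule set from the mail; the subnets
# are the mail's, the evaluator itself is an assumption (not m0n0wall code).
E_NET = ipaddress.ip_network("192.168.104.0/24")      # interface E
ALL_LOCAL = ipaddress.ip_network("192.168.0.0/16")     # covers A..E
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    dst_net: ipaddress.IPv4Network       # destination network to match
    dst_port: Optional[int] = None       # None matches any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(dst_ip) in self.dst_net
        return in_net and (self.dst_port is None or self.dst_port == dst_port)

# Rules 1-3 from the mail, applied identically on interfaces A, B, C and D.
LAN_RULES = [
    Rule("permit", E_NET, 80),   # Rule #1: web servers on E
    Rule("deny", ALL_LOCAL),     # Rule #2: every other local subnet
    Rule("permit", ANY),         # Rule #3: the Internet
]

def evaluate(rules, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Per-interface inbound rules plus a state table for return traffic."""
    def __init__(self, rules_by_iface):
        self.rules = rules_by_iface
        self.states = set()          # (src, sport, dst, dport) of permitted flows

    def inbound(self, iface: str, src: str, sport: int, dst: str, dport: int) -> str:
        # A reply to a tracked flow passes on state alone, so E needs no rules.
        if (dst, dport, src, sport) in self.states:
            return "permit"
        action = evaluate(self.rules.get(iface, []), dst, dport)
        if action == "permit":
            self.states.add((src, sport, dst, dport))
        return action
```

A host on A reaching a web server on E creates state, the server's reply enters on E with no rules configured there, and an unsolicited packet from E with no matching state falls to the default deny.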