I think what Falcor was trying to say was that Monowall handles
inbound and outbound rules in terms of the entire box, not the
Perhaps there is an easier way to do what you are looking to
do... Let's look at your example again
>Please set up this filter with the minimum rules possible. This is a
>very simple network, so it is not a personal case.
> Interface A: sub-net, no NAT
> Interface B: sub-net, no NAT
> Interface C: sub-net, no NAT
> Interface D: sub-net, no NAT
> Interface E: sub-net, no NAT
>None can access sub-lans in A,B,C,D.
>Anyone can access any port 80 in interface E.
Let's say there is one more interface, WAN. To make it more realistic,
let's give some IP addresses to their subnets.
To do what you want in this scenario:
Rule #1 on A: Permit dst net 192.168.104.0/24 dst port 80
Rule #2 on A: Deny dst net 192.168.0.0/16 dst protocol any
Rule #3 on A: Permit any to any
Repeat those rules on B, C, and D and I think that does it. (Interface
E would not need any rules if it is only supposed to reply to devices
that started talking to it.) All devices on each subnet would be able
to reach the Internet and web servers on Interface E, but not every
What you are asking for is a major change in the way Monowall works
today. Monowall is a stateful firewall, so it tracks all of the
outbound traffic and lets replies to that traffic come back in. Having
the ability to set rules as both inbound and outbound would (I believe)
add a major layer of complexity.
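The three-rule ordering suggested above, worked through as a small first-match evaluator so the intent can be checked before it is typed into the firewall. This is an added example, not code from the post or from m0n0wall; the subnet plan (E's web servers on 192.168.104.0/24, A through D as sibling /24s inside 192.168.0.0/16, the test addresses) is assumed, since the post only names those two networks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subnet plan (assumption, not from the post): E hosts the web
# servers on 192.168.104.0/24; A-D are sibling /24s inside 192.168.0.0/16.
NET_E_WEB = ipaddress.ip_network("192.168.104.0/24")
NET_ALL_LANS = ipaddress.ip_network("192.168.0.0/16")
NET_ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    dst_net: ipaddress.IPv4Network           # destination network to match
    dst_port: Optional[int] = None           # None means any port
    proto: Optional[str] = None              # None means any protocol


# The three rules from the post, in the order given, applied to traffic
# entering the firewall from interface A (first match wins).
RULES_ON_A = [
    Rule("permit", NET_E_WEB, dst_port=80),
    Rule("deny", NET_ALL_LANS),
    Rule("permit", NET_ANY),
]


def evaluate(rules, dst_ip, dst_port, proto="tcp"):
    """Return the action of the first rule matching the packet.
    No match falls through to the implicit default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if ip not in rule.dst_net:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        return rule.action
    return "deny"


def check_policy(rules):
    """Check the post's three intents for a host on A (constructed addresses)."""
    return {
        "web_on_E": evaluate(rules, "192.168.104.10", 80),   # allowed
        "ssh_on_E": evaluate(rules, "192.168.104.10", 22),   # blocked by rule 2
        "host_on_B": evaluate(rules, "192.168.101.5", 80),   # blocked by rule 2
        "internet": evaluate(rules, "203.0.113.7", 443),     # allowed by rule 3
    }


def ordering_matters():
    """Swapping rules 1 and 2 shadows the web permit: the broad deny hits first."""
    swapped = [RULES_ON_A[1], RULES_ON_A[0], RULES_ON_A[2]]
    return evaluate(swapped, "192.168.104.10", 80)
```

Running check_policy against the rule set for B, C and D gives the same answers, which is why the post says the three rules can simply be repeated on each interface.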