 
 From:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>
 To:  Paul Taylor <PaulTaylor at winn dash dixie dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Wed, 06 Feb 2008 18:44:04 +0100
Paul Taylor wrote:
> Tonix,
>
> 	I think what Falcor was trying to say was that Monowall handles
> inbound and outbound rules in terms of the entire box, not the
> individual interface.  
>
> 	Perhaps there is an easier way to do what you are looking to
> do...  Let's look at your example again
>
>   
>> Please set up this filter with the minimum rules possible. This is a 
>> very simple network, so it is not a personal case.
>>
>>    Interface A: sub-net, no NAT
>>    Interface B: sub-net, no NAT
>>    Interface C: sub-net, no NAT
>>    Interface D, sub-net, no NAT
>>    Interface E, sub-net, no NAT
>>     
>
>   
>> None can access sub-lans in A,B,C,D.
>> Anyone can access any port 80 in interface E.
>>     
>
> Let's say there is one more interface, WAN.  To make it more realistic,
> let's give some IP addresses to these subnets.  
>
> A: 192.168.100.0/24
> B: 192.168.101.0/24
> C: 192.168.102.0/24
> D: 192.168.103.0/24
> E: 192.168.104.0/24
>
> To do what you want in this scenario:
> Rule #1 on A: Permit dst net 192.168.104.0/24 dst port 80
> Rule #2 on A: Deny dst net 192.168.0.0/16 dst protocol any
> Rule #3 on A: Permit any to any
>
> Repeat those rules on B, C, and D and I think that does it.  (Interface
> E would not need any rules if it is only supposed to reply to devices
> that started talking to it.)  All devices on each subnet would be able
> to reach the Internet and web servers on Interface E, but not every
> other subnet.
>   
With a check on outbound connections, you need only one rule on the 
outgoing interface, instead of the whole set for each incoming interface.
> What you are asking for is a major change in the way Monowall works
> today.  Monowall is a stateful firewall, so it tracks all of the
> outbound traffic and lets replies to that traffic come back in.  Having
> the ability to set rules as both inbound and outbound would (I believe)
> add a major layer of complexity.
>   
As far as I understand, ipfilter can also keep track of state on 
outgoing connections.
I am asking you to examine the possibility of changing the "default" logic; 
I feel it is something that could be easily added.

If you simply add the possibility of "reverting" the direction, all 
masks remain the same.

Moreover, if you accept some GUI changes, having only one page for rules 
would allow both incoming and outgoing rules, so you can greatly 
simplify complex situations:

Suppose you have WAN (usual), DMZ (some services opened for all), LAN1 
(open to LAN2), LAN2 (open to LAN1), LAN3 (closed to all)

    * deny any_prot incoming from any to private port any on WAN
    * deny any_prot outgoing from private to any port any on WAN
    * allow tcp outgoing from any to x.x.x.x port 80 on DMZ
    * allow tcp outgoing from any to y.y.y.y port 110 on DMZ
    * allow tcp outgoing from any to y.y.y.y port 25 on DMZ
    * allow tcp outgoing from y.y.y.y to any port 25 on WAN
    * allow tcp outgoing from any to 192.168.1.10 port 80 on LAN1
    * allow any_prot incoming from 192.168.1.0/24 to 192.168.2.0/24 port
      any on LAN1
    * allow any_prot incoming from 192.168.2.0/24 to 192.168.1.0/24 port
      any on LAN2

How many rules would you have to write to get the same result with 
the current monowall architecture, across five different rule pages?

Thanks,

Tonino
> Paul
>
>   


-- 
------------------------------------------------------------
        Inter@zioni            Interazioni di Antonio Nati 
   http://www.interazioni.it      tonix at interazioni dot it           
------------------------------------------------------------
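To make the rule count in the two layouts concrete, here is an added example (not m0n0wall or ipfilter code, and not written by anyone in this thread): a small Python model of first-match, per-interface rule evaluation over Paul's five subnets. `decide(..., check_outbound=False)` models today's inbound-only behaviour and is loaded with Paul's twelve rules; `check_outbound=True` models the proposal, where a packet must also pass the rules on the interface it leaves by, and is loaded with the port-80 rule written once on E. The same evaluator can be loaded with the later WAN/DMZ/LAN rule list, since `Rule` also takes a source network. Assumptions of the model: an interface/direction with no rules blocks (default deny), Paul's port-80 rule is treated as TCP as in Tonino's list, only the first packet of each connection is considered (state tracking and reply traffic are not modelled), and the sample flows, including the 198.51.100.20 and 203.0.113.4 addresses, are constructed.

```python
"""Constructed model of inbound-only vs inbound+outbound rule evaluation.
Added example; not m0n0wall or ipfilter code."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple

# Interface subnets from Paul's scenario; anything else is reached via WAN.
SUBNETS = {
    "A": ip_network("192.168.100.0/24"),
    "B": ip_network("192.168.101.0/24"),
    "C": ip_network("192.168.102.0/24"),
    "D": ip_network("192.168.103.0/24"),
    "E": ip_network("192.168.104.0/24"),
}


class Rule(NamedTuple):
    iface: str                    # interface the rule is attached to
    direction: str                # "in" = entering the box, "out" = leaving it
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR; None matches any source
    dst: Optional[str] = None     # CIDR; None matches any destination
    dport: Optional[int] = None   # None matches any destination port


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def iface_of(addr: str) -> str:
    """Interface a packet with this address enters or leaves on."""
    ip = ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "WAN"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(rules: List[Rule], iface: str, direction: str, pkt: Packet) -> bool:
    """First match wins on one interface/direction; no match means block
    (assumption: an interface with no rules denies, as m0n0wall does inbound)."""
    for r in rules:
        if r.iface == iface and r.direction == direction and matches(r, pkt):
            return r.action == "pass"
    return False


def decide(rules: List[Rule], pkt: Packet, check_outbound: bool) -> bool:
    """check_outbound=False: only the inbound interface's rules are consulted
    (today's behaviour). True: the packet must also pass the rules on the
    interface it leaves by (the proposal in this thread)."""
    if not verdict(rules, iface_of(pkt.src), "in", pkt):
        return False
    if check_outbound and not verdict(rules, iface_of(pkt.dst), "out", pkt):
        return False
    return True


# Paul's layout: the same three inbound rules repeated on A, B, C and D.
PAUL_RULES: List[Rule] = []
for _i in "ABCD":
    PAUL_RULES += [
        Rule(_i, "in", "pass", proto="tcp", dst="192.168.104.0/24", dport=80),
        Rule(_i, "in", "block", dst="192.168.0.0/16"),
        Rule(_i, "in", "pass"),
    ]

# Tonino's layout: inbound rules only admit traffic; the policy sits on the
# outgoing side, so the port-80 rule is written once, on E.
TONINO_RULES: List[Rule] = [Rule(_i, "in", "pass") for _i in "ABCD"] + [
    Rule("E", "out", "pass", proto="tcp", dst="192.168.104.0/24", dport=80),
    Rule("WAN", "out", "pass"),
]

# Constructed sample flows: first packet of a connection and the intended verdict.
FLOWS: List[Tuple[Packet, bool]] = [
    (Packet("192.168.100.5", "192.168.104.10", "tcp", 80), True),   # A -> E web
    (Packet("192.168.100.5", "192.168.104.10", "tcp", 22), False),  # A -> E ssh
    (Packet("192.168.100.5", "192.168.104.10", "udp", 80), False),  # not TCP
    (Packet("192.168.100.5", "192.168.101.7", "tcp", 80), False),   # A -> B
    (Packet("192.168.103.9", "198.51.100.20", "tcp", 443), True),   # D -> Internet
    (Packet("203.0.113.4", "192.168.104.10", "tcp", 80), False),    # Internet -> E
    (Packet("192.168.104.10", "192.168.100.5", "tcp", 80), False),  # E initiates
]


def compare() -> Dict[Packet, Tuple[bool, bool, bool]]:
    """Verdict under each layout plus the intended one, per flow."""
    return {
        pkt: (decide(PAUL_RULES, pkt, check_outbound=False),
              decide(TONINO_RULES, pkt, check_outbound=True),
              expected)
        for pkt, expected in FLOWS
    }


def equivalent() -> bool:
    """True when both layouts agree with each other and with the intent."""
    return all(p == t == e for p, t, e in compare().values())


if __name__ == "__main__":
    for pkt, (p, t, e) in compare().items():
        print(f"{pkt.src:>15} -> {pkt.dst:>15} {pkt.proto}/{pkt.dport}: "
              f"inbound-only={p} in+out={t} intended={e}")
    print(len(PAUL_RULES), "rules in Paul's layout vs", len(TONINO_RULES), "in Tonino's")
```

Running the block shows the same verdict for every flow under both layouts, with 12 rules in the per-interface layout and 6 in the outbound-checked one; the reduction grows with the number of inside interfaces, which is the point Tonino makes above.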