 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Wed, 6 Feb 2008 18:14:23 -0000
Hello,

Coming from the Checkpoint world, I would vote to only have a single page 
for all the rules. I think that once you get past a few interfaces, having 
per-interface rule-sets just adds to the complication of the overall 
rulebase, as you lose visibility of the overall rulebase.

For my own purposes, I did have a little play at making a version of 
m0n0wall that did just this - it just created matching in and out rules on 
each interface for each entry in the rulebase. I never did any extensive 
security testing on the result but it worked as expected in a virtual 
environment. Any concerns that packets could come in and exit on invalid 
interfaces are dealt with by the anti-spoofing rules that are already 
generated in the underlying ruleset in the current m0n0wall.

Kris.


----- Original Message ----- 
From: "Tonix (Antonio Nati)" <tonix at interazioni dot it>
To: "Paul Taylor" <PaulTaylor at winn dash dixie dot com>
Cc: <m0n0wall dash dev at lists dot m0n0 dot ch>
Sent: Wednesday, February 06, 2008 5:44 PM
Subject: Re: [m0n0wall-dev] Redesigning m0n0wall filter rules


> Paul Taylor wrote:
>> Tonix,
>>
>> I think what Falcor was trying to say was that Monowall handles
>> inbound and outbound rules in terms of the entire box, not the
>> individual interface.
>>
>> Perhaps there is an easier way to do what you are looking to
>> do...  Let's look at your example again
>>
>>
>>> Please set up this filter with the minimum rules possible. This is a
>>> very simple network, so it is not a personal case.
>>>
>>>    Interface A: sub-net, no NAT
>>>    Interface B: sub-net, no NAT
>>>    Interface C: sub-net, no NAT
>>>    Interface D, sub-net, no NAT
>>>    Interface E, sub-net, no NAT
>>>
>>
>>
>>> None can access sub-lans in A,B,C,D.
>>> Anyone can access any port 80 in interface E.
>>>
>>
>> Let's say there is one more interface, WAN.  To make it more realistic,
>> let's give some IP addresses to their subnets.
>>
>> A: 192.168.100.0/24
>> B: 192.168.101.0/24
>> C: 192.168.102.0/24
>> D: 192.168.103.0/24
>> E: 192.168.104.0/24
>>
>> To do what you want in this scenario:
>> Rule #1 on A: Permit dst net 192.168.104.0/24 dst port 80
>> Rule #2 on A: Deny dst net 192.168.0.0/16 dst protocol any
>> Rule #3 on A: Permit any to any
>>
>> Repeat those rules on B, C, and D and I think that does it.  (Interface
>> E would not need any rules if it is only supposed to reply to devices
>> that started talking to it.)  All devices on each subnet would be able
>> to reach the Internet and web servers on Interface E, but not every
>> other subnet.
>>
> With a check on outbound connections, you need only one rule on the
> outgoing interface, instead of the whole set for each incoming interface.
>> What you are asking for is a major change in the way Monowall works
>> today.  Monowall is a stateful firewall, so it tracks all of the
>> outbound traffic and lets replies to that traffic come back in.  Having
>> the ability to set rules as both inbound and outbound would (I believe)
>> add a major layer of complexity.
>>
> As far as I understand, ipfilter can keep track of the state also on
> outgoing connections.
> I ask you to examine the possibility of changing the "default" logic; I feel
> it is something that could be easily added.
>
> If you simply add the possibility of "reverting" the direction, all
> masks remain the same.
>
> Moreover, if you accept changing some of the GUI, having only one page for
> rules would permit having both incoming and outgoing rules, so you can
> simplify complex situations a lot:
>
> Suppose you have WAN (usual), DMZ (some services opened for all), LAN1
> (open to LAN2), LAN2 (open to LAN1), LAN3 (closed to all)
>
>    * deny any_prot incoming from any to private port any on WAN
>    * deny any_prot outgoing from private to any port any on WAN
>    * allow tcp outgoing from any to x.x.x.x port 80 on DMZ
>    * allow tcp outgoing from any to y.y.y.y port 110 on DMZ
>    * allow tcp outgoing from any to y.y.y.y port 25 on DMZ
>    * allow tcp outgoing from y.y.y.y to any port 25 on WAN
>    * allow tcp outgoing from any to 192.168.1.10 port 80 on LAN1
>    * allow any_prot incoming from 192.168.1.0/24 to 192.168.2.0/24 port
>      any on LAN1
>    * allow any_prot incoming from 192.168.2.0/24 to 192.168.1.0/24 port
>      any on LAN2
>
> How many rules would you have to write in order to get the same result with
> the current monowall architecture, across five different rules pages?
>
> Thanks,
>
> Tonino
>> Paul
>>
>>
>
>
> -- 
> ------------------------------------------------------------
>        Inter@zioni            Interazioni di Antonio Nati
>   http://www.interazioni.it      tonix at interazioni dot it
> ------------------------------------------------------------
>
>
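To make the comparison in the quoted exchange concrete, here is an added Python model (not m0n0wall code, and not written by anyone in this thread) that evaluates Paul's twelve per-interface inbound rules and a two-rule, outbound-checked single-page version of the same policy against the same constructed flows. The interface lookup by address, the default action per direction and the sample addresses are assumptions of the model, not m0n0wall behaviour.

```python
import ipaddress

# Constructed model of Paul Taylor's scenario (subnets A-E plus WAN). Ingress/egress is
# derived from the src/dst address here, a modelling assumption, not m0n0wall's own logic.
SUBNETS = {"A": "192.168.100.0/24", "B": "192.168.101.0/24", "C": "192.168.102.0/24",
           "D": "192.168.103.0/24", "E": "192.168.104.0/24"}
ANY, INTERNAL = "0.0.0.0/0", "192.168.100.0/22"   # INTERNAL covers A-D but not E

def rule(action, iface, direction, src=ANY, dst=ANY, proto="any", dport=None):
    return dict(action=action, iface=iface, direction=direction, proto=proto, dport=dport,
                src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst))

def iface_of(addr):   # addresses outside every known subnet are on WAN
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in SUBNETS.items() if ip in ipaddress.ip_network(net)), "WAN")

def matches(r, pkt, iface, direction):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return (r["iface"] == iface and r["direction"] == direction and src in r["src"] and dst in r["dst"]
            and r["proto"] in ("any", pkt["proto"]) and r["dport"] in (None, pkt["dport"]))

def decide(rules, pkt, default_in, default_out):
    # First match on the ingress interface, then on the egress one; a pass with no matching
    # rule takes that direction's default. Only new connections are modelled, not state replies.
    passes = ((iface_of(pkt["src"]), "in", default_in), (iface_of(pkt["dst"]), "out", default_out))
    hits = [next((r["action"] for r in rules if matches(r, pkt, i, d)), dflt) for i, d, dflt in passes]
    return "deny" if "deny" in hits else "permit"

# Policy 1: Paul's rules #1-#3 on A, repeated on B, C and D (12 inbound rules, inbound
# default-deny; m0n0wall has no user outbound rules, so outbound is modelled as default-permit).
PER_INTERFACE = [r for ifn in "ABCD" for r in (
    rule("permit", ifn, "in", dst=SUBNETS["E"], proto="tcp", dport=80),
    rule("deny", ifn, "in", dst="192.168.0.0/16"),
    rule("permit", ifn, "in"))]

# Policy 2: the same intent checked on the outgoing interface from one rules page, as Tonino
# proposes: two rules, outbound default-deny, inbound default-permit.
SINGLE_PAGE = [rule("permit", "E", "out", src=INTERNAL, dst=SUBNETS["E"], proto="tcp", dport=80),
               rule("permit", "WAN", "out", src=INTERNAL)]

SAMPLE_FLOWS = [  # constructed new connections: (src, dst, proto, dport)
    ("192.168.100.5", "192.168.104.10", "tcp", 80),   # A -> web server on E
    ("192.168.100.5", "192.168.104.10", "tcp", 443),  # A -> E, not port 80
    ("192.168.100.5", "192.168.101.7", "tcp", 22),    # A -> B
    ("192.168.100.5", "203.0.113.9", "tcp", 443),     # A -> Internet
    ("192.168.104.10", "203.0.113.9", "tcp", 443),    # E -> Internet (E has no rules)
    ("203.0.113.9", "192.168.104.10", "tcp", 80)]     # Internet -> E

def verdicts():   # (per-interface verdict, single-page verdict) for each sample flow
    return [(decide(PER_INTERFACE, p, "deny", "permit"), decide(SINGLE_PAGE, p, "permit", "deny"))
            for p in (dict(src=s, dst=d, proto=pr, dport=dp) for s, d, pr, dp in SAMPLE_FLOWS)]
```

Both policies give identical verdicts for every sample flow; the single-page form needs a source restriction on the WAN rule so that E, which has no rules of its own in Paul's layout, still cannot open connections to the Internet.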