Coming from the Checkpoint world, I would vote to only have a single page
for all the rules. I think that once you get past a few interfaces, having
per-interface rule-sets just adds to the complication of the overall
rulebase, as you lose visibility of the overall rulebase.
For my own purposes, I did have a little play at making a version of
m0n0wall that did just this - it just created matching in and out rules on
each interface for each entry in the rulebase. I never did any extensive
security testing on the result but it worked as expected in a virtual
environment. Any concerns that packets could come in and exit on invalid
interfaces are dealt with by the anti-spoofing rules that are already
generated in the underlying ruleset in the current m0n0wall.
----- Original Message -----
From: "Tonix (Antonio Nati)" <tonix at interazioni dot it>
To: "Paul Taylor" <PaulTaylor at winn dash dixie dot com>
Cc: <m0n0wall dash dev at lists dot m0n0 dot ch>
Sent: Wednesday, February 06, 2008 5:44 PM
Subject: Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
> Paul Taylor wrote:
>> I think what Falcor was trying to say was that Monowall handles
>> inbound and outbound rules in terms of the entire box, not the
>> individual interface.
>> Perhaps there is an easier way to do what you are looking to
>> do... Let's look at your example again
>>> Please set up this filter with the minimum rules possible. This is a
>>> very simple network, so it is not a personal case.
>>> Interface A: sub-net, no NAT
>>> Interface B: sub-net, no NAT
>>> Interface C: sub-net, no NAT
>>> Interface D, sub-net, no NAT
>>> Interface E, sub-net, no NAT
>>> None can access sub-lans in A,B,C,D.
>>> Anyone can access any port 80 in interface E.
>> Let's say there is one more interface, WAN. To make it more realistic,
>> let's give some IP addresses to their subnets.
>> A: 192.168.100.0/24
>> B: 192.168.101.0/24
>> C: 192.168.102.0/24
>> D: 192.168.103.0/24
>> E: 192.168.104.0/24
>> To do what you want in this scenario:
>> Rule #1 on A: Permit dst net 192.168.104.0/24 dst port 80
>> Rule #2 on A: Deny dst net 192.168.0.0/16 dst protocol any
>> Rule #3 on A: Permit any to any
>> Repeat those rules on B, C, and D and I think that does it. (Interface
>> E would not need any rules if it is only supposed to reply to devices
>> that started talking to it.) All devices on each subnet would be able
>> to reach the Internet and web servers on Interface E, but not every
>> other subnet.
> With a check on outbound connections, you need only one rule on the
> outgoing interface, instead of the whole set for each incoming interface.
>> What you are asking for is a major change in the way Monowall works
>> today. Monowall is a stateful firewall, so it tracks all of the
>> outbound traffic and lets replies to that traffic come back in. Having
>> the ability to set rules as both inbound and outbound would (I believe)
>> add a major layer of complexity.
> As far as I understand, ipfilter can keep track of the state also on
> outgoing connections.
> I ask you to examine the possibility of changing the "default" logic; I feel
> it is something that could be easily added.
> If you simply add the possibility of "reverting" the direction, all
> masks remain the same.
> Moreover, if you accept changing some of the GUI, having only one page for
> rules would permit having both incoming and outgoing rules, so you can
> simplify complex situations a lot:
> Suppose you have WAN (usual), DMZ (some services opened for all), LAN1
> (open to LAN2), LAN2 (open to LAN1), LAN3 (closed to all)
> * deny any_prot incoming from any to private port any on WAN
> * deny any_prot outgoing from private to any port any on WAN
> * allow tcp outgoing from any to x.x.x.x port 80 on DMZ
> * allow tcp outgoing from any to y.y.y.y port 110 on DMZ
> * allow tcp outgoing from any to y.y.y.y port 25 on DMZ
> * allow tcp outgoing from y.y.y.y to any port 25 on WAN
> * allow tcp outgoing from any to 192.168.1.10 port 80 on LAN1
> * allow any_prot incoming from 192.168.1.0/24 to 192.168.2.0/24 port
> any on LAN1
> * allow any_prot incoming from 192.168.2.0/24 to 192.168.1.0/24 port
> any on LAN2
> How many rules would you have to write in order to get the same result with
> the current monowall architecture, across five different rules pages?
> Inter@zioni Interazioni di Antonio Nati
> http://www.interazioni.it tonix at interazioni dot it
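The two layouts argued about in this thread can be checked against each other with a small model. The following is an added example written for this page, not m0n0wall or ipfilter code: a stateless first-match filter in Python that evaluates Paul Taylor's per-inbound-interface rules on the A..E topology from his message, and, beside it, Tonix's idea of placing the rules on the outgoing interface, here transplanted to the same topology (that second rule set is a construction for the example, not one either poster wrote). The chain semantics are an assumption: a chain that exists is first-match with an implicit deny at its end, an interface with no chain for a direction is left unfiltered in that direction, reply traffic is not tracked, the anti-spoofing check the first poster mentions is modelled as a fixed pre-check, and the WAN addresses and test flows are made up.

```python
"""Toy first-match packet filter comparing per-inbound-interface rules with
rules placed on the outbound interface. Added example, not m0n0wall/ipfilter
code. Assumed semantics: an existing chain is first-match with an implicit
deny; a direction with no chain on an interface is unfiltered; no state
tracking; anti-spoofing is a fixed pre-check; WAN addresses are invented."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Topology from Paul Taylor's message: A..E are 192.168.100.0/24 .. .104.0/24.
LOCAL = {n: IPv4Network(f"192.168.{100 + i}.0/24") for i, n in enumerate("ABCDE")}
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrives on
    src: str
    dst: str
    proto: str = "tcp"
    dport: int | None = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" | "deny"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: str | None = None    # None == any protocol
    dport: int | None = None    # None == any port

    def matches(self, p: Packet) -> bool:
        return (IPv4Address(p.src) in self.src and IPv4Address(p.dst) in self.dst
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))


def route(dst: str) -> str:
    """Egress interface: the local subnet holding dst, otherwise WAN."""
    addr = IPv4Address(dst)
    return next((n for n, net in LOCAL.items() if addr in net), "WAN")


def spoofed(p: Packet) -> bool:
    """LAN packets must come from their own subnet; WAN packets must not claim a local source."""
    src = IPv4Address(p.src)
    if p.iface == "WAN":
        return any(src in net for net in LOCAL.values())
    return src not in LOCAL[p.iface]


def first_match(chain: list[Rule], p: Packet) -> str:
    return next((r.action for r in chain if r.matches(p)), "deny")  # implicit deny


def decide(ruleset: dict[tuple[str, str], list[Rule]], p: Packet) -> str:
    """ruleset maps (interface, "in"|"out") to an ordered chain. The packet must
    pass the inbound chain of its arrival interface and the outbound chain of
    its egress interface; a missing chain passes everything."""
    if spoofed(p):
        return "deny"
    for key in ((p.iface, "in"), (route(p.dst), "out")):
        if key in ruleset and first_match(ruleset[key], p) == "deny":
            return "deny"
    return "permit"


# Layout 1 (Paul Taylor): the same three inbound rules on A..D; E and WAN get an
# empty chain, so nothing they originate passes (replies would need state).
# Rule #1 names no protocol, so as written it also passes UDP port 80.
LAN_IN = [Rule("permit", dst=LOCAL["E"], dport=80),
          Rule("deny", dst=IPv4Network("192.168.0.0/16")),
          Rule("permit")]
INBOUND_LAYOUT = {(n, "in"): list(LAN_IN) for n in "ABCD"}
INBOUND_LAYOUT.update({("E", "in"): [], ("WAN", "in"): []})

# Layout 2 (constructed, Tonix's idea on the same network): filter on the
# outbound interface. The web rule is written once on E, "nobody reaches A..D"
# is an empty outbound chain on each, and 192.168.100.0/22 is exactly A..D.
OUTBOUND_LAYOUT = {
    ("E", "out"): [Rule("permit", dst=LOCAL["E"], dport=80)],
    ("WAN", "out"): [Rule("permit", src=IPv4Network("192.168.100.0/22"))],
    ("WAN", "in"): [],
}
OUTBOUND_LAYOUT.update({(n, "out"): [] for n in "ABCD"})

FLOWS = [  # constructed test traffic
    Packet("A", "192.168.100.10", "192.168.104.5", dport=80),   # web on E
    Packet("A", "192.168.100.10", "192.168.104.5", dport=22),   # ssh on E
    Packet("A", "192.168.100.10", "192.168.101.20", dport=80),  # A -> B
    Packet("A", "192.168.100.10", "203.0.113.9", dport=443),    # A -> Internet
    Packet("D", "192.168.103.7", "192.168.104.5", "udp", 80),   # UDP/80 to E
    Packet("E", "192.168.104.5", "192.168.100.10", dport=80),   # E -> A
    Packet("E", "192.168.104.5", "203.0.113.9", dport=443),     # E -> Internet
    Packet("WAN", "203.0.113.9", "192.168.104.5", dport=80),    # unsolicited
    Packet("A", "192.168.101.5", "192.168.104.5", dport=80),    # spoofed source
]


def rule_count(ruleset: dict) -> int:
    return sum(len(chain) for chain in ruleset.values())


def compare(flows: list[Packet] = FLOWS) -> list[tuple[Packet, str, str]]:
    return [(p, decide(INBOUND_LAYOUT, p), decide(OUTBOUND_LAYOUT, p)) for p in flows]


if __name__ == "__main__":
    for p, a, b in compare():
        print(f"{p.iface:>3} {p.src:>15} -> {p.dst:>15} {p.proto}/{p.dport}  {a:6} {b}")
    print(rule_count(INBOUND_LAYOUT), "rules vs", rule_count(OUTBOUND_LAYOUT))
```

Running it shows both layouts reaching the same decision for every flow, with twelve rules in the per-inbound-interface layout against two in the outbound one; the stateless model does not show the reply-path handling that makes E workable without rules in Paul's version, which is what the thread's stateful-firewall remarks are about.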