 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  Mono Dev List <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Thu, 07 Feb 2008 01:39:42 +0100
Exactly, m0n0wall is a firewall!
Filtering on outbound would appear to be a simple operation but can also be pretty dangerous on
multiple-interface setups.
And on top of that, your simpler outbound rules will carry over to complex inbound filters on all other

Let's assume this scenario:
- you want to allow LAN and DMZ to freely access the WAN except SMTP.
- you therefore apply an outbound filter:
	- deny any --> SMTP --> any
	- permit any --> any
- without other inbound rules on LAN and DMZ those two interfaces will be unfiltered.

Another issue is the mix of outbound and inbound rules on the same interface.
Doing this will make the stateful feature pretty complex or useless, as one filter will be forced to
put a "bypass" to the other to permit stateful replies to go through.
In which case do you want that? Implicit? Only if not explicitly denied?

I've been working for many years as a security engineer and although some firewalls allow creating
outbound rules I don't suggest using them.

If you want to simplify the management of m0n0wall, I'm rather for the implementation of objects
(service, host and network groups) which would be reusable across the rules, and eventually an
interface (CLI or whatever shell) to be able to administer m0n0wall through firewall-builder.


Imran K wrote:
> Guys,
> Monowall!!! (wall stands for firewall, doesn't it?) I am surprised that mono
> rule creation can only be
> done for inbound packets.
> Bouncers police who can come in and who needs to go out of a night club for
> very good reasons.
> *Unless I am missing something* tonix's needs are valid.
> Can we have an option (drop down) after the interface that selects inbound
> or outbound???
> Why is there no option already?
> Otherwise it would be nice if someone suggested a workaround for him, i.e. piping
> all traffic destined for the server segment through a virtual interface /
> subnet to allow the use of inbound-only rules on it only instead of all the
> segments???
> On Feb 5, 2008 10:36 PM, Tonix (Antonio Nati) <tonix at interazioni dot it> wrote:
>> We are thinking how to extend/improve the m0n0wall rules architecture.
>> After intense work done with rules, we finally realize we need
>> something the actual m0n0wall architecture cannot satisfy.
>> Given our environment, with dozens of reserved VLANs and a few server
>> VLANs, the actual m0n0wall behaviour of applying rules to "incoming"
>> interfaces forces us to apply the same rules to dozens of VLANs, while rules
>> eventually applied to "outgoing" interfaces could be a lot easier to
>> manage.
>> Planning to put our hands in the code, we are thinking to add a system flag
>> (enable rules on output interfaces) and change rules to outgoing
>> interfaces if that flag is enabled.
>> Obviously it would be better to have rules working both on "incoming
>> interfaces" and "outgoing interfaces", but it does not look easy to do
>> with ipfilter.
>> Thanks for any comment/hint.
>> Tonino
>> --
>> ------------------------------------------------------------
>>        Inter@zioni            Interazioni di Antonio Nati
>>   http://www.interazioni.it      tonix at interazioni dot it
>> ------------------------------------------------------------



Daniele Guazzoni
Senior Network Engineer, CCNP, CCNA

Linux and AMD-x86_64 or do you still with Windows and Intel ?
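The LAN/DMZ/WAN scenario Daniele lays out above (an outbound SMTP filter on WAN versus the same policy as inbound rules on LAN and DMZ), modelled as an added Python example that is not part of this thread or of m0n0wall. The three interfaces, the addresses, the first-match semantics and the rule that an interface with no rules passes traffic are constructed assumptions of the model, not m0n0wall or ipfilter behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed box: which network sits behind which interface; everything else is WAN.
NETS = {"LAN": ipaddress.ip_network("192.168.1.0/24"),
        "DMZ": ipaddress.ip_network("192.168.2.0/24")}

def iface_for(addr: str) -> str:
    """Interface an address is reached through: LAN/DMZ if local, else WAN (default route)."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in NETS.items() if ip in net), "WAN")

@dataclass
class Rule:
    iface: str                  # interface the rule is bound to
    direction: str              # "in" or "out", relative to that interface
    action: str                 # "permit" or "deny"
    dport: Optional[int] = None # None matches any destination port

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """A packet enters on iface_for(src) ('in') and leaves on iface_for(dst) ('out').
    On each hop the first matching rule decides; a hop with no matching rule passes
    (modelling assumption). A deny on any hop drops the packet."""
    hops = ((iface_for(src), "in"), (iface_for(dst), "out"))
    for iface, direction in hops:
        for r in rules:
            if r.iface == iface and r.direction == direction and r.dport in (None, dport):
                if r.action == "deny":
                    return "deny"
                break  # permit on this hop; go on to the next hop
    return "permit"

# Design A (the proposal under discussion): one outbound filter on WAN only.
OUTBOUND_WAN = [Rule("WAN", "out", "deny", 25), Rule("WAN", "out", "permit")]

# Design B (m0n0wall's inbound model): the same policy repeated as inbound rules on LAN and DMZ.
INBOUND_LAN_DMZ = [Rule(i, "in", act, port)
                   for i in ("LAN", "DMZ") for act, port in (("deny", 25), ("permit", None))]

def compare(src: str, dst: str, dport: int) -> dict:
    """Verdict of both designs for one flow, so the gap between them is visible side by side."""
    return {"outbound_wan": evaluate(OUTBOUND_WAN, src, dst, dport),
            "inbound_lan_dmz": evaluate(INBOUND_LAN_DMZ, src, dst, dport)}

if __name__ == "__main__":
    # LAN -> Internet SMTP: both designs deny. LAN -> DMZ SMTP: design A never sees the packet
    # on WAN, so LAN<->DMZ traffic is unfiltered, exactly the gap described in the thread.
    for flow in (("192.168.1.10", "203.0.113.5", 25), ("192.168.1.10", "192.168.2.20", 25)):
        print(flow, compare(*flow))
```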
