 From:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>
 To:  daniele dot guazzoni at gcomm dot ch
 Cc:  Mono Dev List <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Thu, 07 Feb 2008 14:43:19 +0100
Daniele Guazzoni wrote:
> Exactly m0n0wall is a firewall !
> Filtering on outbound would appear as a simple operation but can be 
> also pretty dangerous on multiple interface setups.
> And on top of that your simpler outbound rules will carry to complex 
> inbound filters on all other interfaces...
> Let's assume this scenario:
> - you want to allow LAN and DMZ to freely access the WAN except SMTP.
> - you therefore apply an outbound filter:
>     - deny any --> SMTP --> any
>     - permit any --> any
> - without other inbound rules on LAN and DMZ those two interfaces will 
> be unfiltered.

Where is the problem?
The default for any interface is: nothing can pass unless explicitly 
So, except any (but not SMTP) from (LAN + DMZ) to WAN, nothing else will 
be allowed to pass.

> Another issue is the mix of outbound and inbound rules on the same 
> interface.
> Doing this will make the stateful feature pretty complex or useless 
> as one filter will be forced to put "bypass" to the other to permit 
> stateful replies to go through.
> In which case you want that ? Implicit ? Only if not explicit denied ?
I think that "stateful" handling means full handling of directions.
A connection started as incoming has nothing to do with a connection 
started as outgoing.
ipfilter handles states both for outgoing and incoming, so I hope this 
is not a problem.
> I have been working for many years as a security engineer and although some 
> firewalls allow creating outbound rules I don't suggest using them.
There is no problem when some outbound rules are really for all. For 
example, when you enable a port inside a DMZ interface, that port will 
be usually available for all interfaces, so I don't see particular 
security risks applying an "outbound" rule over the DMZ interface.
If some particular address is excluded from accessing that service, put 
an explicit deny before in the rules list.

For "my cases", it would be absolutely great.
> If you want to simplify the management of m0n0wall I'm rather for the 
> implementation of objects (service, host and network groups) which 
> would be reusable along the rules and eventually an interface (CLI or 
> whatever shell) to be able to administer m0n0wall through 
> firewall-builder.
You could put in a dedicated page some rules that should be replicated 
for each interface (before any local rule for each interface), in this 
way you can make life easier. But managing of separate pages would be 

> Daniele
> Imran K wrote:
>> Guys,
>> Monowall!!! ( wall stands for firewall doesn't it?) I am surprised 
>> that mono
>> rule creation can only be
>> done for inbound packets. *
>> *Bouncers police who can come in and who needs to go out of a night 
>> club for
>> very good reasons.
>> *Unless I am missing something* tonix's needs are valid.
>> Can we have an option ( drop down ) after the interface that selects 
>> inbound
>> or outbound???
>> Why is there no option already?
>> Otherwise it would be nice if suggested a workaround for him. i.e. 
>> piping
>> all traffic destined for the server segment through a virtual 
>> interface /
>> subnet to allow the use of inbound only rules on it only instead of 
>> all the
>> segments???
>> On Feb 5, 2008 10:36 PM, Tonix (Antonio Nati) <tonix at interazioni dot it> 
>> wrote:
>>> We are thinking how to extend/improve m0n0wall rules architecture.
>>> After an intense work done with rules, we finally realize we need
>>> something actual m0n0wall architecture cannot satisfy.
>>> Given our environment, with dozens of reserved VLANs and a few server
>>> VLAN, actual m0n0wall behaviour of applying rules to "incoming"
>>> interfaces forces us to apply same rules to dozens of VLAN, while rules
>>> eventually applied to "outgoing" interfaces could be a lot more easy to
>>> manage.
>>> Planning to put hands in code, we are thinking to add a system flag
>>> (enable rules on output interfaces) and change rules to outgoing
>>> interfaces if that flag is enabled.
>>> Obviously it would be better to have rules working both on "incoming
>>> interfaces" and "outgoing interfaces", but it looks not easy to make
>>> with ipfilter.
>>> Thanks for any comment/hint.
>>> Tonino
>>> -- 
>>> ------------------------------------------------------------
>>>        Inter@zioni            Interazioni di Antonio Nati
>>>   http://www.interazioni.it      tonix at interazioni dot it
>>> ------------------------------------------------------------

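The LAN/DMZ/WAN scenario discussed above, modelled as an added example (not m0n0wall or ipfilter code): it evaluates the same "deny SMTP, permit the rest" policy written once as egress rules on the WAN interface versus replicated as ingress rules on each internal interface, under a default-deny policy. Interface names (lan0, dmz0, wan0), addresses and the routing table are constructed for the illustration.

```python
"""Toy model of first-match ('quick') rule evaluation with default deny,
showing where in-interface and out-interface rule placement differ.
Added illustration for the thread; not m0n0wall code."""
from dataclasses import dataclass
from typing import Optional

# Constructed topology: which interface each destination is routed out of.
ROUTES = {"192.168.1.": "lan0", "10.0.0.": "dmz0"}


def egress_iface(dst: str) -> str:
    """Longest-prefix lookup is overkill here; a prefix scan suffices."""
    for prefix, iface in ROUTES.items():
        if dst.startswith(prefix):
            return iface
    return "wan0"  # default route


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" = ingress interface, "out" = egress
    iface: str
    dport: Optional[int] = None  # None matches any destination port


def filter_packet(rules, in_iface, dst, dport):
    """First matching rule wins; anything unmatched is blocked by default."""
    out_iface = egress_iface(dst)
    for r in rules:
        iface = in_iface if r.direction == "in" else out_iface
        if r.iface == iface and (r.dport is None or r.dport == dport):
            return r.action
    return "block"


# Egress formulation: two rules on the WAN side cover every internal VLAN.
OUTBOUND_RULES = [Rule("block", "out", "wan0", 25), Rule("pass", "out", "wan0")]

# Ingress formulation: the same policy replicated on each internal interface.
INBOUND_RULES = [Rule(a, "in", i, p) for i in ("lan0", "dmz0")
                 for a, p in (("block", 25), ("pass", None))]


def compare(in_iface, dst, dport):
    """Verdict under (egress ruleset, ingress ruleset) for one packet."""
    return (filter_packet(OUTBOUND_RULES, in_iface, dst, dport),
            filter_packet(INBOUND_RULES, in_iface, dst, dport))
```

LAN-to-WAN traffic gets the same verdict either way, but LAN-to-DMZ traffic is blocked by default under the egress ruleset (nothing allows it on dmz0) while the replicated "permit any" ingress rule passes it, which is exactly the gap the two posters are arguing about.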