 From:  "marijan" <mjakara at xnet dot hr>
 To:  "'Monowall Develop'" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] why only 'IN' firewall rules?
 Date:  Thu, 31 Mar 2005 21:34:59 +0200
This is not the right way..
In this case I must block all hosts (existing or not existing) on all
interfaces (four). If I had another router on some interface, and that
router is connected to another router.. well, I must block again all hosts
on subnets behind other routers..
When a new subnet is created on other routers, I must block again all
hosts on that subnet and check all the time all changes on other

One 'out' filtering will solve all this mess..

-----Original Message-----
From: Scott Ullrich [mailto:sullrich at gmail dot com] 
Sent: Thursday, March 31, 2005 9:17 PM
To: marijan
Cc: Monowall Develop
Subject: Re: [m0n0wall-dev] why only 'IN' firewall rules?

On Thu, 31 Mar 2005 21:05:19 +0200, marijan <mjakara at xnet dot hr> wrote:
> Because I have 4 LAN interfaces and have some users on all these
> interfaces (subnets) and some users on other routed networks, and all
> of them go out through the WAN interface. I want to let out only some
> computers (users) and want them to be able to go to the Internet while
> all other computers cannot.

Allow the routed hosts to talk with an allow rule and then follow up
with blocking rules to keep the hosts that you wish not to allow to the

IE: Add some rules similar to:
   Action  Proto  Source  Port  Destination    Port
   A       *      *       *     routed subnet
   D       *      *       *     *              *     Deny 2.24 to internet.

This will pass routed traffic between the subnets and then if the host
(2.24) wishes to talk to the internet they will be blocked.
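Added example, not from the list thread or from m0n0wall itself: a first-match evaluator for the inbound rule set of one LAN interface, using Scott's ordering (pass to the routed subnets first, then deny the host). Addresses are constructed, 192.168.2.24 stands in for "2.24", and the final pass-any rule that lets the remaining hosts out is an assumption.

```python
import ipaddress

ANY = "any"

# Constructed addresses: four LAN subnets behind the m0n0wall box and
# 192.168.2.24 standing in for the "2.24" host Scott's deny rule names.
ROUTED_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24",
                  "192.168.3.0/24", "192.168.4.0/24"]
BLOCKED_HOST = "192.168.2.24"

def matches(pattern, addr):
    """'any' matches everything; otherwise addr must fall inside pattern."""
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def evaluate(rules, src, dst):
    """First matching rule wins (m0n0wall evaluates inbound rules in
    order); the assumed fallback when nothing matches is deny."""
    for action, rule_src, rule_dst in rules:
        if matches(rule_src, src) and matches(rule_dst, dst):
            return action
    return "deny"

def interface_rules(deny_first=False):
    """Rule set installed as the inbound rules of one LAN interface.
    Scott's order: pass to each routed subnet, then deny the host.
    The trailing pass-any is an assumption so the other hosts get out."""
    pass_routed = [("pass", ANY, net) for net in ROUTED_SUBNETS]
    deny_host = [("deny", BLOCKED_HOST, ANY)]        # "Deny 2.24 to internet"
    order = deny_host + pass_routed if deny_first else pass_routed + deny_host
    return order + [("pass", ANY, ANY)]

def decisions(deny_first=False):
    """Verdicts for the blocked host and a neighbour entering one interface."""
    rules = interface_rules(deny_first)
    internet = "198.51.100.10"      # documentation range, stands in for a WAN host
    return {
        "blocked_to_routed": evaluate(rules, BLOCKED_HOST, "192.168.3.5"),
        "blocked_to_internet": evaluate(rules, BLOCKED_HOST, internet),
        "neighbour_to_internet": evaluate(rules, "192.168.2.7", internet),
    }

if __name__ == "__main__":
    print(decisions())                 # routed traffic passes, internet denied
    print(decisions(deny_first=True))  # deny placed first also kills routed traffic
```

Swapping the two rule groups shows why the order matters: a deny placed ahead of the routed-subnet passes blocks 2.24 from the other subnets too, not only from the internet.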
