On Thu, 31 Mar 2005 21:34:59 +0200, marijan <mjakara at xnet dot hr> wrote:
>
> In this case I must block all hosts (existing or not existing) on all
> interfaces (four).
No you don't. This is very easy. On each LAN interface permit all
only to the subnets of the other LANs and permit the hosts you want
to get to the internet to get to anything and let everything else hit
the default deny. I don't see where out rules would be beneficial at
all.
It's a lot cleaner to only maintain rules in one direction, and there
isn't any situation that can't be addressed this way.
-Chris
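The layout Chris describes, written out as a firewall ruleset: inbound rules only, per LAN interface, with everything else falling through to the default deny. This is an added example and not code from the thread; it assumes OpenBSD pf syntax (the message does not name a particular firewall), and the interface names, subnets and host addresses are constructed. NAT for the internet-bound hosts is omitted since the message does not discuss it.

```pf
# Constructed interface names: one external, three LAN (four total, as in the thread)
ext_if  = "fxp0"
lan1_if = "fxp1"
lan2_if = "fxp2"
lan3_if = "fxp3"

# Constructed subnets behind each LAN interface
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"
lan3_net = "192.168.3.0/24"

# Constructed addresses of the hosts that are allowed out to the internet
table <inet_hosts> { 192.168.1.10, 192.168.2.20 }

set skip on lo

# Default deny, applied inbound on every interface. Any host, existing or
# not, that does not match a "pass in" rule below is dropped here.
block in log all

# No outbound filtering: the whole policy lives in the "in" direction.
# pf is stateful, so replies to permitted inbound flows are allowed by state.
pass out all

# LAN 1: may reach the other LANs; selected hosts may reach anything.
pass in on $lan1_if from $lan1_net to { $lan2_net, $lan3_net }
pass in on $lan1_if from <inet_hosts> to any

# LAN 2: same shape.
pass in on $lan2_if from $lan2_net to { $lan1_net, $lan3_net }
pass in on $lan2_if from <inet_hosts> to any

# LAN 3: same shape.
pass in on $lan3_if from $lan3_net to { $lan1_net, $lan2_net }
pass in on $lan3_if from <inet_hosts> to any

# Nothing is passed in on $ext_if, so unsolicited traffic from the internet
# hits the default deny; state created by the LAN rules carries the replies.
```

Because every "pass in" rule also names the source subnet, a host that plugs into the wrong LAN and uses an address from another subnet matches no rule and is dropped; the per-interface source match is what makes the single-direction policy sufficient. To confirm the policy while it runs, `pfctl -sr` lists the loaded rules and `pfctl -ss` shows the states that permitted flows create.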