I have a situation something like this.
Internet (WAN)
|
_____ (my router) _____ ______
router_______router______LAN9
LAN1 | | LAN2 |
|
| | | |
LAN3 LAN4 LAN8 LAN10
|
|
LAN5 ______ router____LAN6
|
|
LAN7
If I only use IN filtering I must:
On LAN1 interface:
permit from 'all' to 'LAN2' subnet
permit from 'all' to 'LAN3' subnet
permit from 'all' to 'LAN4' subnet
permit from 'all' to 'LAN5' subnet
permit from 'all' to 'LAN6' subnet
permit from 'all' to 'LAN7' subnet
permit from 'all' to 'LAN8' subnet
permit from 'all' to 'LAN9' subnet
permit from 'all' to 'LAN10' subnet
permit from 'user1' to 'WAN'
permit from 'user1' to 'WAN'
permit from 'user1' to 'WAN'
permit from 'user1' to 'WAN'
permit from 'user1' to 'WAN'
permit from 'user1' to 'WAN'
-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Thursday, March 31, 2005 10:07 PM
Cc: Monowall Develop
Subject: Re: [m0n0wall-dev] why only 'IN' firewall rules?
On Thu, 31 Mar 2005 21:34:59 +0200, marijan <mjakara at xnet dot hr> wrote:
>
> In this case I must block all hosts (existing or not existing) on all
> interfaces (four).
No you don't. This is very easy. On each LAN interface permit all only
to the subnets of the other LANs and permit the hosts you want to get
to the internet to get to anything and let everything else hit the
default deny. I don't see where out rules would be beneficial at all.
It's a lot cleaner to only maintain rules in one direction, and there
isn't any situation that can't be addressed this way.
-Chris
---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch
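The recipe Chris describes (per-interface IN rules: permit all to the other LAN subnets, permit the chosen hosts to anything, everything else hits the default deny) can be checked with a small policy simulator. The block below is an added example written for this thread; it is not m0n0wall code and not from either poster. The addressing (10.0.N.0/24 for LANN), the list of Internet-permitted hosts, and the first-match evaluation order are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the LAN1..LAN10 topology in the thread (not from the page):
# each LAN gets a /24; anything outside these subnets is treated as "WAN".
LAN_SUBNETS = {f"LAN{i}": ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(1, 11)}

# Constructed: the hosts on each interface that are allowed to reach the Internet.
# This replaces the repeated "permit from 'user1' to 'WAN'" lines with one entry per host.
INTERNET_HOSTS = {
    "LAN1": ["10.0.1.10", "10.0.1.11"],
    "LAN2": ["10.0.2.20"],
}

ANY = ipaddress.ip_network("0.0.0.0/0")  # "all" as a source, "anything" as a destination


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # ANY means "all"
    dst: ipaddress.IPv4Network    # ANY means "anything", Internet included


def build_in_rules(iface):
    """Inbound rule list for one LAN interface, following the recipe in the thread:
    permit all to every *other* LAN subnet, permit the Internet hosts to anything,
    and let everything else fall through to the implicit default deny."""
    rules = [Rule("permit", ANY, net) for name, net in LAN_SUBNETS.items() if name != iface]
    for host in INTERNET_HOSTS.get(iface, []):
        rules.append(Rule("permit", ipaddress.ip_network(host + "/32"), ANY))
    return rules


def ingress_interface(src):
    """A packet enters on the interface whose subnet holds its source address
    (assumption: no spoofing, every LAN is reachable behind exactly one interface)."""
    src = ipaddress.ip_address(src)
    for name, net in LAN_SUBNETS.items():
        if src in net:
            return name
    return "WAN"


def evaluate(src, dst):
    """Apply only the ingress interface's IN rules, first match wins, default deny.
    No OUT rules exist anywhere in this model."""
    iface = ingress_interface(src)
    if iface == "WAN":
        return "deny"  # this example defines no inbound-from-WAN permits
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in build_in_rules(iface):
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows covering the cases discussed in the thread.
    for src, dst in [("10.0.1.50", "10.0.3.7"),          # any LAN1 host -> LAN3
                     ("10.0.1.10", "198.51.100.1"),      # permitted host -> Internet
                     ("10.0.1.50", "198.51.100.1"),      # unlisted host -> Internet
                     ("10.0.5.5", "10.0.7.9"),           # LAN5 -> LAN7 via downstream router
                     ("203.0.113.4", "10.0.1.10")]:      # Internet -> LAN1
        print(f"{src:>14} -> {dst:<14} {evaluate(src, dst)}")
```

The only per-interface maintenance is the list of other LAN subnets and the Internet-permitted hosts; an unlisted host trying to reach the Internet is dropped by the default deny without any explicit block rule, which is the point Chris makes about not needing to enumerate hosts.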