 
 From:  "marijan" <mjakara at xnet dot hr>
 To:  "'Monowall Develop'" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  FW: [m0n0wall-dev] why only 'IN' firewall rules?
 Date:  Thu, 31 Mar 2005 22:58:05 +0200
I have got a situation something like this.

		   Internet (WAN)
			|
	_____	(my router) _____         ______
router_______router______LAN9
LAN1		  |	   |          LAN2		|
|
		  |	   |			|		|
		LAN3	LAN4		        LAN8	        LAN10
		  |	   
		  |	   
LAN5	______	router____LAN6	
		 |	
		 |	
		LAN7



On LAN1 - 8 internet users
On LAN2 - 6 internet users
On LAN3 - 4 internet users
On LAN4 - 1 internet user
On LAN5 - 5 internet users
On LAN6 - no users
On LAN7 - 3 Internet users
On LAN8 - 2 Internet users
On LAN9 - no internet users
On LAN10 - 4 internet users




If I only use IN filtering I must:

On LAN1 interface:
	permit from 'all' to 'LAN2' subnet
	permit from 'all' to 'LAN3' subnet
	permit from 'all' to 'LAN4' subnet
	permit from 'all' to 'LAN5' subnet
	permit from 'all' to 'LAN6' subnet
	permit from 'all' to 'LAN7' subnet
	permit from 'all' to 'LAN8' subnet
	permit from 'all' to 'LAN9' subnet
	permit from 'all' to 'LAN10' subnet
	permit from 'user1' to 'all'
	permit from 'user2' to 'all'
	permit from 'user3' to 'all'
	permit from 'user4' to 'all'
	permit from 'user5' to 'all'
	permit from 'user6' to 'all'
	permit from 'user7' to 'all'
	permit from 'user8' to 'all'

On LAN2 interface:
	permit from all to 'LAN1' subnet
	permit from all to 'LAN3' subnet
	permit from all to 'LAN4' subnet
	permit from all to 'LAN5' subnet
	permit from all to 'LAN6' subnet
	permit from all to 'LAN7' subnet
	permit from all to 'LAN8' subnet
	permit from all to 'LAN9' subnet
	permit from all to 'LAN10' subnet
	permit from 'user1' to 'all'
	permit from 'user2' to 'all'
	permit from 'user3' to 'all'
	permit from 'user4' to 'all'
	permit from 'user5' to 'all'
	permit from 'user6' to 'all'

And so on...

And if a new network is added on a router, I must reconfigure and permit this
subnet to all the others..
And I always have to check whether there is some new network..

This is too confusing a configuration...

With 'out' filtering I can permit only the users which I want to go to the
Internet and set this configuration on only one interface.
Any newly added network can access all other LAN networks without needing to
change the configuration, but they cannot go out to the WAN interface if I
didn't set a permit for the new users on the new network.





-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Thursday, March 31, 2005 10:07 PM
Cc: Monowall Develop
Subject: Re: [m0n0wall-dev] why only 'IN' firewall rules?


On Thu, 31 Mar 2005 21:34:59 +0200, marijan <mjakara at xnet dot hr> wrote:
> 
> In this case I must block all host (existing or not existing) on all
> interfaces (four).

No you don't.  This is very easy.  On each LAN interface permit all only
to the subnets of the other LANs and permit the hosts you want to get
to the internet to get to anything and let everything else hit the
default deny.  I don't see where out rules would be beneficial at all.

It's a lot cleaner to only maintain rules in one direction, and there
isn't any situation that can't be addressed this way.

-Chris
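The two rule layouts argued about in this thread, modelled as an added example (this is not code from the thread, nor m0n0wall's own rule syntax or generator; it only reproduces first-match evaluation with a per-interface default deny). All addresses, LAN names and the "Internet user" lists are constructed for the example. Chris's layout builds one inbound rule set per LAN interface; marijan's puts a single outbound rule set on WAN and leaves LAN-to-LAN traffic unfiltered. The last function shows what each layout does for a freshly added LAN before anyone edits the older rule sets, which is the maintenance point marijan raises:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample addressing (not from the thread): four LANs and a stand-in
# WAN destination taken from the TEST-NET-3 documentation range.
LANS = {f"LAN{i}": ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(1, 5)}
INTERNET_HOST = "203.0.113.5"
# Constructed: the hosts on each LAN that are allowed to reach the Internet.
INTERNET_USERS = {
    "LAN1": ["10.0.1.10", "10.0.1.11"],
    "LAN2": ["10.0.2.10"],
    "LAN3": [],
    "LAN4": ["10.0.4.10"],
}


def host(addr):
    """Single-host network (/32) for use as a rule source."""
    return ipaddress.ip_network(f"{addr}/32")


def first_match(rules, src, dst):
    """Evaluate a rule list top to bottom; an unmatched packet hits the default deny."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return "block"


def build_in_tables(lans, users):
    """Chris's layout: per LAN interface, permit all to the other LAN subnets,
    permit the chosen hosts to anything, and let the rest hit the default deny."""
    tables = {}
    for name, net in lans.items():
        rules = [Rule("pass", net, other) for oname, other in lans.items() if oname != name]
        rules += [Rule("pass", host(h), ANY) for h in users.get(name, [])]
        tables[name] = rules
    return tables


def build_wan_out_rules(users):
    """marijan's layout: one outbound rule set on WAN listing the permitted hosts."""
    return [Rule("pass", host(h), ANY) for hosts in users.values() for h in hosts]


def decide_in_model(tables, lans, src, dst):
    """Inbound filtering: the packet is judged by the rule set of the LAN it enters from."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_lan = next((n for n, net in lans.items() if src in net), None)
    if src_lan is None or src_lan not in tables:
        return "block"
    return first_match(tables[src_lan], src, dst)


def decide_out_model(wan_rules, lans, src, dst):
    """Outbound filtering on WAN: LAN-to-LAN traffic never reaches that rule set."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(dst in net for net in lans.values()):
        return "pass"
    return first_match(wan_rules, src, dst)


def rule_count(tables):
    return sum(len(rules) for rules in tables.values())


def new_lan_before_reconfig(lans, in_tables, wan_rules, name, cidr, old_host, new_host):
    """Add a LAN and ask both models about it while the existing rule sets are untouched.
    The new interface gets an empty (deny-all) inbound table of its own."""
    new_lans = dict(lans, **{name: ipaddress.ip_network(cidr)})
    new_tables = dict(in_tables, **{name: []})
    return {
        "in_old_to_new": decide_in_model(new_tables, new_lans, old_host, new_host),
        "out_old_to_new": decide_out_model(wan_rules, new_lans, old_host, new_host),
        "in_new_to_internet": decide_in_model(new_tables, new_lans, new_host, INTERNET_HOST),
        "out_new_to_internet": decide_out_model(wan_rules, new_lans, new_host, INTERNET_HOST),
    }


IN_TABLES = build_in_tables(LANS, INTERNET_USERS)
WAN_OUT = build_wan_out_rules(INTERNET_USERS)

if __name__ == "__main__":
    print("inbound rules:", rule_count(IN_TABLES), "outbound rules:", len(WAN_OUT))
    print(new_lan_before_reconfig(LANS, IN_TABLES, WAN_OUT, "LAN5", "10.0.5.0/24",
                                  "10.0.1.50", "10.0.5.7"))
```

For the four sample LANs both layouts give identical answers for existing traffic (a listed host reaches the Internet, an unlisted one is denied there but can still reach the other LANs), so Chris is right that inbound-only rules express the policy. The difference is in the rule volume (sixteen inbound rules versus four outbound ones here, and the inbound count grows with the square of the number of LANs) and in what happens when LAN5 appears: under the inbound layout a LAN1 host cannot reach LAN5 until every older interface's rule set is edited, whereas under the outbound layout LAN5 is reachable at once and its hosts are still denied Internet access until someone permits them.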
