 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  Monowall Develop <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: FW: [m0n0wall-dev] why only 'IN' firewall rules?
 Date:  Thu, 31 Mar 2005 16:16:20 -0500
On Thu, 31 Mar 2005 22:58:05 +0200, marijan <mjakara at xnet dot hr> wrote:
> 
> 
> I got situation something like this.
> 
>                   Internet (WAN)
>                        |
>        _____   (my router) _____         ______
> router_______router______LAN9
> LAN1              |        |          LAN2              |
> |
>                  |        |                    |               |
>                LAN3    LAN4                    LAN8            LAN10
>                  |
>                  |
> LAN5    ______  router____LAN6
>                 |
>                 |
>                LAN7
> 
> On LAN1 - 8 internet users
> On LAN2 - 6 internet users
> On LAN3 - 4 internet users
> On LAN4 - 1 internet user
> On LAN5 - 5 internet users
> On LAN6 - no users
> On LAN7 - 3 Internet users
> On LAN8 - 2 Internet users
> On LAN9 - no internet users
> On LAN10 - 4 internet users
> 
> 
> If I only use IN filtering I must:
> 
> On LAN1 interface:
>        permit from 'all' to 'LAN2' subnet
>        permit from 'all' to 'LAN3' subnet
>        permit from 'all' to 'LAN4' subnet
>        permit from 'all' to 'LAN5' subnet
>        permit from 'all' to 'LAN6' subnet
>        permit from 'all' to 'LAN7' subnet
>        permit from 'all' to 'LAN8' subnet
>        permit from 'all' to 'LAN9' subnet
>        permit from 'all' to 'LAN10' subnet
>        permit from 'user1' to 'all'
>        permit from 'user2' to 'all'
>        permit from 'user3' to 'all'
>        permit from 'user4' to 'all'
>        permit from 'user5' to 'all'
>        permit from 'user6' to 'all'
>        permit from 'user7' to 'all'
>        permit from 'user8' to 'all'
> 
> On LAN2 interface:
>        permit from all to 'LAN1' subnet
>        permit from all to 'LAN3' subnet
>        permit from all to 'LAN4' subnet
>        permit from all to 'LAN5' subnet
>        permit from all to 'LAN6' subnet
>        permit from all to 'LAN7' subnet
>        permit from all to 'LAN8' subnet
>        permit from all to 'LAN9' subnet
>        permit from all to 'LAN10' subnet
>        permit from 'user1' to 'all'
>        permit from 'user2' to 'all'
>        permit from 'user3' to 'all'
>        permit from 'user4' to 'all'
>        permit from 'user5' to 'all'
>        permit from 'user6' to 'all'
> 

If you number your network appropriately per generally accepted best
practices, you'll be able to summarize LAN1-LAN10 with one CIDR mask,
and hence have one rule.  Which would even include subnets you don't
use yet, but are within the range you've planned to use in the future.
If you can assign the internet users within another CIDR-summarizable
block on each subnet, then you only need two rules on each interface.

Out rules could make a situation like this very slightly easier, but
overall it has the potential to create huge problems, and complex
rulesets that become much more difficult to manage.

-Chris
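The two-rule-per-interface design Chris describes, worked through as an added example (this is not code from the thread or from m0n0wall). It assumes a constructed addressing plan: the ten LANs are consecutive /24s inside 10.1.0.0/20, so the whole site, including the six /24s not yet used, is one prefix; and on every LAN the hosts allowed out to the Internet sit in the .16/28 block, so "internet users" is one prefix per LAN too. The rule evaluator is a first-match pass/block model of inbound ("IN") interface rules with a default deny, which is the only thing the example needs from the firewall.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing plan (assumption, not from the post): LAN1..LAN10 are
# 10.1.0.0/24 .. 10.1.9.0/24, all inside the planned site aggregate 10.1.0.0/20.
LANS = {f"LAN{i}": ipaddress.ip_network(f"10.1.{i - 1}.0/24") for i in range(1, 11)}

# Constructed convention (assumption): on each LAN the internet users live in
# the .16/28 block (.16 - .31), so they can be matched with a single prefix.
USERS_OFFSET, USERS_PREFIX = 16, 28
ANY = ipaddress.ip_network("0.0.0.0/0")

Rule = namedtuple("Rule", "action src dst")  # evaluated first-match, like IN rules


def covering_prefix(networks):
    """Smallest single prefix that contains every given network.

    This is the 'one CIDR mask' Chris refers to: it also covers the address
    space between and after the networks, i.e. subnets planned but unused.
    """
    nets = sorted(networks, key=lambda n: int(n.network_address))
    lo = int(nets[0].network_address)
    hi = int(nets[-1].broadcast_address)
    for prefix in range(nets[0].max_prefixlen, -1, -1):
        cand = ipaddress.ip_network((lo, prefix), strict=False)
        if int(cand.broadcast_address) >= hi:
            return cand


def internet_user_block(lan):
    """The /28 inside the given LAN that holds its internet users (assumed plan)."""
    base = int(LANS[lan].network_address) + USERS_OFFSET
    return ipaddress.ip_network((base, USERS_PREFIX))


def ruleset_for(lan):
    """Two-rule inbound ruleset for one interface, plus the implicit default deny."""
    site = covering_prefix(LANS.values())
    return [
        Rule("pass", LANS[lan], site),                 # this LAN -> any internal subnet
        Rule("pass", internet_user_block(lan), ANY),   # internet users -> anywhere
        Rule("block", ANY, ANY),                       # default deny
    ]


def evaluate(rules, src, dst):
    """First matching rule decides; a packet matching nothing is blocked."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


if __name__ == "__main__":
    print("site aggregate:", covering_prefix(LANS.values()))
    for rule in ruleset_for("LAN1"):
        print(f"  {rule.action:5} from {rule.src} to {rule.dst}")
    # constructed sample packets arriving on the LAN1 interface
    for src, dst in [("10.1.0.5", "10.1.9.7"),      # LAN1 host -> LAN10
                     ("10.1.0.5", "10.1.12.1"),     # LAN1 host -> not-yet-used subnet
                     ("10.1.0.5", "203.0.113.9"),   # LAN1 non-user -> Internet
                     ("10.1.0.20", "203.0.113.9"),  # LAN1 internet user -> Internet
                     ("10.1.2.20", "203.0.113.9")]: # LAN3 address seen on LAN1 (spoof)
        print(f"  {src} -> {dst}: {evaluate(ruleset_for('LAN1'), src, dst)}")
```

Because the first rule's source is the interface's own subnet rather than "all", it doubles as an anti-spoofing check: a packet entering LAN1 with a LAN3 source address matches neither pass rule. The same design, with only the interface-specific prefixes swapped, covers every one of the ten LANs.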