 From:  "marijan" <mjakara at xnet dot hr>
 To:  "'Monowall Develop'" <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: FW: [m0n0wall-dev] why only 'IN' firewall rules?
 Date:  Fri, 1 Apr 2005 07:45:07 +0200
Ok, you prefer simplicity, but I prefer a good firewall, not only 'IN'
filtering...

If you check the FreeBSD ipf(8) filter utility, you will see that it includes
commands like this: 'block out quick on xxx from xxx to xxx', and monowall
uses this utility to set filtering..

Why does the 'ipf' utility have an 'out' rule?  Who needs this?.. The programmers of 'ipf'
spent unnecessary time programming that. :)

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Thursday, March 31, 2005 11:16 PM
Cc: Monowall Develop
Subject: Re: FW: [m0n0wall-dev] why only 'IN' firewall rules?


On Thu, 31 Mar 2005 22:58:05 +0200, marijan <mjakara at xnet dot hr> wrote:
> 
> 
> I got situation something like this.
> 
>                   Internet (WAN)
>                        |
>        _____   (my router) _____         ______
> router_______router______LAN9
> LAN1              |        |          LAN2              |
> |
>                  |        |                    |               |
>                LAN3    LAN4                    LAN8            LAN10
>                  |
>                  |
> LAN5    ______  router____LAN6
>                 |
>                 |
>                LAN7
> 
> On LAN1 - 8 internet users
> On LAN2 - 6 internet users
> On LAN3 - 4 internet users
> On LAN4 - 1 internet user
> On LAN5 - 5 internet users
> On LAN6 - no users
> On LAN7 - 3 Internet users
> On LAN8 - 2 Internet users
> On LAN9 - no internet users
> On LAN10 - 4 internet users
> 
> 
> If I only use IN filtering I must:
> 
> On LAN1 interface:
>        permit from 'all' to 'LAN2' subnet
>        permit from 'all' to 'LAN3' subnet
>        permit from 'all' to 'LAN4' subnet
>        permit from 'all' to 'LAN5' subnet
>        permit from 'all' to 'LAN6' subnet
>        permit from 'all' to 'LAN7' subnet
>        permit from 'all' to 'LAN8' subnet
>        permit from 'all' to 'LAN9' subnet
>        permit from 'all' to 'LAN10' subnet
>        permit from 'user1' to 'all'
>        permit from 'user2' to 'all'
>        permit from 'user3' to 'all'
>        permit from 'user4' to 'all'
>        permit from 'user5' to 'all'
>        permit from 'user6' to 'all'
>        permit from 'user7' to 'all'
>        permit from 'user8' to 'all'
> 
> On LAN2 interface:
>        permit from all to 'LAN1' subnet
>        permit from all to 'LAN3' subnet
>        permit from all to 'LAN4' subnet
>        permit from all to 'LAN5' subnet
>        permit from all to 'LAN6' subnet
>        permit from all to 'LAN7' subnet
>        permit from all to 'LAN8' subnet
>        permit from all to 'LAN9' subnet
>        permit from all to 'LAN10' subnet
>        permit from 'user1' to 'all'
>        permit from 'user2' to 'all'
>        permit from 'user3' to 'all'
>        permit from 'user4' to 'all'
>        permit from 'user5' to 'all'
>        permit from 'user6' to 'all'
> 

If you number your network appropriately per generally accepted best
practices, you'll be able to summarize LAN1-LAN10 with one CIDR mask,
and hence have one rule.  Which would even include subnets you don't use
yet, but are within the range you've planned to use in the future.  If
you can assign the internet users within another CIDR-summarizable block
on each subnet, then you only need two rules on each interface.

Out rules could make a situation like this very slightly easier, but
overall it has the potential to create huge problems, and complex
rulesets that become much more difficult to manage.

-Chris
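As an added illustration (not part of the thread, and not m0n0wall or ipf code), here is Chris's summarisation argument worked through with Python's ipaddress module: the LAN1-LAN10 subnets, the interface name xl0 and the rendered ipf rule text are all constructed assumptions, since the thread never gives the poster's real addressing.

```python
# Added example: how the numbering plan decides how many inbound rules an
# interface needs. Subnets, interface name and rule text are constructed.
import ipaddress

# Constructed plans for LAN1..LAN10 (not the poster's real addressing).
PLANNED = [f"10.0.{i}.0/24" for i in range(1, 11)]          # contiguous block
UNPLANNED = ["192.168.1.0/24", "10.5.0.0/24", "172.16.3.0/24",
             "192.168.50.0/24", "10.9.9.0/24"]              # scattered numbering


def smallest_supernet(nets):
    """Smallest single prefix covering every network in nets. As the reply
    notes, this also admits space you have planned but not yet assigned."""
    nets = [ipaddress.ip_network(n) for n in nets]
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    cand = ipaddress.ip_network(f"{low}/{low.max_prefixlen}")
    while high not in cand:            # widen one bit at a time until it fits
        cand = cand.supernet()
    return cand


def exact_summary(nets):
    """Merge only adjacent, aligned pairs; never admits unassigned space."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))


def inbound_rules(iface, nets, strategy="supernet"):
    """Render ipf-style 'pass in' rules on iface for traffic bound for the
    other LANs, under the chosen summarisation strategy (xl0 is assumed)."""
    if strategy == "supernet":
        targets = [smallest_supernet(nets)]
    elif strategy == "exact":
        targets = exact_summary(nets)
    else:
        targets = [ipaddress.ip_network(n) for n in nets]     # one rule per LAN
    return [f"pass in quick on {iface} from any to {t}" for t in targets]


def slack_addresses(nets):
    """Addresses the single supernet admits beyond the listed networks; a
    huge number means the numbering plan cannot be summarised safely."""
    listed = sum(ipaddress.ip_network(n).num_addresses for n in nets)
    return smallest_supernet(nets).num_addresses - listed


if __name__ == "__main__":
    for label, plan in (("planned", PLANNED), ("unplanned", UNPLANNED)):
        print(label, "per-LAN:", len(inbound_rules("xl0", plan, "per-lan")),
              "exact:", len(inbound_rules("xl0", plan, "exact")),
              "supernet:", inbound_rules("xl0", plan)[0],
              "slack:", slack_addresses(plan))
```

With the contiguous plan one /20 rule replaces ten per-LAN rules at the cost of 1536 not-yet-used addresses; with scattered numbering the only single covering prefix is 0.0.0.0/0, which is no filter at all.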
