 
 From:  Jan Normann Nielsen <lists at dubbekarl dot dk>
 To:  Dave Warren <maillist at devilsplayground dot net>
 Cc:  Graham Dunn <gdunn at inscriber dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Dropping NAT'ed connections or banning traffic through m0n0wall
 Date:  Thu, 28 Oct 2004 13:30:04 +0200
Dave Warren wrote:

>>>>    2. Ban all traffic from a LAN IP address for a certain amount of 
>>>> time.
>>>>     
>>>
>> Can I ask why you want #1? If you do #2 properly, the net result is 
>> that no more traffic will be passed and the sessions will eventually 
>> time out.
>>
>> Anyways, see http://www.phildev.net/ipf/IPFques.html#26 for the 
>> answer to #1.
>>
>> The simplest case for #2:
>>
>> In exec.php, you would do
>>
>> echo "@2 block in quick on LANINTERFACE from x.x.x.x/32 to any" | ipf -f -
>>
>> If you have complicated firewall rules, you'll need to figure out 
>> where the rule should go and with which group (if any). 
>
>    1. Drop all of the firewall's NAT'ed connections for a certain LAN IP.
> Since m0n0wall's rules are stateful, accomplishing #2 without #1 
> wouldn't be a complete solution -- Any already-established connection 
> would be allowed to continue.

And since #1 cannot be done with ipf, all this is impossible to do.

Best regards,
Jan Nielsen
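An added example, not from this thread and not m0n0wall or IPFilter project code, that wraps the "@2 block in quick" one-liner quoted from Graham Dunn above. Because exec.php feeds the rule text to ipf as root, the address is checked for being a plain dotted-quad before it is spliced into the rule, and the same rule is removed again with ipf -r so the ban can be time-limited (item #2). The interface name sis0, rule slot 2, the IPF override used for dry runs, and the function names are assumptions. As the replies above point out, adding a block rule does not touch state already in the table, so an established session can continue until it times out.

```shell
#!/bin/sh
# Timed ban of one LAN address via an ipf block rule.
# Assumptions (not from the thread): LAN interface "sis0", rule slot 2,
# and an $IPF override (IPF=echo) so the script can be dry-run without ipf.

LAN_IF="${LAN_IF:-sis0}"    # assumed LAN interface name
RULE_NUM="${RULE_NUM:-2}"   # rule slot used by the quoted one-liner
IPF="${IPF:-ipf}"           # set IPF=echo to see the commands instead of running them

# Accept only a plain IPv4 dotted quad. The value ends up inside a rule that
# ipf loads as root, so anything else (spaces, extra rule text) is rejected.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# The rule text from the thread, with the interface and slot filled in.
block_rule() {
    printf '@%s block in quick on %s from %s/32 to any\n' "$RULE_NUM" "$LAN_IF" "$1"
}

# Add the block rule (ipf -f - reads rules from stdin).
ban_ip() {
    valid_ipv4 "$1" || { echo "ban_ip: bad address: $1" >&2; return 1; }
    block_rule "$1" | "$IPF" -f -
}

# Remove the same rule again (ipf -r removes the rules it reads).
unban_ip() {
    valid_ipv4 "$1" || { echo "unban_ip: bad address: $1" >&2; return 1; }
    block_rule "$1" | "$IPF" -rf -
}

# Ban for a number of seconds, then lift the rule in the background.
# Existing state entries for the address are not affected by this.
ban_for() {
    ip=$1; secs=$2
    ban_ip "$ip" || return 1
    ( sleep "$secs"; unban_ip "$ip" ) &
}

# Usage: sh ban.sh 192.168.1.50 600
if [ "$#" -eq 2 ]; then
    ban_for "$1" "$2"
fi
```

Run it with IPF=echo first to confirm the exact rule text that would be handed to ipf, then drop the override on the firewall itself. If the rule set already has other rules in slot 2, change RULE_NUM so the block rule lands where it has to be evaluated first.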