RP Smith wrote:
>> The "trusted" network can connect to the untrusted network,
>> but the untrusted network can't talk to the trusted network.
>
> What rules do you have to accomplish the above? Also, if you VPN to the
> m0n0wall, can you get to both networks thru the VPN? If so, how do you
> make that work?

LAN has 192.168.0.0/24
OPT1 has 192.168.1.0/24

LAN has a normal "LAN --> ANY" rule.
OPT1 has an "If destination is not 192.168.0.0/24, allow all" rule.

I also have PPTP listening on m0n0wall, so someone from OPT1 (or WAN) can PPTP into m0n0wall, and the PPTP VPN can communicate with both LAN and OPT1.

Since the firewall rules are stateful, once LAN establishes a TCP connection to OPT1, the traffic is allowed to go both ways, but an OPT1 machine can't establish a connection to LAN.

--
And sometimes I park, in handicapped spaces,
While handicapped people, make handicapped faces!
-- Denis Leary
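The two rules above, modelled as a small stateful filter so the asymmetry is visible: a LAN-initiated flow creates a state entry that lets OPT1 reply, while an OPT1 host has no rule that lets it open a connection toward 192.168.0.0/24. This is an added illustration, not m0n0wall's own code; the interface names, packet fields and the simplified state key (no protocol, no timeouts) are assumptions for the model.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the post; interface names are assumed labels for the model.
LAN = ipaddress.ip_network("192.168.0.0/24")
OPT1 = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "LAN" or "OPT1"
    src: str
    dst: str
    sport: int
    dport: int


# Rule on LAN: "LAN --> ANY".
def rule_lan(p: Packet) -> bool:
    return p.iface == "LAN"


# Rule on OPT1: "if destination is not 192.168.0.0/24, allow all".
def rule_opt1(p: Packet) -> bool:
    return p.iface == "OPT1" and ipaddress.ip_address(p.dst) not in LAN


RULES = [rule_lan, rule_opt1]


class StatefulFilter:
    """Simplified stateful filter: a packet passed by a rule records its
    flow, and packets belonging to a recorded flow (either direction)
    pass without consulting the per-interface rules again."""

    def __init__(self) -> None:
        self.state: set[tuple[str, int, str, int]] = set()

    @staticmethod
    def _key(p: Packet) -> tuple[str, int, str, int]:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple[str, int, str, int]:
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        if self._key(p) in self.state or self._reverse(p) in self.state:
            return "pass (state)"      # existing flow, including replies
        if any(rule(p) for rule in RULES):
            self.state.add(self._key(p))
            return "pass (rule)"       # new flow admitted by a rule
        return "block"                 # default deny
```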