On 16.11.2004 10:09 -0600, Dub Dublin wrote:

> Well, I've found a definite bug in m0n0wall itself, but working

No, you haven't (yet). ;)

> <type>pass</type> **NOTE THIS LINE IS MISSING IN ABOVE
> ENTRY**

This is for historical reasons. Before pb19, you could only define pass rules, and any packet that didn't match a pass rule was blocked. This is still the recommended way of writing filter rulesets (not only with m0n0wall) - default-to-deny. Unfortunately, since the rule language isn't 100% flexible, deny/block rules sometimes have to be used to avoid having to create large numbers of similar pass rules. For this reason, rules without a "type" are treated as pass rules, and I can't see a problem with it.

Again, if at all possible, use pass rules only - any decent book on packet filtering will tell you this.

> but the firewall will still not answer for the Inbound NAT services
> on the WAN port, even after this is fixed.

...which means your problem is somewhere else.

- Manuel
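The behaviour described in the message above (a rule with no "type" counts as a pass rule, and anything no rule matches is blocked) can be modelled as below. This is an added example, not part of the original message and not m0n0wall code; every element name except `<type>`, the sample ruleset, the first-match evaluation order and the helper names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample ruleset. Only <type> appears in the thread; the other
# element names are hypothetical stand-ins for a rule's match fields.
SAMPLE = """
<filter>
  <rule><type>block</type><proto>tcp</proto><dport>25</dport><descr>no smtp</descr></rule>
  <rule><proto>tcp</proto><dport>80</dport><descr>web, no type element</descr></rule>
  <rule><type>pass</type><proto>tcp</proto><dport>443</dport><descr>https</descr></rule>
</filter>
"""

def load_rules(xml_text):
    """Parse rules, applying the legacy default: a missing type means pass."""
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        explicit = (node.findtext("type") or "").strip()
        rules.append({
            "action": explicit or "pass",      # rules without a type are pass rules
            "explicit_type": bool(explicit),
            "proto": node.findtext("proto"),
            "dport": int(node.findtext("dport")),
            "descr": node.findtext("descr", default=""),
        })
    return rules

def decide(rules, proto, dport):
    """Return the action for a packet; first matching rule wins (assumed)."""
    for rule in rules:
        if rule["proto"] == proto and rule["dport"] == dport:
            return rule["action"]
    return "block"                             # default-to-deny: no match, no pass

def audit(rules):
    """List rules worth a second look in a pass-only, default-deny ruleset."""
    findings = []
    for index, rule in enumerate(rules):
        if not rule["explicit_type"]:
            findings.append((index, "implicit-pass", rule["descr"]))
        elif rule["action"] != "pass":
            findings.append((index, "non-pass", rule["descr"]))
    return findings

if __name__ == "__main__":
    loaded = load_rules(SAMPLE)
    for probe in (("tcp", 25), ("tcp", 80), ("tcp", 443), ("tcp", 22)):
        print(probe, "->", decide(loaded, *probe))
    for finding in audit(loaded):
        print("review:", finding)
```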