 From:  Ivan Sie <i dot sie at masc dot nl>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Default rules on non-WAN-side too permissive?
 Date:  Wed, 17 Nov 2004 12:12:31 +0100
When testing m0n0wall with multiple networks, I discovered that the default 
rules for non-WAN interfaces are somewhat permissive.

e.g.: 3 interfaces on m0n0wall:
		1. WAN	80.238.135.125 -> internet
		2. LAN	10.0.1.1 -> our office-LAN
		3. OPT1	10.0.2.1 -> our clients-LAN (other companies in the same building)

Portscanning from LAN or OPT1 to 10.0.1.1/10.0.2.1 showed that the ports were 
closed, i.e. the packets were by default REJECTED, not BLOCKED.
On the WAN interface, packets are blocked by default (which is how it should be, 
IMHO).

What's even worse, if I set the rules explicitly to block traffic, it still is 
not blocked.

Two examples:

1.
-------------------------------------------------------------------------------
LAN interface
        Proto   Source    Port   Dest   Port
BLOCK   ICMP    LAN net   *      *      *      (block all ICMP)
BLOCK   TCP     LAN net   *      *      *      (block all TCP)
-------------------------------------------------------------------------------
So, "ping 10.0.1.1" should not be possible from the LAN-side.
Yet, I still get replies.
Also, telnetting to any port on 10.0.1.1 reveals that the ports are REJECTED, 
not BLOCKED.

2.
-------------------------------------------------------------------------------
WAN interface
        Proto   Source    Port   Dest      Port
PASS    TCP     *         *      LAN net   3389   (allow all remote desktop connections to the LAN)
LAN interface
        Proto   Source    Port   Dest      Port
BLOCK   TCP     LAN net   3389   *         *      (block all remote desktop connections)

Port 3389 is port-NATted to one of the servers on the LAN-net.
-------------------------------------------------------------------------------
The rules are indeed contradictory (passing packets for port 3389 on the WAN 
side, but refusing return packets from the LAN side). But you could set up such 
a rule to 'catch' all clients who try to connect to your Remote Desktop, without 
giving an answer back.

Anyway, the LAN interface rule to block packets from the LAN seems to be ignored.

I really like the m0n0wall and find it very nice and simple, but I would really 
like to get what I ask the firewall to do.
Also, I would like to be able to see all 'hidden/default' rules. I'm more of a 
an iptables guy, but was attracted to m0n0wall's ease of use. The only problem is that 
m0n0wall's FreeBSD base makes it harder for me to understand the things I see 
when viewing http://m0n0wall/status.php.

Ivan Sie
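A simplified model of the stateful, first-match filtering behind example 2, added here as an illustration and not taken from m0n0wall's own code: the WAN pass rule creates a state entry, the state table is checked before any interface's rule list, so the LAN-side block rule only ever sees packets that belong to no existing flow. The 10.0.1.0/24 LAN net, the client/server addresses and the reject-on-LAN, block-on-WAN defaults are assumptions taken from the post.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Simplified model of a stateful, first-match packet filter, written to
# illustrate example 2 of the post; it is not m0n0wall's own code.
NETS = {"LAN net": ip_network("10.0.1.0/24")}   # LAN net as in the post
Packet = namedtuple("Packet", "iface proto src sport dst dport")
# In a Rule, "*" means any address and 0 means any port.
Rule = namedtuple("Rule", "iface action proto src sport dst dport",
                  defaults=("*", 0, "*", 0))

def _addr_ok(spec, addr):
    return spec == "*" or ip_address(addr) in NETS[spec]

def matches(rule, pkt):
    return (rule.iface == pkt.iface and rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.sport in (0, pkt.sport) and rule.dport in (0, pkt.dport))

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # flows admitted by a pass rule

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # The state table is consulted before the rule list, on every
        # interface, so a reply to an admitted flow never reaches the rules.
        if fwd in self.states or rev in self.states:
            return "pass (state)"
        for rule in self.rules:
            if matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(fwd)
                return rule.action
        # Defaults as observed in the post: block on WAN, reject elsewhere.
        return "block" if pkt.iface == "WAN" else "reject"

RULES = [Rule("WAN", "pass", "tcp", dst="LAN net", dport=3389),
         Rule("LAN", "block", "tcp", src="LAN net", sport=3389)]

def example2():
    fw = StatefulFilter(RULES)
    client, server = "203.0.113.9", "10.0.1.50"   # constructed addresses
    syn = Packet("WAN", "tcp", client, 40000, server, 3389)  # after port forward
    reply = Packet("LAN", "tcp", server, 3389, client, 40000)  # passes via state
    fresh = Packet("LAN", "tcp", server, 3389, "198.51.100.7", 5555)  # hits rule
    return fw.decide(syn), fw.decide(reply), fw.decide(fresh)
```

Only the third packet, a new flow that matches no state, is ever judged by the LAN block rule; the server's reply to the forwarded connection is admitted by the state the WAN rule created.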