 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Ivan Sie <i dot sie at masc dot nl>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Default rules on non-WAN-side too permissive?
 Date:  Wed, 17 Nov 2004 18:08:01 +0100
On 17.11.2004 12:12 +0100, Ivan Sie wrote:

> -------------------------------------------------------------------------------
> LAN interface
> 	Proto		Source	Port	Dest	Port
> BLOCK	ICMP		LAN net	*	*	*		(block all ICMP)
> BLOCK	TCP		LAN net	*	*	*		(block all tcp)
> -------------------------------------------------------------------------------
> So, "ping 10.0.1.1" should not be possible from the LAN-side.

There's an implicit default rule that allows connections from LAN to
m0n0wall itself regardless of the filter rule set. If we didn't have
that, this list would quickly get swamped with messages saying "help,
I locked myself out of the webGUI by applying stupid filter rules!".
As of 1.2b1, this feature can be disabled (System: Advanced: disable
anti-lockout rule).

I can't see why you should need to do that - if you've got the bad
guys on the LAN side, you have bigger things to worry about. The
anti-lockout rule doesn't apply to optional interfaces, so as long as
you don't have any rules on OPT1 that allow them, all connections
from OPT1 to m0n0wall itself will be blocked.

> The rules are indeed contradicting (passing packets for port 3389
> on the WAN side, but refusing return packets from the LAN side).

That won't work. m0n0wall does stateful packet filtering, which means
that once a packet has been allowed by a filter rule, all packets in
the other direction that correspond to the same connection are
allowed, no matter what the ruleset says.

This means that you can access OPT1 from LAN even though you don't
have any rules for OPT1 (or only block rules). OPT1 hosts won't be
able to make any connections of their own, though.

- Manuel
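The two behaviours Manuel describes above, the implicit anti-lockout rule and stateful return-traffic matching, as an added toy model (example code, not m0n0wall's filter or anything from this thread). The interfaces, addresses, the WAN pass rule for port 3389 and the rule format are constructed assumptions; the LAN block rules follow Ivan's quoted table.

```python
"""Toy model of stateful filtering with an anti-lockout rule (constructed, not m0n0wall code).
Rules: (inbound_iface, proto, action), first match wins, '*' = any proto, unmatched = block."""
from collections import namedtuple

FIREWALL_LAN_IP = "10.0.1.1"  # constructed: the firewall's own LAN address
Packet = namedtuple("Packet", "iface proto src sport dst dport")  # iface = arrival interface

def flow_key(pkt):
    # Direction-independent key so the reply packet matches the same state entry.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

class StatefulFilter:
    def __init__(self, rules, anti_lockout=True):
        self.rules, self.anti_lockout = rules, anti_lockout
        self.states = set()  # flows already allowed; matched in both directions

    def decide(self, pkt):
        if flow_key(pkt) in self.states:
            return "pass (state)"  # reply traffic: the ruleset is not consulted
        if self.anti_lockout and pkt.iface == "LAN" and pkt.dst == FIREWALL_LAN_IP:
            self.states.add(flow_key(pkt))
            return "pass (anti-lockout)"
        for iface, proto, action in self.rules:
            if iface == pkt.iface and proto in (pkt.proto, "*"):
                if action == "pass":
                    self.states.add(flow_key(pkt))
                return action
        return "block"  # no matching rule: default deny

# Ivan's LAN rules from the quoted mail plus a constructed WAN pass for port 3389.
IVAN_RULES = [("WAN", "tcp", "pass"), ("LAN", "icmp", "block"), ("LAN", "tcp", "block")]
DEFAULT_RULES = [("LAN", "*", "pass")]  # stock "LAN to any" rule; no rules on OPT1

def run_scenarios():
    fw, r = StatefulFilter(IVAN_RULES), {}
    # 1. LAN host pings the firewall: blocked by Ivan's rule, passed by anti-lockout.
    ping = Packet("LAN", "icmp", "10.0.1.5", 0, FIREWALL_LAN_IP, 0)
    r["ping_fw"] = fw.decide(ping)
    r["ping_fw_no_lockout"] = StatefulFilter(IVAN_RULES, anti_lockout=False).decide(ping)
    # 2. RDP from WAN is passed by rule; the LAN block rule cannot stop the return packets.
    r["rdp_in"] = fw.decide(Packet("WAN", "tcp", "203.0.113.7", 40000, "10.0.1.20", 3389))
    r["rdp_reply"] = fw.decide(Packet("LAN", "tcp", "10.0.1.20", 3389, "203.0.113.7", 40000))
    # 3. Stock rules: LAN reaches OPT1 and gets replies, but OPT1 cannot initiate anything.
    fw2 = StatefulFilter(DEFAULT_RULES)
    r["lan_to_opt1"] = fw2.decide(Packet("LAN", "tcp", "10.0.1.5", 50000, "10.0.2.10", 80))
    r["opt1_reply"] = fw2.decide(Packet("OPT1", "tcp", "10.0.2.10", 80, "10.0.1.5", 50000))
    r["opt1_initiates"] = fw2.decide(Packet("OPT1", "tcp", "10.0.2.10", 51000, "10.0.1.5", 22))
    return r
```

Calling `run_scenarios()` returns the verdict for each packet; the `ping_fw_no_lockout` case models the 1.2b1 "disable anti-lockout rule" option mentioned above.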