On 17.11.2004 12:12 +0100, Ivan Sie wrote:

> -------------------------------------------------------------------------------
> LAN interface
> Proto  Source   Port  Dest  Port
> BLOCK  ICMP     LAN net  *  *  *  (block all ICMP)
> BLOCK  TCP      LAN net  *  *  *  (block all tcp)
> -------------------------------------------------------------------------------
> So, "ping 10.0.1.1" should not be possible from the LAN-side.

There's an implicit default rule that allows connections from LAN to m0n0wall itself regardless of the filter rule set. If we didn't have that, this list would quickly get swamped with messages saying "help, I locked myself out of the webGUI by applying stupid filter rules!".

As of 1.2b1, this feature can be disabled (System: Advanced: disable anti-lockout rule). I can't see why you should need to do that - if you've got the bad guys on the LAN side, you have bigger things to worry about.

The anti-lockout rule doesn't apply to optional interfaces, so as long as you don't have any rules on OPT1 that allow them, all connections from OPT1 to m0n0wall itself will be blocked.

> The rules are indeed contradicting (passing packets for port 3389
> on the WAN side, but refusing return packets from the LAN side).

That won't work. m0n0wall does stateful packet filtering, which means that once a packet has been allowed by a filter rule, all packets in the other direction that correspond to the same connection are allowed, no matter what the ruleset says. This means that you can access OPT1 from LAN even though you don't have any rules for OPT1 (or only block rules). OPT1 hosts won't be able to make any connections of their own, though.

- Manuel
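The three behaviours Manuel describes (anti-lockout rule, state winning over the ruleset, default deny on an interface with no rules) as a small stateful-filter model. This is an added illustration, not m0n0wall code; the addresses other than 10.0.1.1, the "LAN net" prefix and the scenario functions are constructed, and NAT is assumed to have already rewritten the inbound RDP packet.

```python
from collections import namedtuple

FIREWALL_IP = "10.0.1.1"   # the firewall's LAN address, from the quoted "ping 10.0.1.1"
LAN_NET = "10.0.1."        # constructed prefix standing in for the "LAN net" alias
# A packet as seen on its inbound interface; a rule is one row of the m0n0wall rule
# table (action, interface, proto, source, dest, dest port; "*" = any, port 0 = any).
Packet = namedtuple("Packet", "iface proto src sport dst dport")
Rule = namedtuple("Rule", "action iface proto src dst dport")

def _src_ok(rule_src, addr):
    return rule_src in ("*", addr) or (rule_src == "LAN net" and addr.startswith(LAN_NET))

class StatefulFilter:
    def __init__(self, rules, anti_lockout=True):
        self.rules, self.anti_lockout, self.states = rules, anti_lockout, set()
    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. Existing state wins over the ruleset: replies to an allowed connection
        #    pass even where the rules on the reply's interface say BLOCK.
        if fwd in self.states or rev in self.states:
            return "PASS (state)"
        # 2. Implicit anti-lockout rule: LAN -> the firewall itself is allowed regardless.
        if self.anti_lockout and p.iface == "LAN" and p.dst == FIREWALL_IP:
            self.states.add(fwd)
            return "PASS (anti-lockout)"
        # 3. First matching rule on the inbound interface decides; PASS creates state.
        for r in self.rules:
            if (r.iface == p.iface and r.proto in ("*", p.proto) and _src_ok(r.src, p.src)
                    and r.dst in ("*", p.dst) and r.dport in (0, p.dport)):
                if r.action == "PASS":
                    self.states.add(fwd)
                return r.action
        return "BLOCK (default)"  # 4. nothing matched: default deny, so OPT1 can't initiate

# Ivan's ruleset: block all ICMP and TCP from LAN net, pass RDP (3389) in on WAN.
IVAN_RULES = [Rule("BLOCK", "LAN", "ICMP", "LAN net", "*", 0),
              Rule("BLOCK", "LAN", "TCP", "LAN net", "*", 0),
              Rule("PASS", "WAN", "TCP", "*", "*", 3389)]

def ping_firewall_from_lan(anti_lockout=True):
    return StatefulFilter(IVAN_RULES, anti_lockout).filter(Packet("LAN", "ICMP", "10.0.1.5", 0, FIREWALL_IP, 0))

def rdp_from_wan_and_reply():   # NAT already done: the WAN packet is addressed to the LAN host
    fw = StatefulFilter(IVAN_RULES)
    inbound = fw.filter(Packet("WAN", "TCP", "203.0.113.7", 50000, "10.0.1.20", 3389))
    reply = fw.filter(Packet("LAN", "TCP", "10.0.1.20", 3389, "203.0.113.7", 50000))
    return inbound, reply

def lan_to_opt1_and_back():     # default "pass all" LAN rule, no rules at all on OPT1
    fw = StatefulFilter([Rule("PASS", "LAN", "*", "*", "*", 0)])
    out = fw.filter(Packet("LAN", "TCP", "10.0.1.5", 40000, "192.168.2.10", 80))
    back = fw.filter(Packet("OPT1", "TCP", "192.168.2.10", 80, "10.0.1.5", 40000))
    new = fw.filter(Packet("OPT1", "TCP", "192.168.2.10", 40001, "10.0.1.5", 22))
    return out, back, new
```

Disabling the anti-lockout rule turns the first scenario into a BLOCK; the RDP reply and the OPT1 reply still pass on state alone, while a fresh connection from OPT1 hits default deny.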