This can be done with two rules.

First create the rule to allow traffic to SMTP on LAN. The only thing
wrong with the rule you have below is that the source port should be
any, not 25. Your Linux box is listening on 25; the clients talking to
it are using a random port. I don't do this with my SMTP, but I do
with NTP (port 123).

Then, to allow access from OPT1 to the Internet, create the following
rule:

  Action: Pass
  Interface: OPT1
  Protocol: any
  Source: OPT1 subnet
  Source port range from: any to: any
  Destination: not (check the box) LAN subnet
  Destination port range from: any to: any
  Description: Default OPT1 -> Any (not LAN)

This should be the last rule in the OPT1 list.

_________________________________
James W. McKeand

-----Original Message-----
From: Bryan Brayton [mailto:bryan at sonicburst dot net]
Sent: Friday, November 19, 2004 11:14 PM
To: Joe Lagreca; Monowall List
Subject: RE: [m0n0wall] rule functionality clarification

Joe, in your "blocks access from OPT1 to LAN" rule, have you tried
changing the source from * to Opt1 Net?

-Bryan

> -----Original Message-----
> From: Joe Lagreca [mailto:lagreca at gmail dot com]
> Sent: Friday, November 19, 2004 10:51 PM
> To: Monowall List
> Subject: [m0n0wall] rule functionality clarification
>
> I've got what should be a simple problem, but I can't seem to
> understand how m0n0 handles rules to get it accomplished.
>
> SITUATION: My office is on interface LAN. My clients are on
> interface OPT1. I don't want my clients getting into LAN. However,
> they need to use my SMTP server, which is on LAN.
>
> IMPLEMENTATION:
>
> LAN interface rules:
> Proto  Source    Port  Destination  Port  Description
> --------------------------------------------------------------------
> *      LAN net   *     *            *     Default LAN -> any
>
> OPT1 interface rules:
> Proto  Source    Port       Destination   Port       Description
> --------------------------------------------------------------------
> TCP    OPT1 net  25 (SMTP)  192.168.1.50  25 (SMTP)  OPT1 SMTP -> LAN linux box
> *      *         *          LAN net       *          blocks access from OPT1 to LAN
> *      OPT1 net  *          *             *          Allows internet access for OPT1
>
> PROBLEM: If I enable the 2nd OPT1 rule, which is a block rule, it
> blocks all traffic to LAN, even the rule above it to allow SMTP
> traffic to pass. I thought m0n0wall processed rules from the top
> down, giving rules on top priority.
>
> I need to find some way to block OPT1 users from accessing LAN, except
> for SMTP, but allow them Internet access via WAN. Any help/ideas
> would be GREATLY appreciated. Thanks.
>
> Joe
> Halogen8
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
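The following is an added illustration, not part of the thread and not m0n0wall code: a small first-match rule evaluator that replays both OPT1 rule sets (Joe's original and James's two-rule replacement) against the same three connections. It shows why the original SMTP rule never matches a real client (the client's source port is random, not 25), so the block rule beneath it fires, and why the corrected set passes SMTP, blocks other LAN traffic by the implicit default deny, and still passes Internet traffic. The address ranges are constructed assumptions: LAN is taken to be 192.168.1.0/24 (the mail server 192.168.1.50 is on it) and OPT1 is taken to be 192.168.2.0/24; the Packet and Rule types are hypothetical helpers for this example only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumptions; the thread only names the mail server 192.168.1.50.
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.2.0/24")
SMTP_HOST = ip_network("192.168.1.50/32")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: Optional[str] = None     # None means any protocol
    src: Optional[object] = None    # ip_network, or None for any source
    sport: Optional[int] = None     # None means any source port
    dst: Optional[object] = None    # ip_network, or None for any destination
    dport: Optional[int] = None     # None means any destination port
    dst_not: bool = False           # the "not" checkbox on Destination
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in self.src:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dst is not None:
            in_dst = ip_address(pkt.dst) in self.dst
            # With dst_not set, the rule matches only when dst is OUTSIDE the net.
            if in_dst == self.dst_not:
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules, pkt: Packet):
    """Top-down, first match wins; anything unmatched hits the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# Joe's original OPT1 rules, as listed in his mail.
JOES_OPT1_RULES = [
    Rule("pass", "tcp", OPT1_NET, 25, SMTP_HOST, 25, descr="OPT1 SMTP -> LAN linux box"),
    Rule("block", None, None, None, LAN_NET, None, descr="blocks access from OPT1 to LAN"),
    Rule("pass", None, OPT1_NET, None, None, None, descr="Allows internet access for OPT1"),
]

# James's replacement: SMTP pass with source port any, then pass to "not LAN subnet".
JAMES_OPT1_RULES = [
    Rule("pass", "tcp", OPT1_NET, None, SMTP_HOST, 25, descr="OPT1 SMTP -> LAN linux box"),
    Rule("pass", None, OPT1_NET, None, LAN_NET, None, dst_not=True,
         descr="Default OPT1 -> Any (not LAN)"),
]

# Constructed sample connections from an OPT1 client using ephemeral source ports.
SMTP_FROM_CLIENT = Packet("tcp", "192.168.2.10", 49152, "192.168.1.50", 25)
WEB_TO_LAN = Packet("tcp", "192.168.2.10", 49153, "192.168.1.20", 80)
WEB_TO_INTERNET = Packet("tcp", "192.168.2.10", 49154, "198.51.100.7", 80)


if __name__ == "__main__":
    for name, rules in (("Joe", JOES_OPT1_RULES), ("James", JAMES_OPT1_RULES)):
        for pkt in (SMTP_FROM_CLIENT, WEB_TO_LAN, WEB_TO_INTERNET):
            action, why = evaluate(rules, pkt)
            print(f"{name:5} {pkt.dst}:{pkt.dport:<3} -> {action:5} ({why})")
```

Running it shows Joe's set blocking the SMTP connection on the "blocks access from OPT1 to LAN" rule, because rule 1 only matches when the client's source port happens to be 25, while James's set passes SMTP, drops the web connection to LAN on the default deny, and passes the Internet connection on the last rule.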