 From:  Joe Lagreca <lagreca at gmail dot com>
 To:  "James W. McKeand" <james at mckeand dot biz>
 Cc:  Monowall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] rule functionality clarification
 Date:  Sat, 20 Nov 2004 10:26:25 -0800
Thank you all for pointing out the obvious to me.  It makes perfect
sense now, not to specify the source port, as it could be anything.

Sometimes I even amaze myself at how stupid I can be.  

Thanks for all your help, it's GREATLY appreciated!

Joe
Halogen8


On Sat, 20 Nov 2004 08:05:52 -0500, James W. McKeand <james at mckeand dot biz> wrote:
> This can be done with two rules.
> 
> First create the rule to allow traffic to SMTP on LAN. The only thing
> wrong with the rule you have below is that the source port should be any,
> not 25. Your Linux box is listening on 25; the clients talking to it
> are using a random port. I don't do this with my SMTP, but I do with
> NTP (port 123).
> 
> Then, to allow access from OPT1 to Internet create the following rule:
> 
> Action:  Pass
> Interface:  OPT1
> Protocol:  any
> Source:  OPT1 subnet
> Source port range  from:  any to:  any
> Destination:  not (check the box) LAN subnet
> Destination port range  from:  any to:  any
> Description:  Default OPT1 -> Any (not LAN)
> 
> This should be the last rule in the OPT1 list.
> 
> _________________________________
> James W. McKeand
> 
> 
> 
> 
> -----Original Message-----
> From: Bryan Brayton [mailto:bryan at sonicburst dot net]
> Sent: Friday, November 19, 2004 11:14 PM
> To: Joe Lagreca; Monowall List
> Subject: RE: [m0n0wall] rule functionality clarification
> 
> Joe, in your "blocks access from OPT1 to LAN" rule, have you tried
> changing the source from * to Opt1 Net?
> 
> -Bryan
> 
> > -----Original Message-----
> > From: Joe Lagreca [mailto:lagreca at gmail dot com]
> > Sent: Friday, November 19, 2004 10:51 PM
> > To: Monowall List
> > Subject: [m0n0wall] rule functionality clarification
> >
> > I've got what should be a simple problem, but I can't seem to
> > understand how m0n0 handles rules to get it accomplished.
> >
> > SITUATION:  My office is on interface LAN.  My clients are on
> > interface OPT1.  I don't want my clients getting into LAN.  However
> > they need to use my SMTP server which is on LAN.
> >
> > IMPLEMENTATION:
> >
> > LAN interface rules:
> > Proto   Source     Port   Destination   Port   Description
> > -------------------------------------------------------------------
> > *       LAN net    *      *             *      Default LAN -> any
> >
> > OPT1 interface rules:
> > Proto   Source     Port        Destination    Port        Description
> > ------------------------------------------------------------------------------------
> > TCP     OPT1 net   25 (SMTP)   192.168.1.50   25 (SMTP)   OPT1 SMTP -> LAN linux box
> > *       *          *           LAN net        *           blocks access from OPT1 to LAN
> > *       OPT1 net   *           *              *           Allows internet access for OPT1
> >
> > PROBLEM:  If I enable the 2nd OPT1 rule, which is a block rule, it
> > blocks all traffic to LAN, even the rule above it to allow SMTP
> > traffic to pass.  I thought m0n0wall processed rules from the top
> > down, giving rules on top priority.
> >
> > I need to find some way to block OPT1 users from accessing LAN, except
> > for SMTP, but allow them Internet access via WAN.  Any help/ideas
> > would be GREATLY appreciated.  Thanks.
> >
> > Joe
> > Halogen8
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 
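To see why Joe's SMTP rule never matched and why James's two rules fix it, here is an added example (not part of the thread or of m0n0wall's own code) that models m0n0wall's top-down, first-match rule evaluation in Python. The LAN and OPT1 subnets (192.168.1.0/24 and 192.168.2.0/24), the client address and the sample packets are assumed values; only the 192.168.1.50 mail server comes from the thread.

```python
import ipaddress
from collections import namedtuple

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet (holds the 192.168.1.50 SMTP box)
OPT1 = ipaddress.ip_network("192.168.2.0/24")  # assumed OPT1 (client) subnet
SMTP_HOST = ipaddress.ip_network("192.168.1.50/32")

# One row of the m0n0wall rule table. None means "*" (any);
# dst_not models the "not" checkbox on Destination.
Rule = namedtuple("Rule", "action proto src sport dst dport dst_not desc",
                  defaults=("any", None, None, None, None, False, ""))

def matches(r, proto, src, sport, dst, dport):
    if r.proto != "any" and r.proto != proto:
        return False
    if r.src is not None and ipaddress.ip_address(src) not in r.src:
        return False
    if r.sport is not None and r.sport != sport:
        return False
    if r.dst is not None and (ipaddress.ip_address(dst) in r.dst) == r.dst_not:
        return False                 # "not" inverts the destination match
    return r.dport is None or r.dport == dport

def evaluate(rules, pkt):
    """m0n0wall semantics: rules are read top down and the first match wins;
    a packet matching nothing is dropped by the implicit default deny."""
    for r in rules:
        if matches(r, *pkt):
            return r.action, r.desc
    return "block", "implicit default deny"

ORIGINAL = [   # Joe's OPT1 rules as posted: source port 25 in the SMTP rule
    Rule("pass", "tcp", OPT1, 25, SMTP_HOST, 25, desc="OPT1 SMTP -> LAN linux box"),
    Rule("block", dst=LAN, desc="blocks access from OPT1 to LAN"),
    Rule("pass", src=OPT1, desc="Allows internet access for OPT1"),
]
CORRECTED = [  # James's two rules: source port any, then "not LAN subnet" as the last rule
    Rule("pass", "tcp", OPT1, None, SMTP_HOST, 25, desc="OPT1 SMTP -> LAN linux box"),
    Rule("pass", src=OPT1, dst=LAN, dst_not=True, desc="Default OPT1 -> Any (not LAN)"),
]

# Constructed sample packets (proto, src, sport, dst, dport). Clients pick an
# ephemeral source port, so a rule demanding source port 25 never matches them.
MAIL = ("tcp", "192.168.2.10", 51234, "192.168.1.50", 25)    # client -> LAN SMTP
FILES = ("tcp", "192.168.2.10", 51235, "192.168.1.20", 445)  # client -> other LAN host
WEB = ("tcp", "192.168.2.10", 51236, "203.0.113.5", 80)      # client -> Internet

if __name__ == "__main__":
    for name, pkt in (("mail", MAIL), ("files", FILES), ("web", WEB)):
        print(f"{name}: original={evaluate(ORIGINAL, pkt)} corrected={evaluate(CORRECTED, pkt)}")
```

With the original rules the mail packet falls through to the block rule; with the corrected rules it passes, other LAN hosts hit the implicit deny, and Internet traffic still passes.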