 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  "'Frederick Page'" <fpage at thebetteros dot oche dot de>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] unable to block LAN from OPT1
 Date:  Wed, 15 Dec 2004 17:52:51 -0500
Frederick Page wrote:
> Hello fisch,
> 
> fisch wrote on 15 December 2004:
> 
>>> LAN: block any protocol, source OPT1, destination any
>>>  "           "         , source network 192.168.101.0/24, to any
> 
>> check the order, rules are first match
> 
> I did, these are the first rules and no interface is bridged.
> 
> TIA  Frederick
> 

My recommendation is to start from scratch, i.e. "factory
default".

I would change the default LAN rule's destination from "any" to be
*NOT* "OPT1 Subnet":
Destination: Check the "not" and select "OPT1 Subnet"

Then add a rule for the OPT1 interface that allows from OPT1 subnet to
*NOT* "LAN Subnet": 
Action:  Pass
Interface:  OPT1 
Protocol:  any 
Source:  select "OPT1 Subnet" (leave "not" unchecked)
Source port range from:    any
                    to:    any
Destination:  Check the "not" and select "LAN Subnet"
Destination port range  from:    any
                          to:    any
Description: Default OPT1 -> Any (not LAN)

Then add any rules that your environment requires. These two rules
need to be the final rules on their respective interfaces.

These two rules logically state: Traffic on the LAN interface from the
LAN subnet is allowed to anywhere *BUT* the OPT1 subnet. And traffic
on the OPT1 interface from the OPT1 subnet is allowed to anywhere
*BUT* the LAN subnet.

_________________________________
James W. McKeand
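As an added illustration (not part of the thread, and not m0n0wall code), the following Python model reproduces the two facts the reply relies on: m0n0wall consults only the rules of the interface a packet arrives on, and within that list the first match wins, with an implicit deny if nothing matches. The OPT1 subnet 192.168.101.0/24 comes from the thread; the LAN subnet 192.168.1.0/24, the test addresses and the pass-any rule on OPT1 in the original poster's ruleset are assumptions made for the example.

```python
"""Model of m0n0wall firewall rule evaluation: rules are consulted only on the
interface a packet enters, the first matching rule wins, and a packet matching
no rule is dropped. Written for this note; not m0n0wall's own code."""
from ipaddress import ip_address, ip_network

# Interface subnets. OPT1 is from the thread; LAN is an assumed value.
SUBNETS = {
    "LAN": ip_network("192.168.1.0/24"),     # assumed
    "OPT1": ip_network("192.168.101.0/24"),  # from the thread
}

ANY = None  # the "any" choice in the web GUI


def selector_matches(selector, addr):
    """selector is ANY, or (subnet_name, negated): '<name> Subnet' with the
    'not' box optionally checked."""
    if selector is ANY:
        return True
    name, negated = selector
    inside = ip_address(addr) in SUBNETS[name]
    return not inside if negated else inside


def rule(iface, action, src, dst, desc=""):
    return {"iface": iface, "action": action, "src": src, "dst": dst, "desc": desc}


def evaluate(rules, ingress_iface, src, dst):
    """Return (action, description of the rule that decided it)."""
    for r in rules:
        if r["iface"] != ingress_iface:
            continue  # rules on other interfaces never see this packet
        if selector_matches(r["src"], src) and selector_matches(r["dst"], dst):
            return r["action"], r["desc"]
    return "block", "implicit default deny"


# Ruleset 1: what the original poster tried. Both block rules sit on LAN, so
# they only ever see packets entering on LAN. The pass-any rule on OPT1 is an
# assumption (OPT1 has no rules at all by default).
ORIGINAL = [
    rule("LAN", "block", ("OPT1", False), ANY, "LAN: block source OPT1 Subnet"),
    rule("LAN", "block", ("OPT1", False), ANY, "LAN: block source 192.168.101.0/24"),
    rule("LAN", "pass", ("LAN", False), ANY, "Default LAN -> any"),
    rule("OPT1", "pass", ("OPT1", False), ANY, "assumed: OPT1 -> any"),
]

# Ruleset 2: the two rules recommended in the reply above.
RECOMMENDED = [
    rule("LAN", "pass", ("LAN", False), ("OPT1", True), "Default LAN -> any (not OPT1)"),
    rule("OPT1", "pass", ("OPT1", False), ("LAN", True), "Default OPT1 -> Any (not LAN)"),
]


def opt1_can_reach_lan(rules):
    return evaluate(rules, "OPT1", "192.168.101.10", "192.168.1.10")[0] == "pass"


def lan_can_reach_opt1(rules):
    return evaluate(rules, "LAN", "192.168.1.10", "192.168.101.10")[0] == "pass"


def lan_can_reach_internet(rules):
    return evaluate(rules, "LAN", "192.168.1.10", "198.51.100.1")[0] == "pass"


def opt1_can_reach_internet(rules):
    return evaluate(rules, "OPT1", "192.168.101.10", "198.51.100.1")[0] == "pass"


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("recommended", RECOMMENDED)):
        print(name, "OPT1->LAN:", opt1_can_reach_lan(rs),
              "LAN->OPT1:", lan_can_reach_opt1(rs),
              "LAN->Internet:", lan_can_reach_internet(rs),
              "OPT1->Internet:", opt1_can_reach_internet(rs))
```

With the original ruleset an OPT1 host still reaches LAN, because its packets enter on OPT1 and the block rules on LAN are never consulted. With the recommended pair both directions between the two subnets fall through to the implicit deny while Internet-bound traffic from either side passes. One caveat when using the "not ... Subnet" form: "OPT1 Subnet" includes the firewall's own OPT1 address, so LAN hosts lose access to services m0n0wall offers on that address as well; that is normally what you want, but add a narrower pass rule above the default if it is not.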