Ulrik Lunddahl wrote:
> James W. McKeand wrote:
>
>> These two rules logically state: Traffic on the LAN interface from
>> the LAN subnet is allowed to anywhere *BUT* the OPT1 subnet. And
>> traffic on the OPT1 interface from the OPT1 subnet is allowed to
>> anywhere *BUT* the LAN subnet.
>
> I have the exact same problem, but I have 2 OPT interfaces, so your
> solution does not work for me.
>
> You seem to be very good at this "logic of rulez", do you have a
> suggestion for how I should solve the problem, because my head is
> spinning and I have to read everything 10 times to be sure it's
> secure.
>
> The system is PC based with 4 interfaces:
>
> WAN with a /27 subnet.
> LAN with administrative hosts (ADMIN)
> OPT1 with hosts that do software development, project A (PROJA)
> OPT2 with hosts that do software development, project B (PROJB)
>
> Everybody should have somewhat unlimited internet access, and no
> traffic between ADMIN, PROJA, PROJB is necessary; they could in theory
> have 3 separate internet connections.

My rules assume the default /24 subnet on both the LAN and OPT1 interface (WAN subnet not an issue). You could place each of the project groups on adjacent /25 subnets. Then create an alias for the parent /24 subnet and write the rules based on the alias. The downside is you will be limiting the PROJ subnets to 126 IPs (125 available after you assign one to m0n0wall).

On your Interfaces:

PROJA interface would be 192.168.1.1/25 (Network ID: 192.168.1.0)
PROJB interface would be 192.168.1.129/25 (Network ID: 192.168.1.128)
LAN(ADMIN) interface would be 192.168.0.1/24 (Network ID: 192.168.0.0)

*** Note: the actual IPs you use are up to you; the adjacent subnets for PROJ# and a separate subnet for LAN are the keys. ***

On Firewall -> Aliases, Add:

Name: PROJAB
Type: Network
Address: 192.168.1.0/24
Description: Both PROJA and PROJB

On Firewall -> Rules -> Edit default LAN(ADMIN) rule:

Action: Pass
Interface: LAN
Protocol: any
Source: LAN subnet
Source port range from: any to: any
Destination: Check "not" box
Type: Single host or alias (change from "any")
Address: PROJAB (blue field means you can use an alias)
Destination port range from: any to: any
Description: Default LAN -> Any (not PROJA or PROJB)

On Firewall -> Rules -> Add default PROJ# rules (one on each PROJ interface):

Action: Pass
Interface: PROJ#
Protocol: any
Source: PROJ# subnet
Source port range from: any to: any
Destination: Check "not" box
Type: LAN Subnet
Destination port range from: any to: any
Description: Default PROJ# -> Any (not LAN)

*** Note: substitute A & B for "#" ***

If my assumption about the alias is true, you could also go the other direction and assign a /23 subnet to the network alias. Then you could still use a /24 on the PROJ# subnets.

Good luck and have fun.

_________________________________
James W. McKeand
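As an added check that is not part of the post above, the Python model below evaluates the three rules first-match with default deny, the way m0n0wall processes an interface's rule list, for every pair of internal subnets using the post's own numbering. It shows the LAN is cut off from both project networks, but that the PROJ# rules as written still pass PROJA <-> PROJB traffic because only the LAN subnet is negated; a second rule set (my addition, not the post's) places explicit block rules ahead of the pass rules to close that gap. Same-subnet traffic never crosses the firewall, so it is not modelled.

```python
import ipaddress

# Subnet layout exactly as proposed in the post.
NETS = {
    "LAN": ipaddress.ip_network("192.168.0.0/24"),
    "PROJA": ipaddress.ip_network("192.168.1.0/25"),
    "PROJB": ipaddress.ip_network("192.168.1.128/25"),
}
PROJAB = ipaddress.ip_network("192.168.1.0/24")  # the alias covering both PROJ subnets

# Rule tuple: (action, interface, source net, destination net, "not" box ticked).
# The post's three rules: LAN -> not PROJAB, PROJ# -> not LAN.
POSTED_RULES = [
    ("pass", "LAN", NETS["LAN"], PROJAB, True),
    ("pass", "PROJA", NETS["PROJA"], NETS["LAN"], True),
    ("pass", "PROJB", NETS["PROJB"], NETS["LAN"], True),
]
# Assumed extension: explicit blocks between the project interfaces, listed first
# so they match before the broad pass rules.
ISOLATED_RULES = [
    ("block", "PROJA", NETS["PROJA"], NETS["PROJB"], False),
    ("block", "PROJB", NETS["PROJB"], NETS["PROJA"], False),
] + POSTED_RULES


def ingress(src):
    """Interface a packet from src arrives on; anything else is treated as WAN."""
    return next((name for name, net in NETS.items() if src in net), "WAN")


def allowed(rules, src, dst):
    """First matching rule on the ingress interface decides; no match is default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress(src)
    for action, r_if, r_src, r_dst, negate in rules:
        if r_if != iface or src not in r_src:
            continue
        if (dst in r_dst) != negate:  # destination matches, honouring the "not" box
            return action == "pass"
    return False


def leaks(rules):
    """Ordered pairs of distinct internal subnets that can still reach each other."""
    out = []
    for a in NETS:
        for b in NETS:
            # Use the 11th host address of each subnet as a sample source/destination.
            if a != b and allowed(rules, str(NETS[a][10]), str(NETS[b][10])):
                out.append((a, b))
    return out
```

Run `leaks(POSTED_RULES)` to see which inter-subnet paths the posted rules leave open, and `leaks(ISOLATED_RULES)` to confirm the extended set returns none while internet-bound traffic still passes.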