[ previous ] [ next ] [ threads ]
 From:  Frederick Page <fpage at thebetteros dot oche dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Confirmed: bug in firewall on OPT1
 Date:  Fri, 17 Dec 2004 23:27:01 +0100
Hallo Manuel,

Manuel Kasper schrieb am 17. December 2004:

[no rule on OPT1 interface = no traffic. So far, so good]

>>Now I insert one single rule on OPT1:
>>Action: Pass, Interface: OPT1, Protocol: AH, Source: any,
>>Destination: NOT LAN subnet

>>After "apply" I can do this with client on OPT1:

>Sorry, can't reproduce here.


Since I saw some internal rules dealing with, I also
experimented and set the OPT1 interface to a net, same
results: traffic from OPT1 could reach LAN.

However as I said: on the LAN-interface everything works as expected:
changing the last "pass" rule to "destination not OPT1" prevents any
traffic to OPT1. It just doesn't work the other way round: prevent
traffic from OPT1 to LAN.

The following info might be helpful: I am on SDSL (synchronous DSL)
with 2mBit in each direction. My provider gave me a router and two
static IP-addresses: one for the provider's router (which is the
default gateway in m0n0wall) and another IP-address for m0n0wall.
Both addresses are on a /30 net (netmask

Regardless of the fact, that OPT1 can reach LAN, everything works
perfectly without any problems.

>Yes, please post your entire (anonymized) status.php.

Meanwhile I assigned "FUNK" as a symbolic name to OPT1, this is my
current config in which LAN is open to "FUNK", although it should be
not accessible to "FUNK".

By the way: thank you very much for your attention and the time to
read my mail. I'm a little ashamed to have to utilize your precious
time, but I really want my WLAN ("FUNK") to be unable to access LAN,
because I plan an intentionally open AP with Captive Portal (I came to
enjoy open WLANs when I'm away and want to do the same for others).

Kind regards Frederick