James W. McKeand wrote on 17 December 2004:
>>Action: Pass, Interface: OPT1, Protocol: AH, Source: any,
>>Destination: NOT LAN subnet
>First reaction would be rule is not right...
I really experimented with all kinds of things: changed the OPT1 to
10.0.0.0/4 (to be much different from the 192.168.100.0/24 LAN).
I also created aliases in "Firewall" and threw those in, I also
explicitly blocked traffic to LAN by spelling it out as
Nothing worked so far, LAN can be successfully prevented from reaching
OPT1, but vice versa seems to be impossible.
>Protocol: any (not AH - or was that a typo?)
>Source: OPT1 subnet (not any)
>Destination: NOT LAN subnet
Doesn't work either, I found out some more: as long as there is NO
rule on the OPT1 interface, traffic from OPT1 can go nowhere. The
second I put in ANY rule, LAN can be accessed from OPT1.
I put in this as the _only_ rule on OPT1:
Source: OPT1 subnet
Log packets that are handled by this rule
Now in theory, this should prevent ANY traffic to ANYWHERE and each
packet should be logged, right?
Wrong. Nothing is logged, with this one, single rule I can still "ping",
"net view" and "http://192.168.100.4" from OPT1. I can even FTP my
internal OpenBSD server from OPT1, aaaargh! However, I must use
IP addresses, DNS resolution does not work.
>Second reaction - wasn't it working yesterday?
That was a mistake of mine: I had the Captive Portal activated, which
prevented any traffic. With Captive Portal deactivated: see above.
Kind regards, Frederick
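As an added illustration (not part of the thread or of any project's shipped configuration), the policy Frederick is after, written as a pf ruleset: block and log OPT1 to LAN, allow OPT1 to everything else. pf syntax is an assumption, since the thread never says which packet filter the firewall compiles its rules into, and the interface name is a placeholder.

```pf
# Added example; pf syntax assumed, interface name is a placeholder.
opt1_if  = "sis2"                # placeholder for the OPT1 interface
lan_net  = "192.168.100.0/24"    # LAN subnet named in the thread
opt1_net = "10.0.0.0/4"          # OPT1 subnet as the poster configured it

# Without "quick", pf takes the LAST matching rule, so a later generic
# pass would silently override this block. "quick" makes the first
# match final, which is the ordering a GUI rule list normally implies.
block log quick on $opt1_if inet from $opt1_net to $lan_net

# Everything else leaving OPT1 is allowed, evaluated only if the
# block above did not match.
pass quick on $opt1_if inet from $opt1_net to any
```

If the block line produces no log entries while LAN is reachable, the traffic is matching some other rule (or is not being filtered on that interface at all), which is worth checking before touching the rules themselves.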