 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Frederick Page <fpage at thebetteros dot oche dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Confirmed: bug in firewall on OPT1
 Date:  Sat, 18 Dec 2004 10:42:05 +0100
On 17.12.2004 23:27 +0100, Frederick Page wrote:

> However as I said: on the LAN-interface everything works as
> expected: changing the last "pass" rule to "destination not OPT1"
> prevents any traffic to OPT1. It just doesn't work the other way
> round: prevent traffic from OPT1 to LAN.

Why on earth do you have a static route for 192.168.0.0/16 with
gateway 192.168.100.100 on your *OPT1* interface? Not only does that
not make any sense, it's the source of your problem as well. That
static route tells m0n0wall to let traffic between 192.168.0.0/16 and
192.168.101.0/24 pass unconditionally, since it assumes that both are
on the same interface (OPT1). Remove it, and life should be better
for you.

Lesson learned: don't use the words "confirmed" and "bug" unless
you're really really sure you did everything right...

Now, I've learned a lesson too. This automatic implicit routing
feature will be made optional, with default to disabled, in the very
next release. It wasn't my idea, I didn't like it that much anyway
(even though it's needed in some complicated setups), and it's too
easy for a user to do something stupid with the static routing and
end up with filter rules that don't do what (s)he wants them to.

- Manuel
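As an added illustration (not m0n0wall's own code, and not part of the thread), a small Python model of the implicit-routing behaviour Manuel describes: a static route on an interface causes traffic between that interface's subnet and the route's destination to be passed unconditionally. The OPT1 subnet and the static route are taken from the mail; the LAN subnet 192.168.100.0/24 is an assumption chosen so that the gateway 192.168.100.100 lies on it. The check shows that the /16 route covers LAN and so silently passes OPT1 to LAN traffic, and that removing the route closes that gap.

```python
from ipaddress import ip_address, ip_network

# Interface subnets. OPT1 is taken from the mail; the LAN subnet is an
# assumption (chosen so that the gateway 192.168.100.100 sits on it).
INTERFACES = {
    "LAN":  ip_network("192.168.100.0/24"),   # assumed
    "OPT1": ip_network("192.168.101.0/24"),   # from the mail
}

# Static routes as (interface, destination, gateway), as described in the mail.
STATIC_ROUTES = [
    ("OPT1", ip_network("192.168.0.0/16"), ip_address("192.168.100.100")),
]


def implicit_pass_rules(interfaces, static_routes):
    """Model of the implicit routing the mail describes: for every static
    route on an interface, traffic between that interface's subnet and the
    route's destination is passed unconditionally, in both directions."""
    rules = []
    for iface, dest, _gateway in static_routes:
        local = interfaces[iface]
        rules.append((iface, local, dest))
        rules.append((iface, dest, local))
    return rules


def bypasses_filter(src, dst, interfaces, static_routes):
    """Return the implicit rule that lets src -> dst through ahead of the
    user's own filter rules, or None if no such rule exists."""
    src, dst = ip_address(src), ip_address(dst)
    for iface, from_net, to_net in implicit_pass_rules(interfaces, static_routes):
        if src in from_net and dst in to_net:
            return (iface, from_net, to_net)
    return None


def route_shadows_interfaces(route_iface, route_dest, interfaces):
    """Misconfiguration check: list other interfaces whose subnet overlaps the
    static route's destination, i.e. subnets that will look 'local' to
    route_iface and therefore escape the filter rules on it."""
    return sorted(name for name, net in interfaces.items()
                  if name != route_iface and net.overlaps(route_dest))


if __name__ == "__main__":
    print("shadowed by the /16 on OPT1:",
          route_shadows_interfaces("OPT1", ip_network("192.168.0.0/16"), INTERFACES))
    print("OPT1 -> LAN with route:", bypasses_filter("192.168.101.10", "192.168.100.5",
                                                     INTERFACES, STATIC_ROUTES))
    print("OPT1 -> LAN without route:", bypasses_filter("192.168.101.10", "192.168.100.5",
                                                        INTERFACES, []))
```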