 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Frederick Page <fpage at thebetteros dot oche dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Confirmed: bug in firewall on OPT1
 Date:  Sat, 18 Dec 2004 10:42:05 +0100
On 17.12.2004 23:27 +0100, Frederick Page wrote:

> However as I said: on the LAN-interface everything works as
> expected: changing the last "pass" rule to "destination not OPT1"
> prevents any traffic to OPT1. It just doesn't work the other way
> round: prevent traffic from OPT1 to LAN.

Why on earth do you have a static route for with
gateway on your *OPT1* interface? Not only does that
not make any sense, it's the source of your problem as well. That
static route tells m0n0wall to let traffic between and pass unconditionally, since it assumes that both are
on the same interface (OPT1). Remove it, and life should be better
for you.

Lesson learned: don't use the words "confirmed" and "bug" unless
you're really really sure you did everything right...

Now, I've learned a lesson too. This automatic implicit routing
feature will be made optional, with default to disabled, in the very
next release. It wasn't my idea, I didn't like it that much anyway
(even though it's needed in some complicated setups), and it's too
easy for a user to do something stupid with the static routing and
end up with filter rules that don't do what (s)he wants them to.

- Manuel
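An added illustration (not m0n0wall's code and not part of the thread): a small Python model of the implicit-routing behaviour Manuel describes, in which a static route's destination is treated as if it were attached to the interface that holds the route's gateway, so traffic between that destination and the interface's own subnet is passed before the user's rules are consulted. The addresses are constructed placeholders (the thread does not give the real networks), and the per-ingress-interface modelling is an assumption made here to show why the LAN-side rule still worked while the OPT1-side one did not.

```python
import ipaddress

# Constructed example config; the thread does not give the real addresses.
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),
}
# The misplaced route from the thread, modelled: destination is the LAN
# subnet, gateway is an address that lives on the OPT1 subnet.
BAD_ROUTE = (ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_address("192.168.2.1"))

def interface_for(addr, interfaces=INTERFACES):
    """Name of the interface whose subnet contains addr, or None."""
    for name, subnet in interfaces.items():
        if addr in subnet:
            return name
    return None

def local_networks(interfaces, routes):
    """Model of implicit routing (assumption): each route's destination is
    attached to the interface holding the gateway, as if directly connected."""
    local = {name: [subnet] for name, subnet in interfaces.items()}
    for dest, gateway in routes:
        name = interface_for(gateway, interfaces)
        if name is not None:
            local[name].append(dest)
    return local

def bypasses_filter(src, dst, routes, interfaces=INTERFACES):
    """True when a packet src->dst entering the firewall would be passed
    without hitting the rules on its ingress interface, because both
    endpoints count as local to that interface under the model above."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = interface_for(src, interfaces)
    if ingress is None:
        return False
    nets = local_networks(interfaces, routes)[ingress]
    return any(dst in n for n in nets)

def misplaced_routes(routes, interfaces=INTERFACES):
    """Audit: routes whose destination overlaps a subnet directly attached
    to a different interface than the gateway's. Each finding is a route
    that silently weakens the rules on the gateway's interface."""
    findings = []
    for dest, gateway in routes:
        gw_if = interface_for(gateway, interfaces)
        for name, subnet in interfaces.items():
            if gw_if is not None and name != gw_if and dest.overlaps(subnet):
                findings.append((str(dest), gw_if, name))
    return findings
```

Running `misplaced_routes` over a config's static routes before relying on inter-interface block rules flags exactly the kind of route this thread is about.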