 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] special icmp-rule
 Date:  Mon, 3 Jan 2005 09:24:23 -0500
Rolf Kühn wrote:
> Hello,
> I would like to set up the following ruleset, but it seems to be
> impossible to create the second part with the GUI:
> 1. allow incoming ICMP via WAN
> 2. drop outgoing ICMP via WAN
> (source of idea: Building Internet Firewalls, O'Reilly)
> Is there any possibility to create this?

Inbound ICMP should be blocked automatically. And outbound is simple.

If you do not need to ping your router, the WAN of m0n0, etc., the rule
would read something like:

Action:  Block
Interface:  LAN (or OPTn)
Protocol:  ICMP
Source:  any
Destination:  any
Description:  Block LAN ICMP -> any

This rule needs to be before the "Pass LAN to Any" rule. You would
need a rule like that for each of your non-WAN interfaces (OPTn).

If you need to ping a router or such, you would need to write the rule
to be destination *not* network, then use the public subnet. You can
accomplish the same by defining your public subnet in the Aliases
(like PublicNet), then use the alias to write the rule.

James W. McKeand
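The ordering point in the reply (the ICMP block must sit above the "Pass LAN to Any" rule, and the "not PublicNet" variant keeps the router reachable) can be checked with a small first-match model of the per-interface rule list. This is an added illustration, not code from the post or from m0n0wall; the PublicNet alias value 203.0.113.0/24 is a placeholder.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed alias table; the subnet is a placeholder, not from the post.
ALIASES = {"PublicNet": ip_network("203.0.113.0/24")}


@dataclass
class Rule:
    action: str              # "pass" or "block"
    interface: str           # interface the packet enters on: LAN, OPT1, ...
    protocol: str            # "icmp", "tcp", "udp" or "any"
    destination: str         # "any", an alias name or a CIDR string
    negate_dest: bool = False  # the GUI's "not" checkbox on the destination
    description: str = ""

    def dest_matches(self, dst):
        if self.destination == "any":
            hit = True
        else:
            net = ALIASES.get(self.destination) or ip_network(self.destination)
            hit = ip_address(dst) in net
        return not hit if self.negate_dest else hit

    def matches(self, iface, proto, dst):
        return (self.interface == iface
                and self.protocol in ("any", proto)
                and self.dest_matches(dst))


def evaluate(rules, iface, proto, dst):
    """First matching rule wins, as in m0n0wall's per-interface list.
    A packet that matches nothing falls through to the default block."""
    for rule in rules:
        if rule.matches(iface, proto, dst):
            return rule.action, rule.description
    return "block", "implicit default"


# Ruleset from the post: the ICMP block placed above the catch-all pass,
# using the "not PublicNet" form so hosts on the public subnet stay pingable.
RULESET = [
    Rule("block", "LAN", "icmp", "PublicNet", negate_dest=True,
         description="Block LAN ICMP -> any except PublicNet"),
    Rule("pass", "LAN", "any", "any", description="Pass LAN to any"),
]

if __name__ == "__main__":
    print(evaluate(RULESET, "LAN", "icmp", "198.51.100.5"))        # block
    print(evaluate(RULESET, "LAN", "icmp", "203.0.113.1"))         # pass
    print(evaluate(RULESET[::-1], "LAN", "icmp", "198.51.100.5"))  # pass: wrong order
```

Reversing the list shows the failure mode: with the pass rule first, every ICMP packet from the LAN is accepted and the block rule is never consulted.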