> Rolf Kühn wrote:
>> hello
>>
>> i would like to setup the following ruleset, but it seems to be
>> impossible to create the second part with the gui:
>>
>> 1. allow incoming icmp via wan
>> 2. drop outgoing icmp via wan
>>
>> (source of idea: Building Internet Firewalls, O'Reilly)
>> is there any possibility to create?
>
> Inbound ICMP should be blocked automatically. And Outbound is simple.
>
> If you do not need to ping your router, WAN of m0n0, etc. rule that
> would read something like:
>
> Action: Block
> Interface: LAN (or OPTn)
> Protocol: ICMP
> Source: any
> Destination: any
> Description: Block LAN ICMP -> any
>
> This rule needs to be before the "Pass LAN to Any" rule. You would
> need a rule like that for each of your non-WAN interfaces (OPTn).
>
> If you need to ping a router or such, you would need to write the rule
> to be destination *not* network, then use the public subnet. You can
> accomplish the same by defining your public subnet in the Aliases
> (like PublicNet), then use the alias to write the rule.

I think that is similar to what he asked, although not necessarily the same (his intent was not stated). Your rule seems to block LAN ICMP -> Internet but not Firewall ICMP -> Internet. This is one of the simplifications of m0n0wall which is not intuitive to those of us who have written our own rules directly in the past.
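As an added illustration (not code from the thread or from m0n0wall), the following small first-match model shows why the "Block LAN ICMP" rule must sit before "Pass LAN to Any", how the "destination *not* PublicNet" exception behaves, and why a rule on the LAN interface never sees ICMP that the firewall itself originates. The PublicNet prefix, the sample packets and the "self" ingress convention are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed "PublicNet" alias (documentation prefix, not a real deployment).
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/29")


@dataclass
class Rule:
    action: str                 # "block" or "pass"
    interface: str              # interface the packet enters on (lan, opt1, ...)
    proto: str                  # "icmp", "tcp" or "any"
    dst_not: Optional[ipaddress.IPv4Network] = None  # "destination *not* network"


@dataclass
class Packet:
    iface: str                  # ingress interface; "self" = originated by the firewall
    proto: str
    dst: str


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """Return the action of the first rule matching pkt on its ingress interface.

    Modelling assumption: per-interface rules only filter traffic that *enters*
    that interface, so packets the firewall itself sends are not matched here.
    """
    if pkt.iface == "self":
        return "pass"
    for r in rules:
        if r.interface != pkt.iface:
            continue
        if r.proto not in ("any", pkt.proto):
            continue
        if r.dst_not is not None and ipaddress.ip_address(pkt.dst) in r.dst_not:
            continue            # destination is inside the excluded network
        return r.action
    return default


# The rules from the reply above: block ICMP from LAN unless it is aimed at
# PublicNet, then the usual "Pass LAN to Any".
BLOCK_LAN_ICMP = Rule("block", "lan", "icmp", dst_not=PUBLIC_NET)
PASS_LAN_ANY = Rule("pass", "lan", "any")
CORRECT_ORDER = [BLOCK_LAN_ICMP, PASS_LAN_ANY]
WRONG_ORDER = [PASS_LAN_ANY, BLOCK_LAN_ICMP]   # block rule placed after the pass rule
```

With CORRECT_ORDER a LAN ping to the Internet is blocked while a ping to a PublicNet router passes; with WRONG_ORDER the pass rule matches first and the block rule is dead, and in both cases ICMP with ingress "self" is unaffected.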