 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] special icmp-rule
 Date:  Tue, 4 Jan 2005 09:18:12 -0500
Greg Smith wrote:
>> Action:  Block
>> Interface:  LAN (or OPTn)
>> Protocol:  ICMP
>> Source:  any
>> Destination:  any
>> Description:  Block LAN ICMP -> any
>> 
>> This rule needs to be before the "Pass LAN to Any" rule. You would
>> need a rule like that for each of your non-WAN interfaces (OPTn).

> Your rule seems to block LAN ICMP -> Internet but not Firewall ICMP ->
> Internet. This is one of the simplifications of m0n0wall which is not
> intuitive to those of us who have written our own rules directly in
> the past.

Then, change the Interface to WAN. If the m0n0wall is not going to
respond to ICMP packets (default behavior, AFAIK), how would it
produce outbound ICMP packets without user intervention? Block ICMP
from LAN (and/or OPTn) and you do not have ICMP leaving the firewall.

_________________________________
James W. McKeand
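The two points argued in this exchange (that the block rule must sit above "Pass LAN to any" because the first matching rule wins, and that rules bound to the LAN interface only see packets that enter through LAN, so they never match traffic the firewall itself originates) can be checked with a small model of per-interface, first-match filtering. The following is an added example written for this page; it is not m0n0wall's own code or ruleset format. The rule and packet structures, the CIDR matching, the "default deny" fallthrough, and the treatment of firewall-originated packets (ingress `None`, not subject to any interface rule) are modelling assumptions; the sample addresses are constructed.

```python
"""Toy first-match packet filter modelling m0n0wall-style per-interface rules.

Assumptions (illustration only, not m0n0wall's implementation):
  * A rule is attached to the interface a packet ENTERS on; the rules for
    that interface are evaluated top to bottom and the first match decides.
  * Packets generated by the firewall itself enter on no interface, so no
    interface rule can match them; this model lets them through.
  * A packet matching no rule on its ingress interface is dropped
    (default deny).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    interface: str       # "LAN", "OPT1", "WAN", ...
    proto: str           # "icmp", "tcp", "udp" or "any"
    src: str             # "any" or a CIDR prefix such as "192.168.1.0/24"
    dst: str             # same syntax as src
    description: str = ""


@dataclass(frozen=True)
class Packet:
    ingress: Optional[str]   # interface the packet arrived on; None = originated by the firewall
    proto: str
    src: str                 # IPv4 address as text
    dst: str


def _ip_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise addr must fall inside the CIDR spec."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.interface == pkt.ingress
        and (rule.proto == "any" or rule.proto == pkt.proto)
        and _ip_matches(rule.src, pkt.src)
        and _ip_matches(rule.dst, pkt.dst)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for pkt under the ordered ruleset."""
    if pkt.ingress is None:
        # Assumption: interface rules never see firewall-originated traffic.
        return ("pass", "firewall-originated: no interface rule applies")
    for rule in rules:
        if rule_matches(rule, pkt):
            return (rule.action, rule.description)
    return ("block", "default deny")


# The two rules discussed in the thread, as modelled here.
BLOCK_LAN_ICMP = Rule("block", "LAN", "icmp", "any", "any", "Block LAN ICMP -> any")
PASS_LAN_ANY = Rule("pass", "LAN", "any", "any", "any", "Pass LAN to any")

# Constructed sample packets (RFC 5737 documentation addresses).
LAN_PING = Packet("LAN", "icmp", "192.168.1.10", "198.51.100.1")
LAN_HTTP = Packet("LAN", "tcp", "192.168.1.10", "198.51.100.1")
FIREWALL_PING = Packet(None, "icmp", "203.0.113.5", "198.51.100.1")


def demo() -> dict:
    """Show that rule order decides, and that LAN rules never touch firewall-originated ICMP."""
    block_first = [BLOCK_LAN_ICMP, PASS_LAN_ANY]
    pass_first = [PASS_LAN_ANY, BLOCK_LAN_ICMP]
    return {
        "block_first/lan_ping": evaluate(block_first, LAN_PING)[0],    # block
        "block_first/lan_http": evaluate(block_first, LAN_HTTP)[0],    # pass
        "pass_first/lan_ping": evaluate(pass_first, LAN_PING)[0],      # pass: block rule is shadowed
        "block_first/fw_ping": evaluate(block_first, FIREWALL_PING)[0],  # pass: not a LAN packet
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Swapping the order of the two rules flips the ICMP verdict while leaving TCP untouched, which is the shadowing the first message warns about; the firewall-originated ping passes under either order because it never enters through LAN, which is the gap the second message points out.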