Hello,

I just installed m0n0wall on a Soekris net4501 and began testing. The current setup is a simple form of WAN/LAN/DMZ. I was thinking of bridging the connections between WAN and DMZ. With advanced options it should be possible to filter out unnecessary packets. For a simple filter one option seems to be missing: http://coombs.anu.edu.au/~avalon/examples.html#tcpflags

By adding "flags A/A" one can filter out "established" connections. More important, by adding "flags S/SA" one can filter out packets in the initial state of a connection. The simple application would be placing a server in the DMZ from which (almost all) SYN packets for TCP connections. This way all outgoing connections are blocked (or allowed for a few services) with only one rule. Actually, this function seems so basic to me I was wondering if I haven't overlooked the option in some other form. I did not see it on the TODO list either. (I did see the very nice filtering rule layout has only been added recently, thanks Jim.)

Another issue, since I installed the router using Linux: is the PHP code open source? Maybe all it takes is to mount the image as a loop device, if only I knew what filesystem is used. (I'd probably have to compile the appropriate filesystem modules anyway.) As I don't have a spare system right now, installing FreeBSD-Release will take a few weeks. And it should be possible to test the PHP code on a Linux system. I would not like to take the router down for each test anyway.

With regards,
Huub Reuver
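The "flags S/SA" and "flags A/A" semantics the post refers to are a mask-and-compare on the TCP flag bits: the part after the slash says which bits to look at, the part before says which of those must be set. The following is an added illustration, not code from the post, from m0n0wall or from ipfilter. It implements that flag matching over constructed packets and a tiny last-match-wins rule evaluator (with "quick" short-circuiting, as ipfilter does) to show how a single "flags S/SA" block rule on the DMZ interface stops the server from opening new connections while still letting its SYN-ACK replies out. The interface name (sis1), addresses and ports are made up for the example, and the treatment of a flag spec without a mask as "compare all six flags" is this example's own assumption.

```python
# Added example (not m0n0wall or ipfilter code): TCP flag mask matching and a
# minimal ipfilter-style rule evaluator over constructed packets.
from dataclasses import dataclass
from typing import Optional, Dict, List

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"

def flag_bits(letters: str) -> int:
    """Turn a string like 'SA' into the OR of its flag bits."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits

def parse_flag_spec(spec: str):
    """'S/SA' -> (want, mask). A spec with no mask is assumed (in this example)
    to compare against all six flags, i.e. 'S' behaves like 'S/FSRPAU'."""
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, ALL_FLAGS
    return flag_bits(want), flag_bits(mask)

def flags_match(packet_flags: int, spec: str) -> bool:
    """True when the masked packet flags equal the wanted bits."""
    want, mask = parse_flag_spec(spec)
    return (packet_flags & mask) == want

@dataclass
class Packet:
    direction: str   # "in" = arriving on the interface, "out" = leaving it
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    flags: int = 0   # TCP flag bits; ignored for non-TCP

@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str
    iface: str
    proto: str       # "any", "tcp", ...
    src: str         # "any" or an exact address (constructed example keeps it simple)
    dst: str
    dport: Optional[int] = None
    flags: Optional[str] = None
    quick: bool = False

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags is not None:
        if pkt.proto != "tcp" or not flags_match(pkt.flags, rule.flags):
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ipfilter semantics: the last matching rule wins, unless a matching rule
    is marked quick, in which case evaluation stops there."""
    verdict = default
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

DMZ_HOST = "10.0.1.10"   # constructed DMZ web server address

# Constructed rule set for the DMZ interface sis1 (names are made up).
RULES = [
    Rule("pass", "in", "sis1", "any", "any", "any"),                        # general allow from DMZ
    Rule("block", "in", "sis1", "tcp", DMZ_HOST, "any", flags="S/SA", quick=True),  # the post's one rule
    Rule("pass", "out", "sis1", "tcp", "any", DMZ_HOST, dport=80, flags="S/SA"),    # new conns to web
    Rule("pass", "out", "sis1", "tcp", "any", DMZ_HOST, flags="A/A"),               # established to server
]

def demo() -> Dict[str, str]:
    """Run a few constructed packets through RULES and return the verdicts."""
    s, sa, a = flag_bits("S"), flag_bits("SA"), flag_bits("A")
    packets = {
        "server_opens_smtp":   Packet("in",  "sis1", "tcp", DMZ_HOST, "198.51.100.7", 25, s),
        "server_synack_reply": Packet("in",  "sis1", "tcp", DMZ_HOST, "203.0.113.5", 54321, sa),
        "client_syn_to_web":   Packet("out", "sis1", "tcp", "203.0.113.5", DMZ_HOST, 80, s),
        "client_syn_to_ssh":   Packet("out", "sis1", "tcp", "203.0.113.5", DMZ_HOST, 22, s),
        "client_ack_to_ssh":   Packet("out", "sis1", "tcp", "203.0.113.5", DMZ_HOST, 22, a),
    }
    return {name: evaluate(RULES, pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The last packet shows the limit of flags-only filtering: a bare ACK toward a closed port is passed by the "A/A" rule because nothing checks that a connection actually exists. That is the reason the flags match is normally paired with state tracking ("keep state" in ipfilter), so that only segments belonging to a connection that was admitted by its SYN are let through.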