[ previous ] [ next ] [ threads ]
 
 From:  h underscore reuver at mantell dot xs4all dot nl (Huub Reuver)
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Feature request: filtering on TCP SYN-packets
 Date:  Sun, 23 Nov 2003 00:12:58 +0100
Hello,
I just installed monowall on an Soekris net4501 and began testing.
The current setup is a simple form of WAN/LAN/DMZ. I was thinking 
of bridging the connections between WAN and DMZ. With advanced options
it should be possible to filter out unneccessary packets.

For a simple filter one option seems to miss:
http://coombs.anu.edu.au/~avalon/examples.html#tcpflags

By adding "flags A/A" one can filter out "established" connections.
More important, by adding "flags S/SA" one can filter out packets in 
the initial state of a connection.

The simple application would be placing a server in the DMZ from which
(almost all) SYN-packages for TCP-connections. This way all outgoing 
connections are blocked (or allowed for a few services) with only one 
rule.

Actually, this function seems so basic to me I was wondering if I haven't 
overlooked the option in some other form. I did not see it on the 
TODO-list either. (I did see the very nice filtering rule layout has 
only been added recently, thanks Jim.)


Another issue, since I installed the router using Linux, is the PHP-code
open source? Maybe all it takes is to mount the image as a loop device
if only I knew what filesystem is used. (I'd probably have to compile
the appropriate filesystem modules anyway.)

As I don't have a spare system right now installing FreeBSD-Release will 
take weeks a few weeks. And it should be possible to test the PHP-code
on a Linux system. I would not like to take the router down for each 
test anyway.

With regards,
Huub Reuver