 From:  Manuel Kasper <mk at neon1 dot net>
 To:  h underscore reuver at mantell dot xs4all dot nl (Huub Reuver)
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Feature request: filtering on TCP SYN-packets
 Date:  Sun, 23 Nov 2003 10:06:30 +0100
On 23.11.2003, at 00:12, Huub Reuver wrote:

> For a simple filter one option seems to be missing:
> http://coombs.anu.edu.au/~avalon/examples.html#tcpflags
> By adding "flags A/A" one can filter out "established" connections.
> More important, by adding "flags S/SA" one can filter out packets in
> the initial state of a connection.
> The simple application would be placing a server in the DMZ from which
> (almost all) SYN-packets for TCP-connections. This way all outgoing
> connections are blocked (or allowed for a few services) with only one
> rule.

I don't get your point. If you just want to deny outgoing traffic from 
a server on, say, your DMZ optional interface, then you just don't add 
any rules to permit traffic from it, and it's blocked by default. If 
you want to allow outgoing traffic on some specific ports, add pass 
rules for them, and they will be allowed, while the rest is still 

m0n0wall always uses stateful packet filtering, meaning that only the 
first packet of a new connection is checked against the ruleset. If it 
matches a pass rule, it is of course passed, and an entry is added to 
the state table that will later permit further packets (in both 
directions) belonging to that connection to pass through the filter 
without even checking the ruleset anymore.

m0n0wall also enforces that the first packet of a new TCP connection is 
a SYN packet in order to create a state table entry (that is, packets 
with TCP flags other than SYN (actually S/SAFR in ipfilter terms) that 
do not have an entry in the state table will be dropped).

I think that's about as much as you could possibly ask for. Stateful 
packet filtering, default to deny... all the good firewall practices. 

> Another issue, since I installed the router using Linux, is the PHP-code
> open source? Maybe all it takes is to mount the image as a loop device
> if only I knew what filesystem is used. (I'd probably have to compile
> the appropriate filesystem modules anyway.)

Sure - read the m0n0wall Hackers Guide.

- Manuel
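The stateful behaviour Manuel describes, as an added toy model that is not m0n0wall or ipfilter code: only the first packet of a connection is checked against the ruleset, a TCP packet creates state only if it is a pure SYN (ipfilter `flags S/SAFR`: of the S, A, F and R bits, only S set) and matches a pass rule, later packets in either direction are passed from the state table, and everything else falls through to default deny. The rule format, the hosts and the port numbers are constructed for the example.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the header
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
MASK_SAFR = SYN | ACK | FIN | RST  # the mask ipfilter uses for "S/SAFR"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "in" or "out" relative to the firewall interface


def flags_match(flags: int, want: int, mask: int) -> bool:
    """ipfilter 'flags want/mask': compare only the bits named in mask."""
    return flags & mask == want


class StatefulFilter:
    def __init__(self, pass_rules):
        # pass_rules: list of (direction, dst_port) tuples; anything not
        # matched by a pass rule is denied (default to deny).
        self.pass_rules = pass_rules
        self.state = set()  # state table keyed by the two endpoints

    def _key(self, p: Packet):
        # Both directions of one connection map to the same state entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def check(self, p: Packet) -> str:
        if self._key(p) in self.state:
            return "pass (state)"  # ruleset is not consulted at all
        if not flags_match(p.flags, SYN, MASK_SAFR):
            return "drop (no state, not a SYN)"
        for direction, port in self.pass_rules:
            if direction == p.direction and port == p.dport:
                self.state.add(self._key(p))  # only a SYN creates state
                return "pass (rule, state created)"
        return "drop (default deny)"


if __name__ == "__main__":
    # Constructed scenario: a DMZ host may only open outbound SMTP connections.
    fw = StatefulFilter([("out", 25)])
    print(fw.check(Packet("192.0.2.10", 40000, "198.51.100.5", 25, SYN, "out")))
    print(fw.check(Packet("198.51.100.5", 25, "192.0.2.10", 40000, SYN | ACK, "in")))
    print(fw.check(Packet("192.0.2.10", 40001, "198.51.100.5", 80, SYN, "out")))
    print(fw.check(Packet("203.0.113.9", 5555, "192.0.2.10", 22, ACK, "in")))
```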