On 23.11.2003, at 00:12, Huub Reuver wrote:
> For a simple filter one option seems to miss:
> By adding "flags A/A" one can filter out "established" connections.
> More important, by adding "flags S/SA" one can filter out packets in
> the initial state of a connection.
> The simple application would be placing a server in the DMZ from which
> (almost all) SYN-packages for TCP-connections. This way all outgoing
> connections are blocked (or allowed for a few services) with only one
I don't get your point. If you just want to deny outgoing traffic from
a server on, say, your DMZ optional interface, then you just don't add
any rules to permit traffic from it, and it's blocked by default. If
you want to allow outgoing traffic on some specific ports, add pass
rules for them, and they will be allowed, while the rest is still
m0n0wall always uses stateful packet filtering, meaning that only the
first packet of a new connection is checked against the ruleset. If it
matches a pass rule, it is of course passed, and an entry is added to
the state table that will later permit further packets (in both
directions) belonging to that connection to pass through the filter
without even checking the ruleset anymore.
m0n0wall also enforces that the first packet of a new TCP connection is
a SYN packet in order to create a state table entry (that is, packets
with TCP flags other than SYN (actually S/SAFR in ipfilter terms) that
do not have an entry in the state table will be dropped).
I think that's about as much as you could possibly ask for. Stateful
packet filtering, default to deny... all the good firewall practices.
> Another issue, since I installed the router using Linux, is the
> open source? Maybe all it takes is to mount the image as a loop device
> if only I knew what filesystem is used. (I'd probably have to compile
> the appropriate filesystem modules anyway.)
Sure - read the m0n0wall Hackers Guide.
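The stateful behaviour described in the reply above (only the first packet of a connection is checked against the ruleset, it must be a bare SYN in the ipfilter "flags S/SAFR" sense, later packets in either direction are passed from the state table, and anything without a state that is not an initial SYN is dropped) modelled as a small simulation. This is an added example, not code from m0n0wall or ipfilter; the addresses, ports, rule format and class names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits; ipfilter's letters S/A/F/R refer to these.
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
FLAG_MASK = SYN | ACK | FIN | RST  # the "SAFR" part of "flags S/SAFR"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: Optional[str]    # None matches any source address
    dport: Optional[int]  # None matches any destination port


class StatefulFilter:
    """Toy model of ipfilter-style stateful TCP filtering (constructed, not ipfilter code)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: set = set()  # 4-tuples of connections that matched a pass rule

    @staticmethod
    def key(p: Packet) -> Tuple[str, int, str, int]:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def is_initial_syn(p: Packet) -> bool:
        # "flags S/SAFR": among SYN, ACK, FIN and RST only SYN may be set.
        return (p.flags & FLAG_MASK) == SYN

    def rule_verdict(self, p: Packet) -> str:
        # First matching rule wins; no match means block (default deny).
        for r in self.rules:
            if (r.src is None or r.src == p.src) and (r.dport is None or r.dport == p.dport):
                return r.action
        return "block"

    def filter(self, p: Packet) -> str:
        fwd = self.key(p)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass:state"          # state table hit, ruleset not consulted
        if not self.is_initial_syn(p):
            return "block:no-state"      # non-SYN packet with no state is dropped
        if self.rule_verdict(p) == "pass":
            self.states.add(fwd)         # remember the connection; covers both directions
            return "pass:rule"
        return "block:rule"


def run_demo() -> List[str]:
    dmz, mx, web = "10.0.1.10", "198.51.100.5", "203.0.113.9"  # constructed addresses
    fw = StatefulFilter([Rule("pass", dmz, 25)])  # only outbound SMTP from the DMZ host is permitted
    trace = [  # constructed packet trace
        Packet(dmz, 40000, mx, 25, SYN),          # new SMTP connection: checked against the rules
        Packet(mx, 25, dmz, 40000, SYN | ACK),    # reply: passed from the state table
        Packet(dmz, 40000, mx, 25, ACK),          # handshake completes: passed from the state table
        Packet(dmz, 40001, web, 80, SYN),         # HTTP has no pass rule: blocked by default deny
        Packet(dmz, 40002, web, 25, ACK),         # ACK with no state: dropped although port 25 would pass
        Packet(web, 443, dmz, 40003, SYN | ACK),  # unsolicited SYN/ACK: dropped, no state
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fifth packet is the interesting case: it is addressed to a port the ruleset would allow, but because it is not an initial SYN and has no state entry it never reaches the ruleset, which is exactly the behaviour the reply describes.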