 From:  "Jordan T." <jordan at blue dash ferret dot com dot au>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Firewall is not working
 Date:  Thu, 03 Feb 2005 23:57:11 +0800
On Thu, 2005-02-03 at 21:30, James W. McKeand wrote:
> Jordan T. wrote:
> > Hello list,
> > 
> > I have tried to search for this problem on the lists & documentation
> > pages but cannot find anything relating to it.
> > 
> > I'm using m0n0wall on a Motium NPA-100
> > (http://www.motium.com/products/npa/index.html) which is an mini PC
> > made for the PoS/kiosk/network application market, they call it
> > embedded but it uses entirely x86 PC hardware.
> > 
> > My problem is I cannot get firewalling to work, I've setup two rules
> > on the LAN interface to block all ICMP and TCP from a certain host,
> > but neither seem to be working, I can ping the device from any host
> > on the LAN and connect to the web server from the host that is meant
> > to be firewalled (10.0.2.5).
> > 
> > I have attached my config.xml, screenshots of the firewall page, and
> > exec.php executing "ipfstat -hnio" are available from
> > http://www.omgwtfbbq.com.au/firewall_rules.jpg and
> > http://www.omgwtfbbq.com.au/exec-ipfstat-hnio.jpg
> > (I couldn't attach them because there's a 30k message size limit)
> > 
> > I have played with the order of the rules and rebooted the device
> > several times but it doesn't make any difference.
> > 
> > Thanks in advance for any help given,
> > 
> > Jordan.
> 
> Where does the host live? WAN, DMZ, LAN? If it lives on the LAN you
> will not be able to block traffic from another LAN client. But, I
> don't think this is the case.
> 
> You should create a rule with a source of LAN net and destination of
> 10.0.2.5... The second rule on your m0n0 would be translated as block
> packets from 10.0.2.5 going anywhere. Not block packets from anywhere
> going to 10.0.2.5 as I think you may think.
> 
> Also, the ICMP rule on your WAN is not necessary.
> 
> I am sending this from my hotel room at Disney. I will not have
> internet access again until Friday night.
> 
> _________________________________
> James W. McKeand

Sorry, let me clear things up.

There are 3 devices on my LAN, a notebook (10.0.2.6), a server
(10.0.2.5) and the m0n0wall box (10.0.2.30).

The WAN port of the m0n0wall box isn't plugged into anything, it is not
active, only the LAN port is being used at the moment while I set things
up, which is where 10.0.2.30 is being used.

I want to block packets coming from clients on the LAN (notebook &
server) going to the m0n0wall box.

I.e., I want to stop 10.0.2.5 from accessing m0n0wall's web GUI
configuration page, which is why I put in the "block TCP from 10.0.2.5
to *". I know this is a very broad rule just to stop https, but I
started off with a rule to block just the specific port and it did not
work, that's why I broadened it to all hosts/ports.

The rule to block ICMP from any to any was put in to stop any host on
the LAN (laptop or server) from pinging the m0n0wall box, which also
does not work - any host on the LAN can ping m0n0wall and m0n0wall can
ping any host on the LAN. The rule simply isn't working in either
direction.

To give you further proof that this isn't some stuff up of mine, I
_removed_ the pass rule that allows the LAN to access anything - there
are NO allow rules anywhere in the firewall, this should block anything
and everything, however it does nothing - even after a save & reboot.

I'm truly stumped by this problem.

Jordan
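Added example, not part of the thread and not m0n0wall's own filter code: a small first-match model of the rule sets discussed above, so the source/destination point in the reply and the "m0n0wall can still ping the LAN" observation can be checked against a concrete evaluation. It assumes (as in the m0n0wall rule model) that an interface's rules are evaluated top to bottom on packets entering that interface, first match wins, and traffic the firewall itself originates is not run through the LAN rules. The addresses are the ones from the thread; the LAN prefix 10.0.2.0/24 and the interface name "lan" are assumptions.

```python
"""First-match model of the LAN rules discussed in the thread.

Added example (not m0n0wall code). Assumptions: rules on an interface are
evaluated in order on packets entering that interface, first match wins,
and packets the firewall originates are not subject to those rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

LAN_NET = "10.0.2.0/24"   # assumed prefix; the thread only names hosts .5, .6 and .30
FIREWALL = "10.0.2.30"
SERVER = "10.0.2.5"
NOTEBOOK = "10.0.2.6"


@dataclass(frozen=True)
class Rule:
    action: str                 # "block" or "pass"
    proto: str                  # "tcp", "icmp" or "any"
    src: str                    # host, CIDR or "any"
    dst: str                    # host, CIDR or "any"
    dport: Optional[int] = None  # TCP destination port, None matches any port


@dataclass(frozen=True)
class Packet:
    ingress: Optional[str]      # interface the packet arrives on; None = sent by the firewall
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def evaluate(rulesets: Dict[str, List[Rule]], pkt: Packet, default: str = "block") -> str:
    """Verdict for pkt: 'pass', 'block', or 'unfiltered' when no interface rules apply."""
    if pkt.ingress is None or pkt.ingress not in rulesets:
        return "unfiltered"      # locally generated traffic is not evaluated (assumption)
    for rule in rulesets[pkt.ingress]:
        if _rule_matches(rule, pkt):
            return rule.action   # first match wins
    return default               # implicit block at the end of the list


# LAN rules as described in the thread, top to bottom.
AS_POSTED = {"lan": [
    Rule("block", "icmp", "any", "any"),
    Rule("block", "tcp", SERVER, "any"),
    Rule("pass", "any", LAN_NET, "any"),
]}

# Rules that express only what the poster says he wants: no web GUI from the
# server, no pings to the firewall, everything else on the LAN untouched.
NARROW = {"lan": [
    Rule("block", "tcp", SERVER, FIREWALL, dport=443),
    Rule("block", "icmp", LAN_NET, FIREWALL),
    Rule("pass", "any", LAN_NET, "any"),
]}


def verdicts(rulesets: Dict[str, List[Rule]]) -> Dict[str, str]:
    """Evaluate the flows from the thread against one rule set."""
    flows = {
        "server->fw https":  Packet("lan", "tcp", SERVER, FIREWALL, 443),
        "notebook->fw https": Packet("lan", "tcp", NOTEBOOK, FIREWALL, 443),
        "server->notebook tcp": Packet("lan", "tcp", SERVER, NOTEBOOK, 80),
        "notebook->server tcp": Packet("lan", "tcp", NOTEBOOK, SERVER, 80),
        "notebook->fw ping": Packet("lan", "icmp", NOTEBOOK, FIREWALL),
        "fw->notebook ping": Packet(None, "icmp", FIREWALL, NOTEBOOK),
    }
    return {name: evaluate(rulesets, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, rs in (("as posted", AS_POSTED), ("narrow", NARROW)):
        print(label)
        for name, verdict in verdicts(rs).items():
            print(f"  {name:22s} {verdict}")
```

Two things the output makes concrete. "Block TCP from 10.0.2.5 to *" is directional: under the posted rules the server's own connections are blocked, but the notebook can still reach the server, because a rule with the server as source says nothing about packets going to it. And a ping the firewall sends to the LAN never enters the LAN interface, so even correctly working LAN rules would not stop it; the "either direction" test in the message is only meaningful for pings arriving at the box. In this model the posted rules do match the server's HTTPS traffic to 10.0.2.30, so rule syntax and ordering alone do not explain what the poster saw.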