On Thu, 10 Feb 2005 01:30:04 -0500, Jesse Guardiani <jesse at wingnet dot net> wrote:
> Finally, do you think there would be any value for expert m0n0wall
> users in a webGUI knob to turn off anti-spoofing rules entirely? Now
> that I know they exist, I realize that I've run into problems with
> these anti-spoofing rules not just in bridge setups, but also in pure
> routing setups. A "disable anti-spoofing rules" knob seems like a great
> debugging tool to me. Running into strange invisible rules blocking
> your traffic? Turn off anti-spoof rules!
I very recently documented troubleshooting firewall rules, including
how to use status.php to do so.
Rather than just disabling the rules to see if that just happens to be
the problem, I'd much rather see people figure out what the problem is
and proceed appropriately from there.
Given a proper setup, the antispoofing rules should never drop any
legit traffic. For example, the LAN or OPT interfaces get rules that
drop anything not on the LAN/OPT subnet directly. If you add a
static route to that interface, it also permits the network added in
the static route. This makes sense because m0n0wall wouldn't know how
to return any traffic to those destinations on that interface, so
there's no point in passing it.
I haven't seen any appropriate network setups other than this bridging
setup that have had problems with the antispoofing rules. If you know
of one, let us know.