On Thu, 10 Feb 2005 01:30:04 -0500, Jesse Guardiani <jesse at wingnet dot net> wrote:
>
> Finally, do you think there would be any value for expert m0n0wall
> users in a webGUI knob to turn off anti-spoofing rules entirely? Now
> that I know they exist, I realize that I've run into problems with
> these anti-spoofing rules not just in bridge setups, but also in pure
> routing setups. A "disable anti-spoofing rules" knob seems like a great
> debugging tool to me. Running into strange invisible rules blocking
> your traffic? Turn off anti-spoof rules!
>

I very recently documented troubleshooting firewall rules, including how to use status.php to do so.

http://m0n0.ch/wall/docbook/troubleshooting-firewall-rules.html

Rather than just disabling the rules to see if that just happens to be the problem, I'd much rather see people figure out what the problem is and proceed appropriately from there.

Given a proper setup, the antispoofing rules should never drop any legit traffic. For example, the LAN or OPT interfaces get rules that drop anything not on the LAN/OPT subnet directly. If you add a static route to that interface, it also permits the network added in the static route. This makes sense because m0n0wall wouldn't know how to return any traffic to those destinations on that interface, so there's no point in passing it.

I haven't seen any appropriate network setups other than this bridging setup that have had problems with the antispoofing rules. If you know of one, let us know.

-Chris
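
An added illustration, not part of the original message and not m0n0wall's own code: a simplified Python model of the anti-spoofing behaviour described above, where an interface accepts a source address only if it falls in that interface's subnet or in a static route added on it. The interface names, subnets, static route and the `diagnose` helper are constructed for the example.

```python
import ipaddress

# Constructed sample configuration (assumption, not taken from the message).
INTERFACES = {
    "LAN":  {"subnet": "192.168.1.0/24", "static_routes": ["10.20.0.0/16"]},
    "OPT1": {"subnet": "192.168.2.0/24", "static_routes": []},
}

def allowed_sources(iface, config=INTERFACES):
    """Networks whose addresses may appear as a source on this interface:
    the directly attached subnet plus any static routes pointing out of it."""
    entry = config[iface]
    names = [entry["subnet"], *entry["static_routes"]]
    return [ipaddress.ip_network(n) for n in names]

def verdict(iface, src, config=INTERFACES):
    """Return 'pass' or 'drop' for a packet with source `src` arriving on `iface`."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in allowed_sources(iface, config)):
        return "pass"
    return "drop"

def diagnose(iface, src, config=INTERFACES):
    """Explain a drop instead of disabling the check: is the source expected
    on another interface, or is no subnet/static route covering it at all?"""
    if verdict(iface, src, config) == "pass":
        return f"{src} on {iface}: pass"
    others = [i for i in config if i != iface and verdict(i, src, config) == "pass"]
    if others:
        return f"{src} on {iface}: drop (source belongs behind {', '.join(others)})"
    return f"{src} on {iface}: drop (no subnet or static route on {iface} covers it)"

if __name__ == "__main__":
    # Constructed (interface, source address) pairs.
    samples = [
        ("LAN", "192.168.1.50"),   # directly attached host
        ("LAN", "10.20.3.4"),      # routed network with a static route on LAN
        ("LAN", "10.30.0.1"),      # routed network with no static route
        ("OPT1", "192.168.1.50"),  # LAN address showing up on OPT1
    ]
    for iface, src in samples:
        print(diagnose(iface, src))
```
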