Heh, forgot to CC the list.
Manuel Kasper wrote:
> On 24.11.2003, at 22:36, Dave O wrote:
>> It works ok and I've got rules set up to block out the nasty stuff.
> Instead of setting up rules to block the nasty stuff, you should rather
> make sure all your pass rules only pass stuff you want. Then the rest is
> blocked by default. Good firewall practices. ;)
Actually, everything from outside is blocked by default. I just set up
some 1:1 NATing for web and mail server. I'm in the process of figuring
out what outgoing stuff to block.
>> Making the following assumptions:
>> WAN is 192.168.0.55
>> LAN is 172.16.33.1
>> OPT1 is 172.16.34.1
> Assuming the subnet masks on LAN and OPT1 are /24, that's very well
>> Nothing from OPT1 should go out to the WAN.
> As long as you don't set up any rule for the OPT1 interface, nothing
> will go out from OPT1 to anywhere.
Good to know. I was setting up rules to block OPT1 from WAN. I guess I
can get rid of those now.
>> Ports 137-139 are allowed between OPT1 and LAN.
> Easy! Just add a rule that permits traffic on interface OPT1, source
> OPT1 subnet, destination LAN subnet, on the ports you want to allow. If
> you still have the default rule on LAN (allow from LAN to any) in
> effect, then LAN hosts will be able to establish connections with OPT1
> hosts on any port (but not vice versa).
> Don't forget that the rules only deal with the first packet of each
> connection. Once that is allowed by your ruleset, all packets belonging
> to the same connection (even in the other direction) are passed - no
> matter what your ruleset says!
This has cleared up quite a bit actually.
>> LAN is NATed. I'm getting a bit confused in trying to set this up.
>> Since LAN is NATed - and after reading the ipfilter FAQ - should rules
>> on OPT1 be set up to allow from network 192.168.0.55 or 172.16.33.1?
>> IPFilter supposedly does NAT translation once a packet passes through
>> the interface. THEN it does the rule handling.
> Not quite. m0n0wall handles NAT on the WAN interface, but your LAN <->
> OPT1 communication never passes through the WAN interface, so you don't
> have to worry about NAT at all there.
> Guess I should write an explanation on how filter rules are handled in
Well, I guess it might've been information overload on my part. I read
too much into Darren's diagram on the ipfilter faq.
It has helped quite a bit. All the contributors and you have done a
great job with m0n0wall, so much so that the only complaint I have is
having to reach up with my pinkie to type the '0' in the name. :)
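As an added illustration that is not part of this thread, here is a small Python model of the interface-based, stateful matching Manuel describes: each interface's pass rules see only the first packet of a connection, later packets of that connection (in either direction) pass via state, and anything unmatched is denied by default. The /24 masks are assumed as in the thread, and the OPT1-to-LAN rule for ports 137-139 is the one from Dave's question; the packet tuples are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the thread, masks assumed /24 as Manuel did.
LAN = ipaddress.ip_network("172.16.33.0/24")
OPT1 = ipaddress.ip_network("172.16.34.0/24")

@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "LAN" or "OPT1"
    src: str
    dst: str
    dport: int
    sport: int

@dataclass
class Rule:
    iface: str
    src_net: Optional[ipaddress.IPv4Network]   # None = any
    dst_net: Optional[ipaddress.IPv4Network]   # None = any
    ports: Optional[range]                     # destination ports, None = any

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and (self.src_net is None or ipaddress.ip_address(p.src) in self.src_net)
                and (self.dst_net is None or ipaddress.ip_address(p.dst) in self.dst_net)
                and (self.ports is None or p.dport in self.ports))

# Constructed ruleset mirroring the thread: the default LAN rule passes LAN to any;
# OPT1 may only reach the LAN subnet on 137-139; everything else is denied.
RULES = [
    Rule("LAN", LAN, None, None),
    Rule("OPT1", OPT1, LAN, range(137, 140)),
]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, sport, dst, dport) of connections already allowed

    def pass_packet(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Packets of an established connection pass regardless of the rules.
        if fwd in self.states or rev in self.states:
            return True
        # Only the first packet is evaluated against the ruleset; default deny.
        if any(r.matches(p) for r in self.rules):
            self.states.add(fwd)
            return True
        return False
```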