[ previous ] [ next ] [ threads ]
 
 From:  Dave O <dso at mssystems dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NATed firewall + OPT1 subnet problems...
 Date:  Mon, 24 Nov 2003 16:46:44 -0600
Heh, forgot to CC the list.

do

Manuel Kasper wrote:

> On 24.11.2003, at 22:36, Dave O wrote:
> 
>> It works ok and I've got rules set up to block out the nasty stuff.
> 
> 
> Instead of setting up rules to block the nasty stuff, you should rather 
> make sure all your pass rules only pass stuff you want. Then the rest is 
> blocked by default. Good firewall practices. ;)

Actually, everything from outside is blocked by default.  I just set up
some 1:1 NATing for web and mail server.  I'm in the process of figuring
out what outgoing stuff to block.

>> Making the following assumptions:
>>
>> WAN is  192.168.0.55
>> LAN is  172.16.33.1
>> OPT1 is 172.16.34.1
> 
> 
> Assuming the subnet masks on LAN and OPT1 are /24, that's very well 
> possible.
> 
>> Nothing from OPT1 should go out to the WAN.
> 
> 
> As long as you don't set up any rule for the OPT1 interface, nothing 
> will go out from OPT1 to anywhere.

Good to know.  I was setting up rules to block OPT1 from WAN.  I guess I
can get rid of those now.

>> Ports 137-139 are allowed between OPT1 and LAN.
> 
> 
> Easy! Just add a rule that permits traffic on interface OPT1, source 
> OPT1 subnet, destination LAN subnet, on the ports you want to allow. If 
> you still have the default rule on LAN (allow from LAN to any) in 
> effect, then LAN hosts will be able to establish connections with OPT1 
> hosts on any port (but not vice versa).
> 
> Don't forget that the rules only deal with the first packet of each 
> connection. Once that is allowed by your ruleset, all packets belonging 
> to the same connection (even in the other direction) are passed - no 
> matter what your ruleset says!

This has cleared up quite a bit actually.

>> LAN is NATed.  I'm getting a bit confused in trying to set this up.  
>> Since LAN is NATed - and after reading the ipfilter FAQ - should rules 
>> on OPT1 be set up to allow from network 192.168.0.55 or 172.16.33.1.  
>> IPFilter supposedly does NAT translation once a packet passes through 
>> the interface.  THEN it does the rule handling.
> 
> 
> Not quite. m0n0wall handles NAT on the WAN interface, but your LAN <-> 
> OPT1 communication never passes through the WAN interface, so you don't 
> have to worry about NAT at all there.
> 
> Guess I should write an explanation on how filter rules are handled in 
> m0n0wall...

Well, I guess it might've been information overload on my part.  I read
too much into Darren's diagram on the ipfilter faq.

> HTH,

It has helped quite a bit.  All the contributors and you have done a
great job with m0n0wall, so much so that the only complaint I have is
having to reach up with my pinkie to type the '0' in the name.  :)