 
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Vpn tunnel and fw-rules
 Date:  Wed, 4 May 2005 16:21:30 -0400
> 
> > >
> > > I've blocked traffic from 192.168.50.x (m0n0wall 2) to 192.168.40.x
> > > (m0n0wall 1) but m0n0wall 2 happily ignores the rules. And yes,
> > > I am initiating traffic from behind m0n0wall 1.
> > >
> >
> > Is the rule above the default allow all rule?  You have any static
> > routes on the system?  (they would be unnecessary and could mess up
> > filtering)
> >
> The rule is the only one in the LAN section. Yes, I have a bunch of
> static rules that need to be there because of multiple subnets.
> 

Wait, from the sounds of the above, you put the rules on the wrong
side.  Only outbound traffic destined for the opposite side gets
filtered.  i.e. if you have site A with 192.168.50.0/24 and site B
with 192.168.40.0/24, to block traffic from 50.x to 40.x, you need a
rule on m0n0 A to do that.

The static routes aren't necessary and can mess things up if you're
entering them for subnets that are directly connected to m0n0wall
either through VPN or any local interface.

-Chris
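Added example, not part of the original thread: the rule placement Chris describes, written as the <filter> section of m0n0wall A's config.xml. Site A is assumed to own 192.168.50.0/24 on its LAN and site B 192.168.40.0/24 at the far end of the IPsec tunnel; the tag names are the ones used by m0n0wall's config.xml as I remember them (type, interface, source/network, destination/address), so check them against a backup of your own config before editing it by hand. The rule is written on A's LAN interface, because that is where traffic from 50.x to 40.x enters the firewall; a rule on m0n0wall B would never see this traffic, which is why the poster's rule was ignored. The block rule is listed before the default allow so it matches first.

```xml
<filter>
  <!-- Site A (192.168.50.0/24). Rules are evaluated top-down, first match wins,
       so the block must appear above the default pass rule. -->
  <rule>
    <type>block</type>
    <interface>lan</interface>
    <source>
      <network>lan</network>           <!-- 192.168.50.0/24, the local LAN -->
    </source>
    <destination>
      <address>192.168.40.0/24</address>  <!-- site B's LAN, reached via the VPN -->
    </destination>
    <descr>Block site A LAN to site B LAN over the tunnel</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any/>
    </destination>
    <descr>Default LAN -> any (everything else, including other VPN subnets)</descr>
  </rule>
</filter>
```

If you also want to stop hosts at site B from reaching site A, add the mirror-image block rule on m0n0wall B's LAN interface (source: its LAN, destination: 192.168.50.0/24); each side filters only the traffic leaving its own LAN toward the tunnel. As Chris notes, no static route for 192.168.40.0/24 belongs on m0n0wall A: the IPsec tunnel already handles that subnet, and a static route pointing elsewhere can bypass the rule you just added.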