On 5/4/05, Robert Högberg <baggio at atari dot org> wrote:
> > >
> > > I've blocked traffic from 192.168.50.x (monowall 2) to 192.168.40.x
> > > (monowall 1) but monowall 2 happily ignores the rules. And yes,
> > > I am initiating traffic from behind monowall 1.
> > >
> > Is the rule above the default allow all rule? You have any static
> > routes on the system? (they would be unnecessary and could mess up
> > filtering)
> The rule is the only one in the lan-section. Yes, I have a bunch of
> static rules that need to be there because of multiple subnets.
Wait, from the sounds of the above, you put the rules on the wrong
side. Only outbound traffic destined for the opposite side gets
filtered. i.e. if you have site A with 192.168.50.0/24 and site B
with 192.168.40.0/24, to block traffic from 50.x to 40.x, you need a
rule on m0n0 A to do that.
The static routes aren't necessary and can mess things up if you're
entering them for subnets that are directly connected to m0n0wall
either through VPN or any local interface.
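A small model of the rule-placement point made above, added here as an illustration and not part of the thread or of m0n0wall itself. It assumes the behaviour the reply describes: LAN rules on a m0n0wall are evaluated only for new connections entering from that box's own LAN (traffic leaving the site), and nothing else is filtered. The site names, addresses and the `Firewall`/`send` helpers are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: m0n0 A fronts 192.168.50.0/24, m0n0 B fronts
# 192.168.40.0/24, and the two sites are joined by a VPN.
SITE_A = ip_network("192.168.50.0/24")
SITE_B = ip_network("192.168.40.0/24")


class Firewall:
    """Simplified m0n0wall: LAN rules are checked only for connections that
    enter through this box's own LAN interface (outbound from its site).
    First matching rule wins; no match falls through to the implicit allow."""

    def __init__(self, name, lan, lan_rules=()):
        self.name = name
        self.lan = lan
        # each rule is (action, source network, destination network)
        self.lan_rules = list(lan_rules)

    def filter_lan(self, src, dst):
        for action, src_net, dst_net in self.lan_rules:
            if src in src_net and dst in dst_net:
                return action
        return "pass"  # default allow-all at the end of the LAN rule set


def send(src, dst, firewalls):
    """Verdict for a NEW connection from src to dst.

    Only the firewall whose LAN contains src sees the connection on its LAN
    interface. The remote firewall receives it over the VPN, where the LAN
    rules never apply, and the replies ride the existing state entry, so the
    remote side's LAN rules are not consulted for them either."""
    src, dst = ip_address(src), ip_address(dst)
    for fw in firewalls:
        if src in fw.lan:
            return fw.name, fw.filter_lan(src, dst)
    return None, "unrouted"


# The rule the poster wants: block 192.168.50.x -> 192.168.40.x.
BLOCK_50_TO_40 = ("block", SITE_A, SITE_B)


def rule_on_a_connection_from_a():
    """Rule on the 50.x side, connection initiated from 50.x: blocked."""
    fws = [Firewall("m0n0 A", SITE_A, [BLOCK_50_TO_40]), Firewall("m0n0 B", SITE_B)]
    return send("192.168.50.10", "192.168.40.10", fws)


def rule_on_a_connection_from_b():
    """Same rule, but the connection is initiated from 40.x: it leaves via
    m0n0 B's LAN, so m0n0 A's LAN rule is never evaluated and it passes."""
    fws = [Firewall("m0n0 A", SITE_A, [BLOCK_50_TO_40]), Firewall("m0n0 B", SITE_B)]
    return send("192.168.40.10", "192.168.50.10", fws)


def rule_on_b_connection_from_a():
    """Rule placed on the 40.x side instead: traffic from 50.x never enters
    m0n0 B's LAN interface, so the rule matches nothing and the connection
    passes on m0n0 A's default allow."""
    fws = [Firewall("m0n0 A", SITE_A), Firewall("m0n0 B", SITE_B, [BLOCK_50_TO_40])]
    return send("192.168.50.10", "192.168.40.10", fws)


if __name__ == "__main__":
    for case in (rule_on_a_connection_from_a,
                 rule_on_a_connection_from_b,
                 rule_on_b_connection_from_a):
        print(f"{case.__name__}: {case()}")
```

The third case is the trap the reply warns about: a rule for `50.x -> 40.x` sitting on the 40.x box can never match, and the second case shows why connections initiated from the other site sail through even when the rule is on the right box. Static routes are deliberately absent from the model, since, as the reply notes, they are not needed for networks that are directly connected or reached over the VPN.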