 From:  • • <googl3meister at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  1.2b7 HEADS UP- IPFilter rules won't stop ICMP on LAN interface
 Date:  Wed, 25 May 2005 10:54:02 +1000

I've noticed that even with no rules to allow incoming ICMP to the LAN
interface, m0n0wall can still be pinged from the LAN side.  Worse,
specifically creating a rule to deny everything not explicitly allowed
has the same result! (Yes, I remember to hit Apply after saving the

All other rules are TCP or UDP and are allowed.
pass tcp....
pass tcp....
pass udp....
pass udp...
block & log everything from any to any -> can STILL ping the interface
from the LAN. No fw log msg.

I have only the one block rule (I have logging enabled so I can see
what is blocked and what is not).

I've tried:
block log (all protocols) from any to any

block log (all icmp) from any to any

block log (all icmp incoming echo request) from any to any

Ping works in all the above cases...

Just wondering:
- is this a default rule somewhere, and if so, what are the other
default rules? (Hope this is not the case)
- is it beta-related? (Hope so...)

This is a very simple setup:
ADSL modem -> m0n0wall -> PC
m0n0 adsl    203.x.y.z
m0n0 lan     10.a.b.c

Default allow LAN rule changed to block and log, allow rules for TCP
connections added above it, no WAN rules at all (everything blocked,
incl ICMP???? which is working according to logs...), DHCP internal
enabled, DNS forwarding enabled, SNMP enabled.  Everything else off.
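The symptom in the post (ping answered, nothing logged) is easiest to reason about with IPFilter's matching semantics in front of you: rules are scanned top to bottom, the last matching rule decides unless a matching rule carries `quick`, which ends the scan immediately, and a packet that matches nothing is passed. The following is an added example, not code from the post or from m0n0wall. It models those semantics in a few lines of Python, runs a constructed approximation of the LAN rule set described above (the port numbers are assumptions) against an ICMP echo request, and then shows what happens if a hypothetical `pass in quick proto icmp` rule sat ahead of the user's rules: ping succeeds and the block rule is never reached, so no log entry is produced. Whether m0n0wall actually installs such a rule is exactly the question the post asks, and the example does not claim it does.

```python
"""Toy model of IPFilter (ipf) rule evaluation: top-down scan, last match wins
unless a matching rule is 'quick', default pass when nothing matches.
Added example; not m0n0wall's generated ruleset."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    proto: Optional[str] = None      # "tcp", "udp", "icmp"; None means any protocol
    dst_port: Optional[int] = None   # TCP/UDP destination port; None means any
    icmp_type: Optional[str] = None  # e.g. "echo-request"; None means any ICMP type
    quick: bool = False              # ipf 'quick': stop scanning on match
    log: bool = False                # ipf 'log': record the match


@dataclass
class Packet:
    proto: str
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A None field in the rule is a wildcard; every other field must be equal."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, Optional[int]]:
    """Return (verdict, logged, index of the deciding rule or None)."""
    verdict, logged, winner = "pass", False, None   # ipf default: no match -> pass
    for i, r in enumerate(rules):
        if matches(r, pkt):
            verdict, logged, winner = r.action, r.log, i
            if r.quick:                              # 'quick' ends the scan
                break
    return verdict, logged, winner


# Constructed approximation of the LAN rule set described in the post,
# written as 'quick' rules so the first match wins. Ports are assumptions.
LAN_RULES = [
    Rule("pass", "tcp", dst_port=80, quick=True),
    Rule("pass", "tcp", dst_port=443, quick=True),
    Rule("pass", "udp", dst_port=53, quick=True),
    Rule("pass", "udp", dst_port=123, quick=True),
    Rule("block", quick=True, log=True),    # block & log everything else
]

# Hypothetical rule placed ahead of the user's rules (assumption: the post
# does not confirm such a rule exists). If present, ping would succeed and the
# block rule would never be reached, so nothing would be logged.
HIDDEN_ICMP_PASS = Rule("pass", "icmp", quick=True)

# Constructed sample packets arriving on the LAN interface.
PING = Packet("icmp", icmp_type="echo-request")
HTTP = Packet("tcp", dst_port=80)
SMB = Packet("tcp", dst_port=445)


def verdict_for(pkt: Packet, hidden_rule_first: bool = False) -> Tuple[str, bool]:
    """Evaluate pkt against LAN_RULES, optionally with HIDDEN_ICMP_PASS ahead of them."""
    rules = ([HIDDEN_ICMP_PASS] if hidden_rule_first else []) + LAN_RULES
    action, logged, _ = evaluate(rules, pkt)
    return action, logged


def last_match_wins_demo() -> Tuple[str, str]:
    """The same ICMP pass rule with and without 'quick': without it, ipf keeps
    scanning and the later block rule overrides the pass. Returns
    (verdict without quick, verdict with quick)."""
    no_quick = [Rule("pass", "icmp"), Rule("block", log=True)]
    with_quick = [Rule("pass", "icmp", quick=True), Rule("block", log=True)]
    return evaluate(no_quick, PING)[0], evaluate(with_quick, PING)[0]


if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("http", HTTP), ("smb", SMB)):
        print(f"{name:5s} visible rules only : {verdict_for(pkt)}")
    print(f"ping  with hidden pass  : {verdict_for(PING, hidden_rule_first=True)}")
    print(f"pass icmp without/with quick, then block: {last_match_wins_demo()}")
```

The visible rule set blocks and logs the echo request, so "ping works, nothing logged" cannot come from those rules alone: either a matching rule sits earlier in the loaded chain, or the packet is handled before the filter sees it. On the box itself the loaded chain, including anything the GUI does not show, can be listed with `ipfstat -nio`, and `ipfstat -nhio` adds per-rule hit counters, which is the quickest way to see which rule a ping is actually hitting.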