 From:  "Daniel Foster" <dan at melbourne dot co dot uk>
 To:  "Chris James" <lists at chrisjames dot me dot uk>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Firewall scenario
 Date:  Thu, 9 Jun 2005 09:31:31 +0100
Chris,

It's worth a shot, but I think the static route would cause a loop: pushing it into the WAN interface,
it'll look at the same route and just do the same thing again.  I will give it a try though, I like
your thinking :)

Dan 

 | -----Original Message-----
 | From: Chris James [mailto:lists at chrisjames dot me dot uk] 
 | Sent: 08 June 2005 12:56
 | To: Daniel Foster
 | Subject: RE: [m0n0wall] Firewall scenario
 | 
 | 
 | Hey Dan,
 | 
 | Can you test if static routes take precedence over m0n0's 
 | own routing table? If so, could you do the following:
 | 
 | rather than
 | 
 | m0n0wall lan1 -> m0n0wall lan2
 |  
 | implement:
 | 
 | m0n0wall lan1 -> static route -> m0n0wall wan -> m0n0wall lan2
 | 
 | then you could just do your filtering on the wan interface
 | 
 | Complete shot in the dark though - probably won't work :)
 | 
 | Chris.
 | 
 | 
 | On Tue, 7 Jun 2005 16:35:20 +0100, "Daniel Foster" 
 | <dan at melbourne dot co dot uk>
 | said:
 | > Anyone!?!?
 | > 
 | > Kind Regards
 | > Dan Foster
 | > 
 | >  | -----Original Message-----
 | >  | From: Daniel Foster [mailto:dan at melbourne dot co dot uk]
 | >  | Sent: 06 June 2005 18:01
 | >  | To: m0n0wall at lists dot m0n0 dot ch
 | >  | Subject: [m0n0wall] Firewall scenario
 | >  | 
 | >  | Hi,
 | >  | 
 | >  | First of all, thanks to those who helped re the network stuff
 | >  | question; it worked as planned. By enabling the advanced outbound
 | >  | NAT it let me sit public-IP-addressed subnets on various interfaces
 | >  | perfectly.  Also got VLANs up and running happily with fxp cards,
 | >  | although I think I had the parent port closed down issue since I'd
 | >  | not allocated a subnet to it.... anyway it's working now.
 | >  | 
 | >  | So I've got a test box with m0n0wall on in the datacentre, and I'm
 | >  | trying to visualise our environment.
 | >  | 
 | >  | Basically we're a co-location provider, so we give customers a
 | >  | small subnet, and they tell us what they want allowed in
 | >  | traffic-wise, usually common ports like 80, 25, 21 etc.  Now
 | >  | obviously we want those blocked not only from the outside world,
 | >  | but also from other customers who live in different subnets & VLANs
 | >  | serviced from the same m0n0wall box.  But I don't want to block
 | >  | communication between them totally, i.e. if a customer wants port
 | >  | 80 open to the world, it needs to be open to WAN as well as all the
 | >  | other interfaces....
 | >  | 
 | >  | Now this is where the issue seems to lie for me: I can't find an
 | >  | economical way of saying "block traffic going out of interface x".
 | >  | You have to set it as where the traffic enters the m0n0wall box, so
 | >  | theoretically if we had 30 subnets/VLANs, I'd have to set 30 rules
 | >  | for each port I wanted to open for a customer.  And then if I add
 | >  | further interfaces I'd have to add the rule again.
 | >  | 
 | >  | I suppose what I'm asking is, is there any way of filtering traffic
 | >  | based on where it *leaves* m0n0wall instead of where it arrives
 | >  | from?  Or am I missing something?
 | >  | 
 | >  | Any insights would be appreciated!!
 | >  | 
 | >  | Kind Regards,
 | >  | Dan Foster
 | >  | 
 | >  | --
 | >  | No virus found in this outgoing message.
 | >  | Checked by AVG Anti-Virus.
 | >  | Version: 7.0.323 / Virus Database: 267.6.2 - Release Date: 04/06/2005
 | >  | 
 | >  | ---------------------------------------------------------------------
 | >  | To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
 | >  | For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
 | > 
 | --
 |   Chris James
 |   http://www.chrisjames.me.uk

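The rule-count problem Dan describes (a filter rule is matched on the interface a packet enters, so opening one port for one customer needs a rule on every other interface, and 30 VLANs means 30 rules per port) can be modelled and checked in a few lines. The block below is an added example written for this page; it is not code from the thread or from the m0n0wall project, and the Rule structure, interface names, subnets and ports are constructed assumptions, not m0n0wall's configuration format.

```python
"""Ingress-interface rule expansion: the policy-size problem from the thread.

Added illustration, not m0n0wall code and not its config format.  It models
the one property the thread is about: a filter rule is evaluated on the
interface a packet ENTERS, so "port 80 to customer A is open from
everywhere" needs one rule per ingress interface.  Interface names, subnets
and ports below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    ingress: str    # interface the packet arrives on (what the filter matches)
    dst_net: str    # destination subnet, CIDR
    dport: int      # destination TCP port
    action: str = "pass"


def expand_ingress_rules(interfaces, customers):
    """Emit the pass rules needed under ingress-only matching.

    interfaces: every interface on the box, e.g. ["wan", "vlan10", ...]
    customers:  {customer_iface: (customer_subnet, [allowed_ports])}

    For each customer port, one rule per ingress interface other than the
    customer's own (traffic entering on its own interface is its outbound
    traffic, not the inbound exposure being opened here).
    """
    rules = []
    for cust_if, (subnet, ports) in customers.items():
        for port in ports:
            for ingress in interfaces:
                if ingress == cust_if:
                    continue
                rules.append(Rule(ingress, subnet, port))
    return rules


def evaluate(rules, ingress, dst_ip, dport):
    """First-match evaluation with an implicit default block."""
    dst = ip_address(dst_ip)
    for r in rules:
        if (r.ingress == ingress and r.dport == dport
                and dst in ip_network(r.dst_net)):
            return r.action
    return "block"


def rules_per_port(num_interfaces):
    """Cost of one opened port with N interfaces (WAN plus N-1 customer
    interfaces): a rule on every interface except the customer's own."""
    return num_interfaces - 1


# Constructed sample topology: WAN plus three customer VLANs.
INTERFACES = ["wan", "vlan10", "vlan20", "vlan30"]
CUSTOMERS = {
    "vlan10": ("192.0.2.0/28", [80]),          # web only
    "vlan20": ("198.51.100.0/28", [25, 80]),   # mail + web
    "vlan30": ("203.0.113.0/28", [21]),        # ftp control only
}
RULES = expand_ingress_rules(INTERFACES, CUSTOMERS)

if __name__ == "__main__":
    print(f"{len(RULES)} rules for {len(INTERFACES)} interfaces")
    for r in RULES:
        print(f"  on {r.ingress:6} {r.action} tcp -> {r.dst_net} port {r.dport}")
    big = ["wan"] + [f"vlan{i}" for i in range(1, 31)]
    print("one port on a 30-VLAN box costs", rules_per_port(len(big)), "rules")
```

Running it lists 12 rules for the three-customer sample and reports 30 for the 30-VLAN case, which is exactly the growth Dan describes: the count scales with interfaces times opened ports, and adding an interface means revisiting every customer's rule set. The evaluate function is the check worth keeping when maintaining such a policy by hand: a port no rule opens stays blocked from every interface, and a customer's opened port is reachable from WAN and from the other customer VLANs alike.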