 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Cvetomir Conev <cvetomirconev at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] WebGUI, DNS blocking on selected interfaces
 Date:  Sat, 25 Jun 2005 16:16:05 -0400
On 6/25/05, Cvetomir Conev <cvetomirconev at gmail dot com> wrote:
> 
> The address of the OPT interface is 10.1.180.95/25.
> 
> I don't know what could possibly be the reason to open such a large
> hole in the firewall based on the existence of the static route alone.
> It might be useful in some specific scenario, for example multiple
> internal networks. I'm glad you removed it in the later versions.
> 

Ok, I believe I remember what Manuel said about that now.  When you
add a static route, it adds those rules to allow traffic in and out of
the *same interface only*.  It's not allowing those networks to
anything other than each other, and only on the OPT interface.
They're added on the back end because Manuel didn't want to keep state
on traffic passed into and out of the same interface, for performance
reasons.

Because your static route technically wasn't specific enough (the /8
includes local networks that shouldn't have a static route), it falls
into the category of things that get screwed up by that methodology.
:)

-Chris
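A small audit check that follows from the explanation above, added here as an example and not code from the thread or from m0n0wall: given an interface's address/prefix and the static routes configured on it, flag any route whose destination contains (or sits inside) the interface's own subnet, since the same-interface pass rules that m0n0wall adds for that route would then cover the local segment as well. Routes to genuinely separate internal networks are left alone. The interface names, the sample configuration and the function names are assumptions for illustration.

```python
import ipaddress

def overlapping_routes(interface_cidr, routes):
    """Flag static routes whose destination overlaps the interface's own subnet.

    interface_cidr: interface address with prefix, e.g. "10.1.180.95/25"
    routes: destination networks of the static routes configured on it
    Returns (route, local_network, relation) tuples; an empty list is clean.
    """
    local = ipaddress.ip_interface(interface_cidr).network  # 10.1.180.0/25
    findings = []
    for dest in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if net.supernet_of(local):
            # The /8 case from the thread: the route also covers the local
            # segment, so the same-interface pass rules cover it too.
            findings.append((dest, str(local), "contains local network"))
        elif net.subnet_of(local):
            # A route for part of the directly attached subnet is likewise
            # not a real "other network" and deserves a look.
            findings.append((dest, str(local), "inside local network"))
    return findings

def audit(interfaces):
    """interfaces: {name: (interface_cidr, [route, ...])} -> {name: findings}."""
    report = {}
    for name, (cidr, routes) in interfaces.items():
        hits = overlapping_routes(cidr, routes)
        if hits:
            report[name] = hits
    return report

# Constructed sample configuration (hypothetical, not from the thread): the OPT
# address quoted in the mail, a too-broad /8 route, and a legitimate route to a
# separate internal network reached through a gateway on each segment.
SAMPLE_CONFIG = {
    "opt1": ("10.1.180.95/25", ["10.0.0.0/8", "192.168.50.0/24"]),
    "lan":  ("192.168.1.1/24", ["192.168.50.0/24"]),
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_CONFIG).items():
        for route, local, why in hits:
            print(f"{name}: static route {route} {why} {local}")
```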