> When setting up the rules for m0n0 I first did an inbound NAT TCP 80 (HTTP) 220.127.116.11 80 (HTTP)
> web server and I selected create rule automatically. Now when I look at the rule I see:
> TCP * * 18.104.22.168 80 (HTTP) NAT web server.
> I've been using Smoothwall Express for the past few years and when creating a rule you start with
> protocol then source port etc. and the rule would look like this:
> TCP ALL 80 (HTTP) 22.214.171.124 80 (HTTP)
> My question is; should the source port not be set to 80 (HTTP) as well and if not doesn't that
> rule leave the WAN open to everything?
Hi Peter... No, Smoothwall (IMHO) INCORRECTLY refers to the destination
port on the firewall's WAN interface as the SOURCE port in its rules.
In general terms, each end of a connection (TCP) has an IP address and a
port associated with it - These 4 pieces of information make up a socket.
clientIP:sourceport -----> serverIP:destinationport
When a web browser on a client makes a connection to a web server on the
web server's destination port 80, the client's SOURCE port should be a
port number in the unprivileged range between 1024 and 65535.
clientIP:23456 -----> webserverIP:80 is a normal, proper-looking
connection - ie: 1023 < sourceIP < 65536
clientIP:120 -----> webserverIP:80
clientIP:80 -----> webserverIP:80
signify that the client is doing something non-standard and might
trigger some alarms or firewall rules at some sites.
So, monowall's rules definition and use of the term "SOURCE port" is
correct and less confusing than Smoothwall's.
With m0n0wall you can actually define the real source port range as only
unprivileged ports 1024-65535 (very anal retentive security people often
define their firewall rules like this) because there is no good reason
that a client should be allocating privileged ports to make outbound
connections. Some may argue :)
With Smoothwall, you can not do this.
In any case, both rules (m0n0 and Smoothy) that you listed above mean
the same thing because you can not specify the REAL source port in a
I hope this helps to clarify this a bit.
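To make the socket/port-matching point above concrete, here is an added example (not code from the thread or from m0n0wall) that models the two rules as 4-tuple matchers: the permissive m0n0 rule (any source port, destination port 80) and the stricter variant that only admits unprivileged source ports. The IP addresses and rule names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# None stands for the '*' (any) in m0n0wall's rule display.
PortRange = Optional[Tuple[int, int]]

# Constructed addresses (documentation ranges), not the ones from the thread.
WEB_SERVER = "192.0.2.80"
CLIENT = "203.0.113.5"


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src_ip: Optional[str]      # None = any source address
    src_ports: PortRange       # None = any source port
    dst_ip: str
    dst_ports: PortRange

    @staticmethod
    def _in_range(port: int, rng: PortRange) -> bool:
        return rng is None or rng[0] <= port <= rng[1]

    def matches(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
        """True if this rule admits the given connection 4-tuple."""
        return (self.proto == proto.upper()
                and (self.src_ip is None or self.src_ip == src_ip)
                and self._in_range(src_port, self.src_ports)
                and self.dst_ip == dst_ip
                and self._in_range(dst_port, self.dst_ports))


# The rule m0n0wall generated: TCP * * webserver 80
M0N0_RULE = Rule("NAT web server", "TCP", None, None, WEB_SERVER, (80, 80))
# The "anal retentive" variant: only unprivileged source ports 1024-65535
STRICT_RULE = Rule("NAT web server (unpriv src)", "TCP", None,
                   (1024, 65535), WEB_SERVER, (80, 80))


def first_match(rules, proto, src_ip, src_port, dst_ip, dst_port) -> Optional[str]:
    """Return the name of the first rule admitting the connection, else None."""
    for rule in rules:
        if rule.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return rule.name
    return None


if __name__ == "__main__":
    # A normal browser connection passes both rules; clientIP:80 -> server:80
    # passes only the permissive one; port 22 on the WAN matches neither.
    print(first_match([STRICT_RULE], "TCP", CLIENT, 23456, WEB_SERVER, 80))
    print(first_match([STRICT_RULE], "TCP", CLIENT, 80, WEB_SERVER, 80))
    print(first_match([M0N0_RULE], "TCP", CLIENT, 23456, WEB_SERVER, 22))
```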