 
 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Tim McCullagh <timbo at halenet dot com dot au>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] M0n0wall Firewall
 Date:  Tue, 24 Jun 2003 14:51:08 +0200 (CEST)
Hi Tim,

On Wed, 18 Jun 2003, Tim McCullagh wrote:

> This may be a silly question but how do you enter a reverse firewall rule.
>
> I.e.:
>
> If I select say the WAN interface and insert a rule allow any to any I get
>  pass in quick from any to any keep state group 100
>
> How do I insert the rule
> pass OUT  quick from any to any keep state group 100
>
> using the web interface
>
> Where are the firewall rules written to? path wise

That's simple - you don't need "pass out" rules at all because m0n0wall
uses "keep state" with all user-defined rules. Once the first packet of a
connection has been passed/permitted, all other packets belonging to the
same connection will be passed without consulting the ruleset (in both
directions). The "in" is simply because the rules are from m0n0wall's
point of view (the first packet of a TCP connection from LAN to WAN
appears to be incoming on LAN). "out" is only required for connections
that are set up by m0n0wall itself (i.e. DNS queries), and the ruleset
generator is smart enough to generate those rules based on which services
are enabled.

The filter rules are never written to a file; they're directly passed to
/sbin/ipf.

HTH,

Manuel
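The following ipfilter rule fragment illustrates the point made above about "keep state" and rule direction. It is an added example, not m0n0wall's generated ruleset and not Manuel's code: the interface names sis0 (LAN) and sis1 (WAN), the LAN group number 200, the sample LAN subnet and the specific DNS "pass out" rule are all assumptions for illustration; only the WAN group number 100 comes from the thread.

```text
# Added illustration, not m0n0wall's generated ruleset.
# Assumed: sis0 = LAN, sis1 = WAN, LAN rules in group 200.

# Default policy: drop anything not explicitly passed, in both directions.
block in log all
block out log all

# LAN interface. A single "pass in ... keep state" rule is enough for a
# LAN-initiated connection: the first packet is "in" on sis0 from the
# firewall's point of view, and every later packet of that connection
# (including replies arriving on sis1) matches the state table and is
# passed without consulting the ruleset. No "pass out" is needed.
block in quick on sis0 all head 200
pass in quick proto tcp from 192.168.1.0/24 to any port = 80 keep state group 200

# WAN interface (group 100, as in the thread). With no rules in the
# group, the head rule's own action applies and unsolicited inbound
# traffic from the WAN is dropped.
block in quick on sis1 all head 100

# Only connections the firewall itself originates (e.g. its own DNS
# lookups) leave sis1 as "out" without a prior "in" state entry, so
# they need an explicit "pass out" rule. m0n0wall derives such rules
# from the services that are enabled; this one is a constructed sample.
pass out quick on sis1 proto udp from any to any port = 53 keep state
```

Reading the fragment top to bottom shows why a user-entered "pass out" rule buys nothing: the default "block out" is never consulted for reply traffic, because the state entry created by the "pass in ... keep state" rule already covers both directions of the connection.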