You are correct in that the current rule for NTP is for the WAN
interface only. I believe we call them negative rules (well, Checkpoint
does, at any rate), as they are listed and take place before the first
user-created rule, thus being -1, -2, -3, etc. I.e., yes, they are hidden.
Unlike Checkpoint, I do not believe you can click something to make them
show up in the GUI.
There has been some discussion to allow NTP to work on the LAN for those
of us crazy enough to own/run a GPS-based or other private time source
server. For the majority of people I would say that is not a
requirement, though, so this has a low-ish priority really.
From the GUI, not that I know of (not counting using exec.php).
I think there is; they should be present in the config files for ipf,
etc. You might be able to mount the image, modify these rules, save it,
and then move it over to the firewall again. I frankly haven't tried it,
so I really am just assuming. You could always be creative and use
exec.php to echo data into the config files... again, something I have
thought of but never tried. If you mess this up, you will need to
reimage the firewall.
;) I think I am quite successful in not answering the questions with
solid answers, but at least you now know NTP is locked to the WAN
interface. Hehe. Well, after the New Year I should have time to get
back to playing with the guts of m0n0wall again.
Ian Cartwright wrote:
>I am currently evaluating m0n0wall as a possible replacement for my
>current firewall, and I have a question regarding the ipf rules
>generated by the GUI for m0n0wall. My current testing involves two
>m0n0wall boxes running on VMWare. For one of the m0n0wall boxes, the DNS
>and NTP services are on the "LAN interface" network. While DNS queries
>seem OK, all NTP queries are being blocked by ipf even though the source
>and destination IP addresses are the same.
>It's been about three years since I last used ipf (I switched to ipfw,
>then to pf on FreeBSD when I gave up on trying to get ipfilter and KAME
>to play nice together on my FreeBSD firewall), but I recall that all the
>rules in an ipf rule set are directional (i.e. rules can be INBOUND or
>OUTBOUND on an interface). It would seem that there is a hidden rule
>that allows outbound DNS queries on the LAN interface but not NTP
>First: is my theory of "hidden rules" correct?
>Second: if so, is there some way to view or edit these rules in the GUI
>(if not, a "view hidden rules" check box, a la Checkpoint would be
>Third: is there a way to "manually" edit any default/hidden rules? They
>do not appear in the config.xml file.
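The following is an added example for this thread; it is not code from m0n0wall, ipf, or either poster. It models the two ipf behaviours the question and reply hinge on: a rule only ever sees packets travelling in its own direction on its own interface, and ipf is last-match-wins unless a matching rule is marked `quick`. The rule set, the interface names `lan`/`wan`, and all addresses are constructed for illustration and are not m0n0wall's real hidden rules; `keep state` is accepted by the parser but not modelled.

```python
"""Toy evaluator for a subset of IPFilter (ipf) rule syntax.

Added example for this thread, not m0n0wall or ipf code.  Rule set, interface
names and addresses are hypothetical; "keep state" is parsed but ignored.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet crosses, e.g. "lan" or "wan"
    direction: str        # "in" or "out" relative to the firewall host
    proto: str            # "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    direction: str        # "in" or "out"
    quick: bool           # stop evaluating on match
    iface: Optional[str]  # None = any interface
    proto: Optional[str]  # None = any protocol
    src: str              # "any" or an address/CIDR
    dst: str
    dport: Optional[int]  # None = any destination port


RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<direction>in|out)"
    r"(?:\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<dport>\d+))?)"
    r"(?:\s+keep\s+state)?\s*$")


def parse_rules(text: str) -> List[Rule]:
    """One rule per line; '#' comments and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(m["action"], m["direction"], m["quick"] is not None,
                          m["iface"], m["proto"], m["src"] or "any",
                          m["dst"] or "any",
                          int(m["dport"]) if m["dport"] else None))
    return rules


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule only sees packets of its own direction on its own interface."""
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """ipf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends the search at once.  No match at all means pass."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


def decide(ruleset: str, pkt: Packet) -> str:
    return evaluate(parse_rules(ruleset), pkt)


# Constructed rule set in the spirit of the thread: hidden ("negative") rules
# come first and are quick, then the user's rules.  DNS is allowed out on the
# LAN side, NTP only out on the WAN side.  Hypothetical, not m0n0wall's.
HIDDEN_RULES = """
pass out quick on lan proto udp from 192.168.1.1 to any port = 53 keep state
pass out quick on wan proto udp from any to any port = 123 keep state
"""
USER_RULES = """
pass in quick on lan from 192.168.1.0/24 to any keep state
block out log quick on lan all
block in log quick all
"""
# The rule the reply says does not exist yet: NTP allowed out on the LAN side.
NTP_ON_LAN = "pass out quick on lan proto udp from 192.168.1.1 to any port = 123\n"
# Without quick, ipf keeps looking and the last match decides, so position
# matters (the reply's point about hidden rules sitting at -1, -2, -3).
LAST_MATCH_DEMO = "block out on lan all\npass out on lan proto udp from any to any port = 123\n"

# Constructed packets: the firewall (192.168.1.1) querying a LAN-side DNS/NTP host.
DNS_LAN = Packet("lan", "out", "udp", "192.168.1.1", "192.168.1.10", 53)
NTP_LAN = Packet("lan", "out", "udp", "192.168.1.1", "192.168.1.10", 123)
NTP_WAN = Packet("wan", "out", "udp", "203.0.113.2", "198.51.100.7", 123)

if __name__ == "__main__":
    base = HIDDEN_RULES + USER_RULES
    for label, rules, pkt in [("DNS out on LAN", base, DNS_LAN),
                              ("NTP out on LAN", base, NTP_LAN),
                              ("NTP out on WAN", base, NTP_WAN),
                              ("NTP out on LAN, rule added", HIDDEN_RULES + NTP_ON_LAN + USER_RULES, NTP_LAN)]:
        print(f"{label}: {decide(rules, pkt)}")
```

Run as a script it prints the four decisions; the NTP query towards the LAN-side time server is blocked by the catch-all `block out` on `lan` because the only NTP allow is bound to `wan`, and inserting an equivalent `pass out ... on lan` before the catch-all is what makes it pass. The `LAST_MATCH_DEMO` string shows the non-quick case: with `block out on lan all` first and a later `pass out` for port 123, the later rule wins; swap the two and the packet is blocked.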