 From:  Falcor <falcor at netassassin dot com>
 To:  ian351c at cox dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Rule Direction for ipf
 Date:  Wed, 31 Dec 2003 05:53:08 -0800
You are correct in that the current rule for NTP is for the WAN 
interface only.  I believe we call them negative rules (Well Checkpoint 
does at any rate), as they are listed and take place before the first 
user created rule.  Thus being -1 -2 -3 etc.  E.g. yes they are hidden. 
Unlike Checkpoint I do not believe you can click something to make them 
show up in the GUI.

There has been some discussion to allow NTP to work on the LAN for those 
of us crazy enough to own/run a GPS-based or other private time source 
servers.  For the majority of people I would say that is not a 
requirement though, so this has a low-ish priority really.

From the GUI, not that I know of.  (not counting using exec.php)

I think there is, they should be present in the config files for the ipf 
etc.  You might be able to mount the image, modify these rules, save it, 
then move it over to the firewall again.   I frankly haven't tried it, 
so I really am just assuming.  You could always be creative and use 
exec.php to echo data into the config files... again, something I have 
thought of but never tried... if you mess this up you will need to 
reimage the firewall.

;)  I think I am quite successful in not answering the questions with 
solid answers, but at least you now know NTP is locked to the WAN 
interface.  hehe.  Well after the New Year I should have time to get 
back to playing with the guts of m0n0wall again.  

Ian Cartwright wrote:

>Hello everyone,
>I am currently evaluating m0n0wall as a possible replacement for my
>current firewall, and I have a question regarding the ipf rules
>generated by the GUI for m0n0wall. My current testing involves two
>m0n0wall boxes running on VMWare. For one of the m0n0wall boxes, the DNS
>and NTP services are on the "LAN interface" network. While DNS queries
>seem OK, all NTP queries are being blocked by ipf even though the source
>and destination IP addresses are the same.
>It's been about three years since I last used ipf (I switched to ipfw,
>then to pf on FreeBSD when I gave up on trying to get ipfilter and KAME
>to play nice together on my FreeBSD firewall), but I recall that all the
>rules in an ipf rule set are directional (i.e. rules can be INBOUND or
>OUTBOUND on an interface). It would seem that there is a hidden rule
>that allows outbound DNS queries on the LAN interface but not NTP.
>First: is my theory of "hidden rules" correct?
>Second: if so, is there some way to view or edit these rules in the GUI
>(if not, a "view hidden rules" check box, a la Checkpoint would be
>really neat).
>Third: is there a way to "manually" edit any default/hidden rules? They
>do not appear in the config.xml file.
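For readers unfamiliar with how ipf rule direction and rule ordering produce the behaviour discussed above, here is an illustrative ruleset. It is an added example, not the rules m0n0wall actually generates; the interface names (sis0 as WAN, sis1 as LAN), the LAN subnet and the time-server address are assumptions.

```conf
# Illustrative ipf ruleset (assumed: sis0 = WAN, sis1 = LAN, LAN = 192.168.1.0/24,
# private NTP server = 192.168.1.10). ipf reads rules top to bottom; the LAST
# matching rule wins unless a rule says "quick", which stops evaluation there.
# Every rule is bound to a direction ("in" or "out") on one interface.
block in all
block out all

# "Hidden"/negative rules that sit ahead of the first user-created rule:
# the firewall's own NTP client may leave on the WAN interface only.
# Nothing here lets NTP traffic leave on the LAN interface, so queries to a
# LAN-side time server are dropped by "block out all".
pass out quick on sis0 proto udp from any to any port = 123 keep state

# First user-created rule (the usual "LAN to any" rule): this is an INBOUND
# rule on sis1, so it does not help packets that must go OUT on sis1.
pass in quick on sis1 from 192.168.1.0/24 to any keep state

# What a LAN-side time source would additionally require: an OUTBOUND rule on
# the LAN interface, scoped to the one server and port rather than "any".
pass out quick on sis1 proto udp from any to 192.168.1.10 port = 123 keep state
```

Because "keep state" creates the return-path entry, the reply from the time server needs no matching inbound rule; only the direction of the initial packet relative to each interface has to be allowed.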