 From:  Ian Cartwright <ian351c at cox dot net>
 To:  Falcor <falcor at netassassin dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Rule Direction for ipf
 Date:  Wed, 31 Dec 2003 10:14:00 -0700
On Wed, 2003-12-31 at 06:53, Falcor wrote:
> You are correct in that the current rule for NTP is for the WAN 
> interface only.  I believe we call them negative rules (Well Checkpoint 
> does at any rate), as they are listed and take place before the first 
> user created rule.  Thus being -1 -2 -3 etc.  E.g. yes they are hidden. 
>  Unlike Checkpoint I do not believe you can click something to make them 
> show up in the GUI.
> 
> There has been some discussion to allow NTP to work on the LAN for those 
> of us crazy enough to own/run a GPS-based or other private time source 
> servers.  For the majority of people I would say that is not a 
> requirement though, so this has a low-ish priority really.
> 
>  From the GUI, not that I know of.  (not counting using exec.php)
> 
> I think there is, they should be present in the config files for the ipf 
> etc.  You might be able to mount the image, modify these rules, save it, 
> then move it over to the firewall again.   I frankly haven't tried it, 
> so I really am just assuming.  You could always be creative and use 
> exec.php to echo data into the config files... again, something I have 
> thought of but never tried... if you mess this up you will need to 
> reimage the firewall.
> 
> ;)  I think I am quite successful in not answering the questions with 
> solid answers, but at least you now know NTP is locked to the WAN 
> interface.  hehe.  Well after the New Year I should have time to get 
> back to playing with the guts of m0n0wall again.  
> 
> Ian Cartwright wrote:
> 
> >Hello everyone,
> >
> >I am currently evaluating m0n0wall as a possible replacement for my
> >current firewall, and I have a question regarding the ipf rules
> >generated by the GUI for m0n0wall. My current testing involves two
> >m0n0wall boxes running on VMWare. For one of the m0n0wall boxes, the DNS
> >and NTP services are on the "LAN interface" network. While DNS queries
> >seem OK, all NTP queries are being blocked by ipf even though the source
> >and destination IP addresses are the same.
> >
> >It's been about three years since I last used ipf (I switched to ipfw,
> >then to pf on FreeBSD when I gave up on trying to get ipfilter and KAME
> >play nice together on my FreeBSD firewall), but I recall that all the
> >rules in a ipf rule set are directional (i.e. rules can be INBOUND or
> >OUTBOUND on an interface). It would seem that there is a hidden rule
> >that allows outbound DNS queries on the LAN interface but not NTP
> >queries.
> >
> >First: is my theory of "hidden rules" correct?
> >Second: if so, is there some way to view or edit these rules in the GUI
> >(if not, a "view hidden rules" check box, a la Checkpoint would be
> >really neat).
> >Third: is there a way to "manually" edit any default/hidden rules? They
> >do not appear in the config.xml file.
> >
> >Thanks!
> >
> >Ian
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >  
> >
> 
> 

Falcor,

Thanks for the information. I was able to find the configuration file
for the default rules (/etc/inc/filter.inc). It looks pretty
straightforward to move many of these rules from filter.inc to
config.xml to make them visible and editable. Doing that may require
adding directional functionality (i.e. "in on lan" or "out on lan") to
the GUI though... In the meantime, I am happy to learn that the rules
are accessible by other means. ;-)

Thanks again,

Ian
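
The thread turns on two ipf behaviours: every rule is directional and bound to an interface ("out on lan" says nothing about "in on lan" or about other ports), and a rule without "quick" does not end the search, so the last matching rule decides. The following toy evaluator is an added illustration, not code from the m0n0wall project and not the contents of its /etc/inc/filter.inc; the "hidden default" ruleset inside it is constructed for the example only. It parses a small subset of ipf rule syntax and shows why a default that passes the firewall's outbound DNS on lan still leaves outbound NTP on lan blocked until a matching rule is added.

```python
"""Toy evaluator for a subset of IPFilter (ipf) rule syntax.

Added example, not m0n0wall code.  The rules below are constructed for the
illustration and are NOT the real defaults from /etc/inc/filter.inc.  Two
ipf semantics are modelled:
  * a rule applies only to one direction ("in"/"out") relative to one
    interface ("on lan"), optionally narrowed by proto and destination port;
  * without "quick" the LAST matching rule wins; "quick" stops the search at
    the first match.  A packet that matches no rule at all is passed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the interface
    iface: str       # "lan" or "wan"
    proto: str       # "udp" or "tcp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    direction: str
    quick: bool
    iface: Optional[str]     # None: any interface
    proto: Optional[str]     # None: any protocol
    dst_port: Optional[int]  # None: any destination port
    text: str                # original rule line, for reporting


# Accepted grammar (a small subset of ipf):
#   <pass|block> <in|out> [quick] [on IFACE] [proto P] (all | from A to B [port = N]) [keep state]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\w+))?"
    r"(?:\s+proto\s+(?P<proto>\w+))?"
    r"(?:\s+all|\s+from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(?P<port>\d+))?)"
    r"(?:\s+keep\s+state)?\s*$"
)


def parse_rules(conf: str) -> List[Rule]:
    """Parse rule lines; '#' starts a comment, blank lines are ignored."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(action=m["action"], direction=m["dir"],
                          quick=m["quick"] is not None, iface=m["iface"],
                          proto=m["proto"],
                          dst_port=int(m["port"]) if m["port"] else None,
                          text=line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, deciding rule text): last match wins unless 'quick'."""
    decision: Tuple[str, Optional[str]] = ("pass", None)  # no match: pass
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.text)
            if rule.quick:
                break
    return decision


def decide(conf: str, pkt: Packet) -> str:
    return evaluate(parse_rules(conf), pkt)[0]


# Constructed "hidden defaults" for the illustration (not m0n0wall's real ones):
# the firewall's own resolver traffic may leave via lan, everything else is blocked.
HIDDEN_DEFAULTS = """
pass out quick on lan proto udp from any to any port = 53 keep state
block in all
block out all
"""

# The rule a visible, editable ruleset would need for the LAN-side NTP server.
NTP_FIX = "pass out quick on lan proto udp from any to any port = 123 keep state\n"

DNS_OUT = Packet("out", "lan", "udp", 53)
NTP_OUT = Packet("out", "lan", "udp", 123)

if __name__ == "__main__":
    for label, conf in (("hidden defaults only", HIDDEN_DEFAULTS),
                        ("with NTP rule added", HIDDEN_DEFAULTS + NTP_FIX)):
        print(label)
        for pkt in (DNS_OUT, NTP_OUT):
            action, rule = evaluate(parse_rules(conf), pkt)
            print(f"  out on lan udp/{pkt.dst_port}: {action}  <- {rule}")
```

Run it and the first block reports DNS passing and NTP blocked, both decided by different rules; the second block shows NTP passing once a rule for udp/123 exists. Because "block out all" carries no "quick", the NTP rule works whether it is placed before or after the defaults, which is the property a GUI-editable ruleset appended after hidden defaults would rely on; a "quick" block rule in the defaults would silently defeat any later user rule.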