 From:  Falcor <falcor at netassassin dot com>
 To:  Alan Horn <ahorn at deorth dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] keep state question.
 Date:  Fri, 02 Jan 2004 03:47:11 -0600
Well this is all IPF, or so it seems from the syntax in 
/etc/inc/filter.inc  (although I think the website states ipfw.. dunno) 
So rest assured keep state is set.  (I checked the default rules and 
what not and it appears all rules are currently appended with "quick" 
and "keep state" settings when you build a rule from the GUI.  As this 
is not normal user knowledge I can understand automating it.)  E.g. every 
rule you make appears to get pass/block in/out quick [your rule] keep state.

Now come the questions for your questions.....

Yes you can specify all UDP, TCP, ICMP, etc. for in and out rules.  Easy 
to do.. the gui lets you specify the ports for UDP and TCP, but if you 
want to specify services (type) for ICMP you will need to go add a rule 
by hand as the gui doesn't appear to have that option.  For standard 
firewall uses it is really unnecessary to do this, but if you are uber 
paranoid go ahead and manually edit your files.  I still would never 
personally want ICMP from the WAN to my LAN... but that is just me.

UDP out.. well do you want all UDP out, or something in particular? 
 Like TCP you need to specify a port, or go with the "yea all of it" 
standpoint.  The default rule for all LAN traffic is from any IP on any 
Protocol to Any Destination already allows this.  (as well as all ICMP 
outbound, as the protocol is flagged "All")  If you block it and say 
want to let an internal DNS server go query an external host you would 
write a rule like the one in my first email, just specify UDP and port 
53 allowed in to your DNS server... ex..
(on the LAN Interface) Proto: UDP | Source 192.168.1.x | Port * | 
Destination 124.168.1.x | Port 53 | Allow

conversely if you have an internal DNS server that you wish to have 
available for the Internet to query you would do this:
(on the WAN Interface) Proto: UDP | Source * | Port * | Destination 
192.168.1.x | Port 53 | Allow

an outbound ICMP would be the same except you don't get to enter 
services from the GUI.  You end up with:
(on whatever interface you want) Proto: ICMP | Source * | Port * | 
Destination * | Port: * | Allow   (of course you can specify source and 
destination IP addresses if you want)

I am assuming by "out" you mean from the LAN to the WAN.  Wherever 
"in" is, the rule is the same, just change the source network.  E.g. LAN, 
WAN, PPTP, OPT1, etc.

IPF and OpenBSD's PF allow you to muck with ICMP services, but I do not 
believe 99.99% of us want to dork with it at all.  
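Added example (not code from the thread or from m0n0wall's own filter.inc): a small renderer that turns m0n0wall GUI rule fields into the ipfilter lines described above, "pass/block in quick on <if> ... keep state", and also shows the hand-edited icmp-type form the GUI cannot produce. rtk0 is the WAN device named in the thread; sis0, the LAN CIDR and the host addresses are assumed placeholders.

```python
# Added example, not from the thread: render m0n0wall-style GUI rule fields as
# the ipfilter lines the mail describes ("pass/block in quick on <if> ... keep
# state"), plus the hand-edited icmp-type form the GUI cannot produce.
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: GUI interface label -> ipf device (rtk0 is the
# WAN name used in the thread; sis0 is assumed for LAN), alias -> CIDR.
IFACES = {"LAN": "sis0", "WAN": "rtk0"}
NETS = {"LAN net": "192.168.1.0/24"}

@dataclass
class GuiRule:
    interface: str                   # "LAN", "WAN", "OPT1", ...
    action: str                      # "Allow" or "Block" (GUI wording)
    proto: str = "*"                 # "UDP", "TCP", "ICMP" or "*" for all
    src: str = "*"                   # "*", a GUI alias, a host or a CIDR
    src_port: str = "*"
    dst: str = "*"
    dst_port: str = "*"
    icmp_type: Optional[str] = None  # only settable by hand-editing the rules

def _endpoint(addr: str, port: str, ports_ok: bool) -> str:
    a = "any" if addr == "*" else NETS.get(addr, addr)
    return f"{a} port = {port}" if ports_ok and port != "*" else a

def to_ipf(rule: GuiRule) -> str:
    act = {"Allow": "pass", "Block": "block"}[rule.action]
    proto = rule.proto.lower()
    has_port = rule.src_port != "*" or rule.dst_port != "*"
    if proto == "*":
        # A port on a "*" rule can only mean TCP and UDP, spelled tcp/udp in ipf.
        proto = "tcp/udp" if has_port else ""
    ports_ok = proto in ("tcp", "udp", "tcp/udp")
    # Every GUI rule is an "in" rule on its interface and "quick" (first match wins).
    parts = [act, "in", "quick", "on", IFACES[rule.interface]]
    if proto:
        parts += ["proto", proto]
    parts += ["from", _endpoint(rule.src, rule.src_port, ports_ok),
              "to", _endpoint(rule.dst, rule.dst_port, ports_ok)]
    if proto == "icmp" and rule.icmp_type is not None:
        parts += ["icmp-type", rule.icmp_type]
    if act == "pass":
        # State is kept for permitted flows so replies pass without their own rule.
        parts.append("keep state")
    return " ".join(parts)

# The inbound-ICMP rule from the thread, as the GUI would emit it:
EXAMPLE = to_ipf(GuiRule("WAN", "Allow", "ICMP"))
```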



Alan Horn wrote:

>Ok..
>for example then, how would I duplicate the following ipfilter rules in
>m0n0wall ?
>
>pass in quick on rtk0 proto icmp from any to any keep state
>pass out on rtk0 proto udp from any to any keep state
>pass out on rtk0 proto icmp from any to any keep state
>
>rtk0 in this context is my 'wan' interface.
>
>
>On Fri, 2 Jan 2004, Falcor wrote:
>
>>Date: Fri, 02 Jan 2004 01:41:10 -0600
>>From: Falcor <falcor at netassassin dot com>
>>To: Alan Horn <ahorn at deorth dot org>
>>Cc: m0n0wall at lists dot m0n0 dot ch
>>Subject: Re: [m0n0wall] keep state question.
>>
>>In/Out are determined by the source and destination that you place in
>>the rule.  E.g.:
>>Prot: *| Source LAN net | Destination * | Port 21  and an action "Block"
>>would block outbound FTP traffic (port 21 traffic of any sort actually)
>>from the LAN network that you specified in the Interface setup to all
>>networks the firewall/router are connected to.
>>
>>by default install, all LAN traffic to any host on any port is allowed,
>>and all inbound is denied/blocked.
>>
>>You would need to create allow rules for the PPTP network, OPT1 network,
>>WiFi network(s) as well as any inbound rules you want or outbound
>>blocking rules.  If you want to limit what your LAN users can access on
>>the internet it is better to start with no rules (an implicit deny all
>>basically) and simply add rules allowing them to do each specific thing.
>>I do that at work, but at home.. hey I allow myself to go everywhere...
>>
>>Alan Horn wrote:
>>
>>>How does one put in the ipfilter keywords 'keep state' with m0n0wall ?
>>>
>>>Also, all rules seem to be of the type 'pass in', is there an implicit
>>>'pass out any' type rule on all interfaces ?
>>>
>>>Cheers,
>>>
>>>Al
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>
>>
>