stfuhello wrote:
> Hi guys, I am having a few problems because I'm a n00b :) . In the
> following paragraph I will be referring to DIAGRAMS located at
> http://img433.imageshack.us/img433/4404/problem4pk.jpg. What I would
> like to do is delete the LAN "permit any", as seen in DIAGRAM A.
> After this I would like to manually create rules to permit each
> program access to the net and access to other hosts through the LAN
> rules interface. I'm doing this to add an extra layer of security. I
> thought of starting off with HTTP, thinking it would be easy enough.
> After disabling the "permit any" rule on the LAN interface, I tried
> creating a LAN rule to allow HTTP on LAN and net but to no avail. I
> tried adding default HTTP rules to everything... but I still couldn't
> access the net with my browser. I then thought, well, I will enable
> the "permit any" rule (DIAGRAM A) and log traffic to see what's
> happening. I cleared all previous firewall logs, then opened my
> browser. The logged traffic is highlighted as DIAGRAM D. I've also
> added the NAT interface and WAN rules interface in DIAGRAMS B+C in
> case I'm making some monumental mistake/s.
> Could someone please show me how to create a relatively specific
> (as opposed to "permit any") HTTP rule/s on the LAN rules interface
> to access the net and other hosts on the LAN.
If you can browse the m0n0wall WebGUI, this is because there is a
hidden "anti-lockout" rule that allows http/https to the LAN address of
the m0n0wall.
Instead of disabling the default rule, try editing the default rule to
read something like this:
Interface - LAN
Source - any:any
Destination - any:80
The number after the colon is the port ;-) Remember the source port can
be almost anything (3643 and 3644 in your example). The destination would
be port 80 for http. Other destination ports you will want to open may
be 443 - https, 25 - smtp, 20 & 21 - ftp, 110 - pop3, 119 - nntp, 123 -
sntp, and 143 - imap4.
If you wish to restrict certain machines from accessing the web, use a
specific IP for the source (again, use any for the source port).
Rules on the firewall will not stop traffic between hosts on the same
network. If 10.10.10.11 wants to talk to 10.10.10.12, the traffic goes
directly between the hosts and never reaches the m0n0wall. The rules
will only affect traffic that passes through the firewall.
_________________________________
James W. McKeand |
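As an added illustration (not m0n0wall's code and not from either poster), here is a small first-match rule evaluator in Python that shows why the reply's "source any:any, destination any:80" rule passes browser traffic while a rule keyed on the source port does not, and how the hidden anti-lockout rule and a per-host block fit in. The LAN address 10.10.10.1, the host 10.10.10.50, the external address 203.0.113.10 and the packets are all constructed for the example.

```python
import ipaddress

# Constructed values for the example: the m0n0wall LAN address and a host to restrict.
LAN_ADDRESS = "10.10.10.1"
RESTRICTED_HOST = "10.10.10.50"

# A rule is (action, source net, source port, destination net, destination port);
# "any" matches everything. Order matters: the first matching rule decides.

# The hidden anti-lockout rule from the reply: http/https to the LAN address always passes.
ANTI_LOCKOUT = [("pass", "any", "any", LAN_ADDRESS + "/32", 80),
                ("pass", "any", "any", LAN_ADDRESS + "/32", 443)]

# The default rule being discussed (DIAGRAM A).
PERMIT_ANY = [("pass", "any", "any", "any", "any")]

# The reply's suggestion: source any:any, destination any:80 (plus 443 for https).
HTTP_ONLY = [("pass", "any", "any", "any", 80),
             ("pass", "any", "any", "any", 443)]

# A common mistake: putting 80 on the SOURCE port. Browsers use ephemeral source
# ports (3643/3644 in the log), so this rule never matches outbound web traffic.
WRONG_SRC_PORT = [("pass", "any", 80, "any", "any")]

# Restricting one machine: a block for that host placed before the web-permit rules.
RESTRICTED = [("block", RESTRICTED_HOST + "/32", "any", "any", "any")] + HTTP_ONLY


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or spec == port


def evaluate(lan_rules, src, sport, dst, dport):
    """Return 'pass' or 'block' for a packet entering the LAN interface.
    First match wins; if nothing matches, the packet is blocked (default deny)."""
    for action, rsrc, rsport, rdst, rdport in ANTI_LOCKOUT + list(lan_rules):
        if (_addr_ok(rsrc, src) and _port_ok(rsport, sport)
                and _addr_ok(rdst, dst) and _port_ok(rdport, dport)):
            return action
    return "block"


if __name__ == "__main__":
    web = ("10.10.10.11", 3643, "203.0.113.10", 80)  # constructed outbound HTTP, like DIAGRAM D
    print(evaluate(PERMIT_ANY, *web), evaluate(HTTP_ONLY, *web), evaluate(WRONG_SRC_PORT, *web))
```

Traffic between two hosts on the same LAN never reaches the firewall, so evaluate() only models packets that actually cross it.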