> Hi guys iam having a few problems because im a n00b :) . In the
> following paragraph i will be referring to DIAGRAMS located at
> http://img433.imageshack.us/img433/4404/problem4pk.jpg. What i would
> like to do is delete the LAN "permit any" , as seen in DIAGRAM A.
> After this i would like to manually create rules to permit each
> access to the net and access to other hosts through the LAN rules
> interface. Im doing this to ad an extra layer of security . I thought
> starting off with HTTP, thinking it would be easy enough. After
> disabling the "permit any" rule on LAN interface , i tried creating a
> lan rule to alow http on LAN and net but to no avail. I tried adding
> default HTTP rules , to everything... but i still couldnt acces the
> net with my browser. I then thought well i will enable the "permit
> rule (DIAGRAM A) and log traffic to see whats happening. I cleared all
> previous firewall logs then opened my browser. The logged traffic is
> highlighted as DIAGRAM D. Ive also added NAT interface and WAN rules
> interface in DIAGRAMS B+C incase im making some monumental mistake/s.
> Could someone please show me how to create the a relatively specific
> (as opposed to "permit any") HTTP rule/s on the LAN rules interface
> to access the net and other hosts on the LAN.
If you can browse the m0n0wall WebGUI - this is because there is a
hidden "anti-lockout" rule that allows http/https to the LAN address of
Instead of disabling the default rule, try editing the default rule to
read something like this:
Interface - LAN
Source - any:any
Destination - any:80
The number after the colon is the port ;-) Remember the source port can
be almost anything (3643 and 3644 in your example) The destination would
be port 80 for http. Other destination ports you will want to open may
be 443 - https, 25 - smtp, 20 & 21 - ftp, 110 - pop3, 119 - nntp, 123 -
sntp, and 143 - imap4
If you wish to restrict certain machines from access the web use
specific IP for the source (again use any for the source port).
Rules on the firewall will not stop traffic between hosts on the same
network. If 10.10.10.11 wants to talk to 10.10.10.12 - the traffic goes
directly between the hosts and never reaches the m0n0wall. The rules
will only affect traffic that passes though the firewall.
James W. McKeand