 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Firewall Rules
 Date:  Fri, 28 Oct 2005 11:06:10 -0500
From: "Garrett" <glc at c dash email dot com>

> Ok, now that I've finally got my first WRAP up and running (thanks to
> everyone on the mailing list who helped), next up is the firewall rules.

> WRAP:
> LAN0: LAN (172.31.101.0/29), 3 hosts
> LAN1: wireless LAN (172.31.101.8/29), 2 hosts (1 AP + 1 PocketPC)
> LAN2: WAN (PPPoE DSL)

There is a reason we use the LAN and OPTx names.  There are some things that 
can only be done from a LAN interface, and some things that can only be done 
from an OPTx interface.  I will assume LAN0 is the LAN interface, LAN1 is 
OPT1, and LAN2 is WAN.

> Requirements:
> wireless subnet: only want to permit access from the PocketPC on this subnet
> to a particular host on the LAN subnet.  I want to deny Internet access to
> this subnet all together and deny access to/from the other hosts on the LAN
> subnet.

It should be on OPT.  Set up DHCP to give addresses.  Put a DHCP static 
mapping for your device's MAC address outside of the DHCP scope.  Set up a 
rule on OPT allowing that single IP to the IP on the LAN subnet.  All else will 
be denied, but friendly hackers will get IP addresses and be confused. :-)

> LAN subnet: permit Internet access and communication between all hosts on
> this subnet (which of course is already done with the Default LAN -> any
> rule) and deny access to the wireless subnet (except for the particular host
> on this subnet)

Deny is already done.  Set up the mirror of the rule above on the LAN subnet 
from the IP of the pocket PC to the single IP of its destination.  Done.

                        Lee
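As an added illustration (this is not code from the list thread or from m0n0wall), the following Python model walks through the rule set Lee describes: a first-match, implicit-deny evaluator per interface, with the single OPT1 pass rule for the PocketPC, the mirror rule on LAN, and the stock "Default LAN -> any" rule. The two /29 subnets come from the thread; the host addresses, the AP address and the OPT1 DHCP scope are assumed values chosen so that the PocketPC's static mapping falls inside its subnet but outside the scope, which `static_mapping_ok` checks.

```python
from ipaddress import ip_address, ip_network

# Subnets as given in the thread; host addresses and DHCP scope are assumed.
LAN_NET = ip_network("172.31.101.0/29")
OPT1_NET = ip_network("172.31.101.8/29")
LAN_HOST = ip_address("172.31.101.2")      # assumed: the one LAN host the PocketPC may reach
POCKETPC = ip_address("172.31.101.14")     # assumed: static DHCP mapping on OPT1
ACCESS_POINT = ip_address("172.31.101.9")  # assumed: the AP, also on OPT1
DHCP_SCOPE_OPT1 = (ip_address("172.31.101.10"), ip_address("172.31.101.12"))  # assumed scope
ANY = ip_network("0.0.0.0/0")

# (interface, action, source, destination). Rules are checked top to bottom
# for the interface the packet arrives on; the first match wins, and a packet
# that matches nothing on its interface is blocked (implicit deny).
RULES = [
    ("opt1", "pass", ip_network(f"{POCKETPC}/32"), ip_network(f"{LAN_HOST}/32")),
    ("lan",  "pass", ip_network(f"{LAN_HOST}/32"), ip_network(f"{POCKETPC}/32")),  # mirror rule
    ("lan",  "pass", LAN_NET, ANY),  # the stock "Default LAN -> any" rule
]


def ingress(src):
    """Interface a packet with this source address enters the firewall on."""
    src = ip_address(src)
    if src in OPT1_NET:
        return "opt1"
    if src in LAN_NET:
        return "lan"
    return "wan"


def evaluate(src, dst):
    """Return 'pass' or 'block' for a packet from src to dst, first match wins."""
    iface = ingress(src)
    src, dst = ip_address(src), ip_address(dst)
    for rule_iface, action, rule_src, rule_dst in RULES:
        if rule_iface == iface and src in rule_src and dst in rule_dst:
            return action
    return "block"  # no rule matched on this interface: implicit deny


def static_mapping_ok(addr, subnet, scope):
    """A static mapping must lie inside the subnet but outside the dynamic scope."""
    addr = ip_address(addr)
    low, high = scope
    return addr in subnet and not (low <= addr <= high)


if __name__ == "__main__":
    probes = [
        (POCKETPC, LAN_HOST),                    # the one permitted wireless flow
        (POCKETPC, ip_address("172.31.101.3")),  # another LAN host: denied
        (ACCESS_POINT, LAN_HOST),                # the AP itself: denied
        (POCKETPC, ip_address("203.0.113.10")),  # Internet from wireless: denied
        (LAN_HOST, POCKETPC),                    # mirror rule on LAN
        (ip_address("172.31.101.3"), ip_address("203.0.113.10")),  # LAN to Internet
    ]
    for src, dst in probes:
        print(f"{ingress(src):>4}  {src} -> {dst}: {evaluate(src, dst)}")
    print("static mapping outside scope:",
          static_mapping_ok(POCKETPC, OPT1_NET, DHCP_SCOPE_OPT1))
```

Running the probes shows why the wireless side needs only the single pass rule: everything else from OPT1, including the AP and any address the DHCP server hands out from its scope, falls through to the implicit deny.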