 From:  "Garrett" <glc at c dash email dot com>
 To:  "Lee Sharp" <leesharp at hal dash pc dot org>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Firewall Rules
 Date:  Fri, 28 Oct 2005 09:20:36 -0700
> There is a reason we use the LAN and OPTx names.  There are some things
> that can only be done from a LAN interface, and some things that can only
> be done from an OPTx interface.

Are these restrictions/abilities documented anywhere?

> I will assume LAN0 is the LAN interface, and the
> LAN1 is OPT1.  And LAN2 is WAN.

That's correct.

----- Original Message -----
From: "Lee Sharp" <leesharp at hal dash pc dot org>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Friday, October 28, 2005 9:06 AM
Subject: Re: [m0n0wall] Firewall Rules


> From: "Garrett" <glc at c dash email dot com>
>
> > Ok, now that I've finally got my first WRAP up and running (thanks to
> > everyone on the mailing list who helped), next up is the firewall rules.
>
> > WRAP:
> > LAN0: LAN (172.31.101.0/29), 3 hosts
> > LAN1: wireless LAN (172.31.101.8/29), 2 hosts (1 AP + 1 PocketPC)
> > LAN2: WAN (PPPoE DSL)
>
> There is a reason we use the LAN and OPTx names.  There are some things
> that can only be done from a LAN interface, and some things that can only
> be done from an OPTx interface. I will assume LAN0 is the LAN interface,
> and the LAN1 is OPT1.  And LAN2 is WAN.
>
> > Requirements:
> > wireless subnet: only want to permit access from the PocketPC on this
> > subnet to a particular host on the LAN subnet.  I want to deny Internet
> > access to this subnet all together and deny access to/from the other
> > hosts on the LAN subnet.
>
> It should be on OPT.  Set up DHCP to give addresses.  Put a DHCP static
> mapping for your device's MAC address outside of the DHCP scope.  Set up a
> rule on OPT allow that single IP to the IP on the LAN subnet.  All else
> will be denied, but friendly hackers will get IP addresses and be
> confused. :-)
>
> > LAN subnet: permit Internet access and communication between all hosts
> > on this subnet (which of course is already done with the Default LAN ->
> > any rule) and deny access to the wireless subnet (except for the
> > particular host on this subnet)
>
> Deny is already done.  Set up the mirror of the rule above on the LAN
> subnet from the IP of the pocket PC to the single IP of its destination.
> Done.
>
>                         Lee
>
>
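The OPT1/LAN rule set described in the thread, as an added example that is not from the thread or from m0n0wall itself: a small Python model of inbound-interface, first-match, default-deny rule evaluation using the thread's two subnets, so the intended flows can be checked before trusting the rules. The host addresses, the 203.0.113.10 test destination, and the explicit LAN block of the wireless subnet placed ahead of the default LAN-to-any rule are my assumptions, not from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the thread; host addresses are constructed for this example.
LAN_NET = ipaddress.ip_network("172.31.101.0/29")   # LAN0 = LAN
WIFI_NET = ipaddress.ip_network("172.31.101.8/29")  # LAN1 = OPT1 (wireless)
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_SERVER = "172.31.101.2"   # the one LAN host the PocketPC may reach (assumed)
POCKETPC = "172.31.101.14"    # static DHCP mapping outside the DHCP pool (assumed)

@dataclass(frozen=True)
class Rule:
    iface: str                   # inbound interface: "lan" or "opt1"
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

net = ipaddress.ip_network       # a bare "a.b.c.d" becomes a /32 network

# Rules apply on the inbound interface, first match wins, unmatched = drop.
RULES = [
    # OPT1: only the PocketPC, only to the single LAN host.
    Rule("opt1", "pass", net(POCKETPC), net(LAN_SERVER)),
    # LAN: the mirror rule, then an explicit block of the wireless subnet
    # ahead of the default "LAN net -> any" rule (assumption, see lead-in).
    Rule("lan", "pass", net(LAN_SERVER), net(POCKETPC)),
    Rule("lan", "block", LAN_NET, WIFI_NET),
    Rule("lan", "pass", LAN_NET, ANY),
]

def decide(iface, src, dst, rules=RULES):
    """Return "pass" or "block" for a packet arriving on iface from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == iface and src in r.src and dst in r.dst:
            return r.action
    return "block"   # implicit default deny on every interface

def check_policy(rules=RULES):
    """The flows a practitioner should verify after loading the rule set."""
    return {
        "pocketpc_to_server": decide("opt1", POCKETPC, LAN_SERVER, rules),
        "pocketpc_to_other_lan": decide("opt1", POCKETPC, "172.31.101.3", rules),
        "pocketpc_to_internet": decide("opt1", POCKETPC, "203.0.113.10", rules),
        "ap_to_server": decide("opt1", "172.31.101.9", LAN_SERVER, rules),
        "server_to_pocketpc": decide("lan", LAN_SERVER, POCKETPC, rules),
        "other_lan_to_pocketpc": decide("lan", "172.31.101.3", POCKETPC, rules),
        "lan_to_internet": decide("lan", "172.31.101.3", "203.0.113.10", rules),
    }
```

Calling `check_policy()` returns a verdict per flow; only the PocketPC-to-server pair, its mirror, and LAN-to-Internet should come back as "pass".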