 
 From:  "Garrett" <glc at c dash email dot com>
 To:  "Lee Sharp" <leesharp at hal dash pc dot org>, <m0n0wall at lists dot m0n0 dot ch>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Fw: [m0n0wall] Firewall Rules
 Date:  Fri, 28 Oct 2005 11:27:18 -0700
> Set up DHCP to give addresses.  Put a DHCP static
> mapping for your device's MAC address outside of the DHCP scope.  Set up a
> rule on OPT allow that single IP to the IP on the LAN subnet.

Created a static mapping for the PocketPC.

(OPT tab)
Proto: *
Source: ip_of_pocketpc
Port: *
Dest: ip_of_pc_on_lan_subnet
Port: *

The above rule allows the PocketPC and PC to communicate, however,
ActiveSync fails if the Dest field is NOT set to any (*):

(OPT tab)
Proto: *
Source: ip_of_pocketpc
Port: *
Dest: *  (can't sync PocketPC with PC unless this is set to any)
Port: *

Any ideas why this is?

----- Original Message -----
From: "Garrett" <glc at c dash email dot com>
To: "Lee Sharp" <leesharp at hal dash pc dot org>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Friday, October 28, 2005 9:20 AM
Subject: Re: [m0n0wall] Firewall Rules


> > There is a reason we use the LAN and OPTx names.  There are some things that
> > can only be done from a LAN interface, and some things that can only be done
> > from an OPTx interface.
>
> Are these restrictions/abilities documented any where?
>
> > I will assume LAN0 is the LAN interface, and the
> > LAN1 is OPT1.  And LAN2 is WAN.
>
> That's correct.
>
> ----- Original Message -----
> From: "Lee Sharp" <leesharp at hal dash pc dot org>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Friday, October 28, 2005 9:06 AM
> Subject: Re: [m0n0wall] Firewall Rules
>
>
> > From: "Garrett" <glc at c dash email dot com>
> >
> > > Ok, now that I've finally got my first WRAP up and running (thanks to
> > > everyone on the mailing list who helped), next up is the firewall rules.
> >
> > > WRAP:
> > > LAN0: LAN (172.31.101.0/29), 3 hosts
> > > LAN1: wireless LAN (172.31.101.8/29), 2 hosts (1 AP + 1 PocketPC)
> > > LAN2: WAN (PPPoE DSL)
> >
> > There is a reason we use the LAN and OPTx names.  There are some things that
> > can only be done from a LAN interface, and some things that can only be done
> > from an OPTx interface. I will assume LAN0 is the LAN interface, and the
> > LAN1 is OPT1.  And LAN2 is WAN.
> >
> > > Requirements:
> > > wireless subnet: only want to permit access from the PocketPC on this subnet
> > > to a particular host on the LAN subnet.  I want to deny Internet access to
> > > this subnet all together and deny access to/from the other hosts on the LAN
> > > subnet.
> >
> > It should be on OPT.  Set up DHCP to give addresses.  Put a DHCP static
> > mapping for your device's MAC address outside of the DHCP scope.  Set up a
> > rule on OPT allow that single IP to the IP on the LAN subnet.  All else will
> > be denied, but friendly hackers will get IP addresses and be confused. :-)
> >
> > > LAN subnet: permit Internet access and communication between all hosts on
> > > this subnet (which of course is already done with the Default LAN -> any
> > > rule) and deny access to the wireless subnet (except for the particular host
> > > on this subnet)
> >
> > Deny is already done.  Set up the mirror of the rule above on the LAN subnet
> > from the IP of the pocket PC to the single IP of its destination.  Done.
> >
> >                         Lee
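To make the cost of the "Dest: *" workaround visible, here is an added example (not m0n0wall code and not part of the thread) that simulates the OPT rule sets discussed above. It assumes m0n0wall's rule model: rules are evaluated on the interface where traffic enters, the first matching rule wins, and anything unmatched is dropped by the implicit default deny. The host addresses and sample flows are constructed within the two /29 subnets named in the thread; the ports are illustrative only.

```python
"""First-match simulation of per-interface firewall rules (added example).

Assumptions (not from the thread): first match wins, unmatched traffic is
blocked, and the OPT rules apply to traffic entering the OPT interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str = ANY       # "tcp", "udp", "icmp" or "*"
    src: str = ANY         # "*", a host address or a CIDR
    sport: str = ANY       # "*", a port or "lo-hi"
    dst: str = ANY
    dport: str = ANY


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == ANY:
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= port <= hi
    return int(pattern) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (ANY, pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and _port_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst)
            and _port_matches(rule.dport, pkt.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'block' (implicit deny)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# Constructed host addresses inside the subnets from the thread.
PC = "172.31.101.2"           # the single LAN host the PocketPC may reach
OTHER_LAN_HOST = "172.31.101.3"
POCKETPC = "172.31.101.14"    # static DHCP mapping, outside the dynamic scope
AP = "172.31.101.9"
INTERNET_HOST = "198.51.100.10"

# OPT rules as first written: only PocketPC -> PC is allowed.
OPT_STRICT = [Rule("pass", src=POCKETPC, dst=PC)]
# OPT rules after the "Dest: *" workaround that made ActiveSync work.
OPT_DEST_ANY = [Rule("pass", src=POCKETPC, dst=ANY)]

# Constructed sample flows entering the OPT interface (ports illustrative).
SAMPLE_TRAFFIC = {
    "pocketpc_to_pc": Packet("tcp", POCKETPC, 40000, PC, 5679),
    "pocketpc_to_other_lan_host": Packet("tcp", POCKETPC, 40001, OTHER_LAN_HOST, 445),
    "pocketpc_to_internet": Packet("tcp", POCKETPC, 40002, INTERNET_HOST, 80),
    "ap_to_pc": Packet("tcp", AP, 40003, PC, 22),
}


def audit(rules: list[Rule]) -> dict[str, str]:
    """Verdict for every sample flow under one OPT rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules in (("strict", OPT_STRICT), ("dest any", OPT_DEST_ANY)):
        print(f"OPT rules ({label}):")
        for name, verdict in audit(rules).items():
            print(f"  {name:30} {verdict}")
```

The difference between the two audits is exactly the access the workaround hands to the PocketPC: with "Dest: *" it can reach every other LAN host and the Internet, which the original requirements forbade. The practitioner's route is to keep the strict rule set, log what the implicit deny drops while a sync is attempted, and add a rule for only the destination that shows up.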