 From:  "Mark Shumate" <marks at infowest dot com>
 To:  "'padexx'" <padexx at gmx dot de>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] LAN rule problem (LAN -> WAN)
 Date:  Mon, 31 Oct 2005 12:04:59 -0700
What the two replies have already stated is true. The problem becomes clear
when you realize that packets generated by "PC1" never specify the WAN
address of the m0n0wall (unless of course PC1 is trying to communicate with
the WAN address of the m0n0wall, which there is probably no reason to do).

This is, I think, a pretty common misconception. A person may think
that the stuff their PC sends to the internet has the gateway's IP address
in it somewhere, since you specify a gateway IP address when you configure
your IP network settings on the PC. What the gateway IP address *really*
tells the PC is which machine it needs to communicate with at the underlying
link layer. On an ethernet network (for example) the gateway IP address
tells your PC what MAC/ethernet address to lookup, to put in the ethernet
frames, so that the gateway will listen to the ethernet frames and extract
the IP packets. Once the gateway receives the frame from the link layer, it
throws away that "link" frame, leaving only the raw IP packet. m0n0wall's
rules only apply to the IP packets, so the ethernet frame that was necessary
to get the IP packet from your PC to m0n0wall is not considered by the
firewall rules. Therefore, your rules should be designed with the source and
destination IP addresses in mind, rather than whatever is between them.

-= Mark Shumate
-= InfoWest
-= Business Service Manager
-= phone: 435-674-0165 x1023 (local)
-= phone: 866-INFOWEST x1023 (long distance)
-= email: marks at infowest dot com

-----Original Message-----
From: padexx [mailto:padexx at gmx dot de] 
Sent: Monday, October 31, 2005 09:18
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] LAN rule problem (LAN -> WAN)

Hello everyone!

Straight forward to my problem.
Actually an easy setup:

I have several PCs in my LAN (all static IPs) and I want only a few
to be able to access the internet (WAN).
For testing only one PC should be able to do that.
I have created the following rules in my LAN rule-set:

ALLOW   *   LAN address   *   ->   LAN address   *
ALLOW   *   PC1           *   ->   WAN address   *
DENY    *   LAN address   *   ->   *             *

but PC1 is NOT able to access the net.

If I change the second rule to:
ALLOW   *   PC1           *   ->   *             *

everything is fine! PC1 is able to access the net.
Which I do not understand.
Any help?
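To make the first-match behaviour concrete, here is a small Python model of the two rule-sets from the original post (an added example, not m0n0wall code; the sample addresses, the first-match evaluation and the default-deny fallback are assumptions made for illustration):

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the labels used in the thread.
LAN_NET = ip_network("192.168.1.0/24")    # "LAN address" (modelled as the LAN subnet)
PC1 = ip_network("192.168.1.10/32")       # "PC1"
WAN_ADDR = ip_network("198.51.100.2/32")  # m0n0wall's own "WAN address"
ANY = ip_network("0.0.0.0/0")             # "*"

def match(rules, src, dst):
    """First-match evaluation of (action, source, destination) rules.

    Only the IP header's source and destination are consulted; the
    Ethernet frame that carried the packet to the gateway is gone by
    the time the rules run. No match falls through to DENY (assumed
    default)."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if src in rule_src and dst in rule_dst:
            return action
    return "DENY"

# Rule-set as originally posted: PC1 may only reach the WAN *address*.
RULES_ORIGINAL = [
    ("ALLOW", LAN_NET, LAN_NET),
    ("ALLOW", PC1, WAN_ADDR),
    ("DENY", LAN_NET, ANY),
]

# Rule-set after changing the second rule's destination to "*".
RULES_FIXED = [
    ("ALLOW", LAN_NET, LAN_NET),
    ("ALLOW", PC1, ANY),
    ("DENY", LAN_NET, ANY),
]

def pc1_to_internet(rules, internet_host="203.0.113.5"):
    """Verdict for a packet PC1 sends to an Internet host (constructed IP).

    The packet's destination is the Internet host, never the firewall's
    WAN address, so the WAN-address rule is simply never consulted."""
    return match(rules, "192.168.1.10", internet_host)

if __name__ == "__main__":
    print("original rules:", pc1_to_internet(RULES_ORIGINAL))  # DENY
    print("fixed rules:   ", pc1_to_internet(RULES_FIXED))     # ALLOW
```

The only traffic the original second rule would ever allow is PC1 talking to the m0n0wall's WAN IP itself, which is what the reply above describes.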

