 
 From:  stfuhello <stfuhelloworld at yahoo dot com dot au>
 To:  "James W. McKeand" <james at mckeand dot biz>, mono <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] monowall HTTP ports on LAN side ?!?!*%# Im a n00b
 Date:  Sun, 30 Oct 2005 23:52:52 +1000
Thanks for your reply guys. I now understand a more secure way of 
creating rules. I tried what was mentioned below, i.e.

Interface - LAN
Source - any:any
Destination - any:80

and it worked :)

Then I tried

Interface - LAN
Source - 10.10.10.11:any
Destination - any:80

and it worked :)

After this I wanted to learn of the port which the host 10.10.10.11 locally routes HTTP traffic
through, in order to enter it in as opposed to just leaving the port as any, i.e.

Interface - LAN
Source - 10.10.10.11:I Want to enter it in Here
Destination - any:80


I logged the HTTP rule and opened up a couple of Firefox windows to get the ports used on
10.10.10.11. To my surprise Firefox used ports 1675 - 1680? and still changing to other ranges. Is
there any way to make Firefox (and other applications) use a number of static ports so they can be
entered into rules, i.e. see where I have typed "I Want to enter it in Here"

I was wondering if there is a way to create rules on the LAN Rules 
Interface that contain a source port number for each application. I
James W. McKeand wrote:

>stfuhello wrote:
>  
>
>>Hi guys, I am having a few problems because I'm a n00b :) . In the
>>following paragraph I will be referring to DIAGRAMS located at
>>http://img433.imageshack.us/img433/4404/problem4pk.jpg. What I would
>>like to do is delete the LAN "permit any", as seen in DIAGRAM A.
>>After this I would like to manually create rules to permit each
>>program access to the net and access to other hosts through the LAN rules
>>interface. I'm doing this to add an extra layer of security. I thought
>>of starting off with HTTP, thinking it would be easy enough. After
>>disabling the "permit any" rule on the LAN interface, I tried creating a
>>LAN rule to allow HTTP on LAN and net but to no avail. I tried adding
>>default HTTP rules to everything... but I still couldn't access the
>>net with my browser. I then thought well, I will enable the "permit
>>any" rule (DIAGRAM A) and log traffic to see what's happening. I cleared all
>>previous firewall logs then opened my browser. The logged traffic is
>>highlighted as DIAGRAM D. I've also added the NAT interface and WAN rules
>>interface in DIAGRAMS B+C in case I'm making some monumental mistake/s.
>>Could someone please show me how to create a relatively specific
>>(as opposed to "permit any") HTTP rule/s on the LAN rules interface
>>to access the net and other hosts on the LAN.
>>
>
>If you can browse the m0n0wall WebGUI - this is because there is a
>hidden "anti-lockout" rule that allows http/https to the LAN address of
>the m0n0wall.
>
>Instead of disabling the default rule, try editing the default rule to
>read something like this:
>
>Interface - LAN
>Source - any:any
>Destination - any:80
>
>The number after the colon is the port ;-) Remember the source port can
>be almost anything (3643 and 3644 in your example) The destination would
>be port 80 for http. Other destination ports you will want to open may
>be 443 - https, 25 - smtp, 20 & 21 - ftp, 110 - pop3, 119 - nntp, 123 -
>sntp, and 143 - imap4
>
>If you wish to restrict certain machines from accessing the web, use a
>specific IP for the source (again use any for the source port).
>
>Rules on the firewall will not stop traffic between hosts on the same
>network. If 10.10.10.11 wants to talk to 10.10.10.12 - the traffic goes
>directly between the hosts and never reaches the m0n0wall. The rules
>will only affect traffic that passes through the firewall.
>
>_________________________________
>James W. McKeand
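The rule shapes quoted in the reply, as an added example that is not part of the thread and is not m0n0wall's own code: a minimal first-match evaluator for rules of the form Interface / Source ip:port / Destination ip:port, run over a constructed log of one browser session. It shows why a rule that pins the source port (the poster's "I Want to enter it in Here") passes only one of the connections, while the reply's any-source-port rule with destination port 80 passes them all. The `Rule` and `Packet` classes, the log format, the "first match wins, otherwise block" semantics and the 192.0.2.x destination addresses are all assumptions made for this example.

```python
"""Added example (not from the mailing-list thread or from m0n0wall):
a minimal first-match evaluator for LAN rules of the form
Interface / Source ip:port / Destination ip:port.

Demonstrates the point made in the reply: the source port of an outbound
HTTP connection is an ephemeral port picked by the client's operating
system and changes per connection, so a rule must pin the destination
port (80) and leave the source port as 'any'. The log lines below are
constructed; destination addresses use the 192.0.2.0/24 documentation
range and the rule/log syntax is a simplification, not m0n0wall's own.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    interface: str
    src_ip: Optional[str]     # None means 'any'
    src_port: Optional[int]   # None means 'any'
    dst_ip: Optional[str]
    dst_port: Optional[int]
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field set to None matches anything; otherwise it must be equal."""
    return (rule.interface == pkt.interface
            and rule.src_ip in (None, pkt.src_ip)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_ip in (None, pkt.dst_ip)
            and rule.dst_port in (None, pkt.dst_port))


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; with no match the default is to block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Constructed log of one browser session: several connections to port 80,
# each from a fresh ephemeral source port (the 1675-1680 range seen in the post).
SAMPLE_LOG = """\
LAN 10.10.10.11:1675 -> 192.0.2.10:80 TCP
LAN 10.10.10.11:1676 -> 192.0.2.10:80 TCP
LAN 10.10.10.11:1677 -> 192.0.2.20:80 TCP
LAN 10.10.10.11:1680 -> 192.0.2.20:80 TCP
LAN 10.10.10.11:1681 -> 192.0.2.20:443 TCP
"""


def parse_log(text: str) -> List[Packet]:
    """Parse the constructed 'IFACE src:port -> dst:port PROTO' lines."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, src, _, dst, proto = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        packets.append(Packet(iface, src_ip, int(src_port), dst_ip, int(dst_port), proto))
    return packets


def count_passed(rules: List[Rule], text: str) -> int:
    """How many logged connections the rule set would pass."""
    return sum(1 for pkt in parse_log(text) if first_match(rules, pkt) == "pass")


# The rule the poster was trying to write: source port pinned to one value.
PINNED_SOURCE_PORT = [Rule("LAN", "10.10.10.11", 1675, None, 80)]
# The rule from the reply: fixed destination port, source port 'any'.
ANY_SOURCE_PORT = [Rule("LAN", "10.10.10.11", None, None, 80)]
# One rule per destination port, as the reply suggests for http and https.
WEB_PORTS = ANY_SOURCE_PORT + [Rule("LAN", "10.10.10.11", None, None, 443)]


if __name__ == "__main__":
    for name, rules in [("pinned source port", PINNED_SOURCE_PORT),
                        ("source port any", ANY_SOURCE_PORT),
                        ("80 and 443", WEB_PORTS)]:
        print(f"{name}: {count_passed(rules, SAMPLE_LOG)} of 5 connections pass")
```

Run as a script it reports 1, 4 and 5 passing connections for the three rule sets. The design point is the one the reply makes: the service is identified by the destination port, and the source port is chosen by the client at connect time, so entering it in a rule only ever matches the single connection that happened to use it.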
