 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Would like to filter outbound traffic for corporate security purposes but my rules don't seem to work
 Date:  Sat, 12 Nov 2005 05:35:52 -0600
Jason Collins wrote:
>   Glad to post the config -- I am assuming you want the rules and not
> the whole thing (it's rather large)?  I figured out from the
> documentation and having used other firewalls the top to bottom
> filtering and in an effort to get it working, tried leaving out a
> deny rule altogether and it still wouldn't let anything through. 
> Anyway, here's the rules config: 
> 
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <network>lan</network>
>                 <port>443</port>
>             </source>
>             <destination>
>                 <any/>
>                 <port>443</port>
>             </destination>
>             <descr>HTTPS Out (Allowed)</descr>
>         </rule>

I snipped everything but this one to show your confusion. The source
port for traffic for most services is not the same as the destination
port. The web browser will choose a random port (I can't think w/o coffee
- don't remember the range) above 1024. The source port should be any.

         <rule>
             <type>pass</type>
             <interface>lan</interface>
             <protocol>tcp</protocol>
             <source>
                 <network>lan</network>
***note =>       <port>any</port>
             </source>
             <destination>
                 <any/>
                 <port>443</port>
             </destination>
             <descr>HTTPS Out (Allowed)</descr>
         </rule>

There are some services where the source port will be the same as the
destination port. I think DNS is one of these (note: still no coffee...
someone correct me please). My suggestion would be to make the source
port "any" just to be safe.

_________________________________
James W. McKeand
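Added example (not from this thread and not m0n0wall's own filter code): a small first-match, top-to-bottom evaluator for the two <rule> fragments above, run against outbound HTTPS connections whose source port is drawn from the client's ephemeral range. It shows why the rule with <source><port>443</port></source> never matches a browser's connection, while the corrected <port>any</port> rule does. Assumptions: the rules are wrapped in a hypothetical <filter> root, matching is simplified to interface/protocol/network/port, and the ephemeral range is the IANA dynamic range 49152-65535 (operating systems differ, but all pick ports above 1024).

```python
import random
import xml.etree.ElementTree as ET

# Constructed sample config: the two <rule> fragments from the thread
# (source port 443 vs. source port any), wrapped in a hypothetical
# <filter> root so they parse as one document.
RULES_XML = """<filter>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <protocol>tcp</protocol>
    <source><network>lan</network><port>443</port></source>
    <destination><any/><port>443</port></destination>
    <descr>HTTPS Out (source port 443)</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <protocol>tcp</protocol>
    <source><network>lan</network><port>any</port></source>
    <destination><any/><port>443</port></destination>
    <descr>HTTPS Out (source port any)</descr>
  </rule>
</filter>"""

RULES = ET.fromstring(RULES_XML).findall("rule")
BROKEN_RULE_ONLY = RULES[:1]   # the rule as originally posted
FIXED_RULE_ONLY = RULES[1:]    # the rule as corrected


def port_matches(spec, port):
    """Match a <port> spec: absent or 'any', a single port, or a 'lo-hi' range."""
    if spec is None or spec.strip() == "any":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def endpoint_matches(ep, net, port):
    """Match a <source> or <destination> element against a network name and port.
    <any/> skips the network check; the port check always applies."""
    if ep.find("any") is None and ep.findtext("network") != net:
        return False
    return port_matches(ep.findtext("port"), port)


def rule_matches(rule, proto, iface, src_net, sport, dst_net, dport):
    if rule.findtext("interface") != iface:
        return False
    if rule.findtext("protocol") not in (None, "any", proto):
        return False
    return (endpoint_matches(rule.find("source"), src_net, sport)
            and endpoint_matches(rule.find("destination"), dst_net, dport))


def decide(rules, proto, iface, src_net, sport, dst_net, dport):
    """First match wins, top to bottom. No match at all means the packet
    is dropped by the default deny, which is what the poster observed."""
    for rule in rules:
        if rule_matches(rule, proto, iface, src_net, sport, dst_net, dport):
            return rule.findtext("type"), rule.findtext("descr")
    return "block", "implicit default deny"


def ephemeral_port(rng=random):
    """Pick a client source port the way an OS would: a high, random port.
    Assumed range: IANA dynamic ports 49152-65535 (real OS ranges vary)."""
    return rng.randint(49152, 65535)


def browser_https_results(n=1000, seed=1):
    """Simulate n outbound HTTPS connections from the LAN and count how many
    each ruleset passes. Returns e.g. {'broken': 0, 'fixed': 1000}."""
    rng = random.Random(seed)
    passed = {"broken": 0, "fixed": 0}
    for _ in range(n):
        sport = ephemeral_port(rng)
        for name, rules in (("broken", BROKEN_RULE_ONLY), ("fixed", FIXED_RULE_ONLY)):
            verdict, _ = decide(rules, "tcp", "lan", "lan", sport, "wan", 443)
            if verdict == "pass":
                passed[name] += 1
    return passed


if __name__ == "__main__":
    print(browser_https_results())
    # The only connection the broken rule would ever pass: source port 443 too.
    print(decide(BROKEN_RULE_ONLY, "tcp", "lan", "lan", 443, "wan", 443))
```

The simulation makes the failure mode concrete: with the posted rule alone, every browser connection falls through to the default deny, and removing a separate deny rule (as the poster tried) changes nothing because the pass rule simply never matches. The same evaluator also shows the one case the posted rule does pass, a connection whose source port happens to be 443, which a browser will not produce.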