 From:  "Jason Collins" <jason at mammothcomputers dot com>
 To:  "'Christoph Hanle'" <christoph dot hanle at leinpfad dot de>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Would like to filter outbound traffic for corporate security purposes but my rules don't seem to work
 Date:  Sat, 12 Nov 2005 06:17:06 -0600
My apologies, Christoph.  I didn't thoroughly read through the rules at the
bottom (I haven't had much sleep and no coffee).  I understand from your
second rule (the "or" rule) what I was doing wrong.  I made the changes you
suggested and it seems to be working properly.  That was what I needed.
Thank you all very much for your help!

Jason

-----Original Message-----
From: Christoph Hanle [mailto:christoph dot hanle at leinpfad dot de] 
Sent: Saturday, November 12, 2005 5:47 AM
To: Jason Collins
Subject: Re: [m0n0wall] Would like to filter outbound traffic for corporate
security purposes but my rules don't seem to work

Hi Jason,
I think you have not really understood the function of using ports and
firewalling them:
For example, if you want to allow HTTP to the outside:
your browser uses a random port between 1024-65535 (source) to access the
server on port 80 (destination). The correct rule is:

<rule>
              <type>pass</type>
              <interface>lan</interface>
              <protocol>tcp</protocol>
              <source>
                  <network>lan</network>
                  <port>1024-65535</port>
                        ^^^^^^^^^^
or
                 <port>any</port>
                        ^^^
              </source>
              <destination>
                  <any/>
                  <port>80</port>
              </destination>
              <descr>HTTP Out (Allowed)</descr>
          </rule>

Change your rules.
P.S.
Allow DNS only to the DNS servers of your provider.

Bye
Christoph


Jason Collins schrieb:
>   Glad to post the config -- I am assuming you want the rules and not
> the whole thing (it's rather large)?  I figured out the top-to-bottom
> filtering from the documentation and from having used other firewalls,
> and in an effort to get it working, tried leaving out a deny rule
> altogether and it still wouldn't let anything through.  Anyway,
> here's the rules config:
> 
>        <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <network>lan</network>
>                 <port>53</port>
>             </source>
>             <destination>
>                 <any/>
>                 <port>53</port>
>             </destination>
>             <descr>DNS Out (Allowed)</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <network>lan</network>
>                 <port>80</port>
>             </source>
>             <destination>
>                 <any/>
>                 <port>80</port>
>             </destination>
>             <descr>HTTP Out (Allowed)</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <network>lan</network>
>                 <port>443</port>
>             </source>
>             <destination>
>                 <any/>
>                 <port>443</port>
>             </destination>
>             <descr>HTTPS Out (Allowed)</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <network>lan</network>
>                 <port>21</port>
>             </source>
>             <destination>
>                 <any/>
>                 <port>21</port>
>             </destination>
>             <descr>FTP Out (Allowed)</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp</protocol>
>             <source>
>                 <network>lan</network>
>                 <port>123</port>
>             </source>
>             <destination>
>                 <any/>
>                 <port>123</port>
>             </destination>
>             <descr>NIST Time Out (Allowed)</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp/udp</protocol>
>             <source>
>                 <address>192.168.1.250</address>
>                 <port>25</port>
>             </source>
>             <destination>
>                 <any/>
>             </destination>
>             <descr>SMTP Server Only Out (allowed)</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>tcp/udp</protocol>
>             <source>
>                 <address>192.168.1.250</address>
>                 <port>110</port>
>             </source>
>             <destination>
>                 <any/>
>             </destination>
>             <descr>POP3 Server Only Out (Allowed)</descr>
>         </rule>
>         <rule>
>             <type>pass</type>
>             <interface>lan</interface>
>             <protocol>icmp</protocol>
>             <source>
>                 <address>192.168.1.1</address>
>             </source>
>             <destination>
>                 <any/>
>             </destination>
>             <descr>ICMP Out from Gateway (allowed)</descr>
>         </rule>
>         <rule>
>             <type>block</type>
>             <interface>lan</interface>
>             <source>
>                 <network>lan</network>
>             </source>
>             <destination>
>                 <any/>
>             </destination>
>             <disabled/>
>             <descr>Default Out (Blocked) -- Must be last rule in list</descr>
>         </rule>
> 
> 
> 

--
last words:
"let's make the backup tomorrow"
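As an added example, not code from this thread or from the m0n0wall project: a small Python matcher that walks rules written in m0n0wall's config.xml layout top to bottom and reports which rule a packet hits. It assumes a LAN subnet of 192.168.1.0/24, the two constructed rule sets it embeds (one keyed on source port 80 as in Jason's original config, one using source port 1024-65535 as Christoph suggested) and a constructed browser request from an ephemeral port; the fallback result for a packet that matches no enabled rule is the matcher's own assumption.

```python
"""Added example, not m0n0wall code: a top-to-bottom matcher for rules in
m0n0wall's config.xml layout. It shows why a rule that requires *source*
port 80 never matches an outbound browser request (the browser picks an
ephemeral source port), while source port 1024-65535 with destination
port 80 does. LAN subnet, rule sets and packet are constructed here."""

import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Assumption (not stated in the thread): the LAN subnet behind m0n0wall.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def port_matches(spec, port):
    """<port> may be absent (any), 'any', a single number, or 'lo-hi'."""
    if spec is None or spec.strip().lower() == "any":
        return True
    if port is None:
        return False
    lo, _, hi = spec.partition("-")
    if hi:
        return int(lo) <= port <= int(hi)
    return port == int(lo)


def proto_matches(spec, proto):
    """<protocol> absent means any; 'tcp/udp' means either."""
    return spec is None or proto in spec.lower().split("/")


def endpoint_matches(elem, ip, port):
    """Match a <source> or <destination> element against an address and port."""
    addr = ipaddress.ip_address(ip)
    if elem.find("network") is not None:
        # Only the 'lan' network alias is modelled (assumption).
        if elem.findtext("network") != "lan" or addr not in LAN_NET:
            return False
    elif elem.find("address") is not None:
        if addr != ipaddress.ip_address(elem.findtext("address")):
            return False
    # <any/> or no address selector: every address matches
    return port_matches(elem.findtext("port"), port)


def first_match(rules_xml, pkt):
    """Return (type, descr) of the first enabled rule the packet matches,
    walking top to bottom; the fallback is this matcher's own assumption."""
    root = ET.fromstring(rules_xml)
    for rule in root.iter("rule"):
        if rule.find("disabled") is not None:
            continue  # m0n0wall ignores rules carrying <disabled/>
        if not proto_matches(rule.findtext("protocol"), pkt.proto):
            continue
        if not endpoint_matches(rule.find("source"), pkt.src_ip, pkt.src_port):
            continue
        if not endpoint_matches(rule.find("destination"), pkt.dst_ip, pkt.dst_port):
            continue
        return rule.findtext("type"), rule.findtext("descr")
    return "block", "no rule matched (matcher fallback, default deny assumed)"


# Constructed rule sets in the thread's XML layout.
ORIGINAL_RULES = """<filter>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><network>lan</network><port>80</port></source>
    <destination><any/><port>80</port></destination>
    <descr>HTTP Out (source port 80)</descr></rule>
  <rule><type>block</type><interface>lan</interface>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default Out (Blocked)</descr></rule>
</filter>"""

CORRECTED_RULES = ORIGINAL_RULES.replace(
    "<port>80</port></source>", "<port>1024-65535</port></source>"
).replace("HTTP Out (source port 80)", "HTTP Out (Allowed)")

# Constructed packet: a LAN browser fetching a web page from an ephemeral port.
BROWSER_REQUEST = Packet("tcp", "192.168.1.10", 51515, "203.0.113.5", 80)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(name, "->", first_match(rules, BROWSER_REQUEST))
```

Run as a script it prints the rule each rule set selects for the same browser request: the original set ends in the default block because the ephemeral source port never equals 80, the corrected set passes it on the HTTP rule. The same walk shows why the ordering matters: a request for port 443 still falls through to the block rule, and a rule carrying `<disabled/>` (as Jason's default block did) is skipped entirely.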