Sean
Rules are processed top-down and exit-on-match.
The wrong way:
rule x: permit TCP/UDP source any port any to destination port 80
rule x+1: deny TCP source x.x.x.x port any to destination port 80
The first rule allows anyone to access any web server; the IP you want to
deny will also match the first rule and exit. Therefore your second rule will
never match.
The right way:
rule x: deny TCP source x.x.x.x port any to destination port 80
rule x+1: permit TCP/UDP source any port any to destination port 80
In this case the IP to deny will match and exit on the first rule and be denied.
All others will not match the first rule but the second, and will be allowed.
Keep this in mind and you will have clean rules!
Daniele
Sean Logan wrote:
> I'm having problems trying to prevent an internal PC from using the internet
> via port 80. I've tried creating a rule but nothing has worked so far. Is
> there a specific order or way I should create this rule?
--
best regards
------------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNA, CCNP
Ackersteinstrasse 203
CH-8049 Zurich
------------------------------------------------------------------
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
William Jennings Bryan
GPG Fingerprint: 46EF FB0A A405 659F FB63 860B 6059 7A22 F58E 830E
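The first-match semantics described in the reply above, as an added example that is not part of the original thread or of any particular firewall product. It models a rule list as an ordered list, walks it top-down, and stops at the first match, so the "wrong way" and "right way" orderings can be compared on the same packets. It also flags rules that can never fire because an earlier, broader rule covers them, which is the situation the reply warns about. The rule/packet classes, the helper names, the addresses (192.0.2.10 as the PC to block, 198.51.100.5 as a web server) and the default-deny at the end of the list are assumptions for illustration.

```python
"""Top-down, exit-on-match firewall rule evaluation (illustrative model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None  # wildcard value for a rule field


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    protos: frozenset      # e.g. frozenset({"tcp", "udp"})
    src: object = ANY      # ip_network or ANY
    src_port: object = ANY  # int or ANY
    dst: object = ANY      # ip_network or ANY
    dst_port: object = ANY  # int or ANY


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def _field_matches(field, value):
    """A rule field matches a packet value if it is a wildcard, a network
    containing the address, or an exact port match."""
    if field is ANY:
        return True
    if hasattr(field, "network_address"):
        return ip_address(value) in field
    return field == value


def matches(rule, pkt):
    return (pkt.proto in rule.protos
            and _field_matches(rule.src, pkt.src)
            and _field_matches(rule.src_port, pkt.src_port)
            and _field_matches(rule.dst, pkt.dst)
            and _field_matches(rule.dst_port, pkt.dst_port))


def evaluate(rules, pkt, default="deny"):
    """Walk the list top-down; return (index, action) of the first rule that
    matches, or (None, default) when nothing matched (implicit deny)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule.action
    return None, default


def _covers(a, b):
    """True if field a matches everything field b matches."""
    if a is ANY:
        return True
    if b is ANY:
        return False
    if hasattr(a, "network_address"):
        return b.subnet_of(a)
    return a == b


def shadowed(rules):
    """Indices of rules that can never fire: every packet they would match is
    already caught by an earlier rule."""
    fields = ("src", "src_port", "dst", "dst_port")
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.protos <= earlier.protos
                    and all(_covers(getattr(earlier, f), getattr(later, f))
                            for f in fields)):
                out.append(j)
                break
    return out


# Constructed sample data (assumptions, not from the thread).
BLOCKED_HOST = ip_network("192.0.2.10/32")  # the internal PC to keep off port 80
WEB = frozenset({"tcp", "udp"})

# The wrong way: the broad permit comes first and swallows the deny.
WRONG_ORDER = [
    Rule("permit", WEB, dst_port=80),
    Rule("deny", frozenset({"tcp"}), src=BLOCKED_HOST, dst_port=80),
]

# The right way: the specific deny comes first, the broad permit after it.
RIGHT_ORDER = [
    Rule("deny", frozenset({"tcp"}), src=BLOCKED_HOST, dst_port=80),
    Rule("permit", WEB, dst_port=80),
]

BLOCKED = Packet("tcp", "192.0.2.10", 51000, "198.51.100.5", 80)
OTHER = Packet("tcp", "192.0.2.20", 51001, "198.51.100.5", 80)

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, "blocked host ->", evaluate(rules, BLOCKED),
              "| other host ->", evaluate(rules, OTHER),
              "| shadowed rules:", shadowed(rules))
```

`shadowed()` is the check worth running before pushing a change: it reports rule 1 of WRONG_ORDER (the deny) as unreachable, and nothing for RIGHT_ORDER. The model deliberately treats ports as exact values and addresses as networks; real products add ranges, negation and stateful matching, but the top-down first-match walk in `evaluate()` is the part that determines which ordering works.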