[ previous ] [ next ] [ threads ]
 From:  sai <sonicsai at gmail dot com>
 To:  "monowall at leinonen dot org" <monowall at leinonen dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Question about fw rules and interfaces.
 Date:  Fri, 17 Feb 2006 13:32:02 +0500
On 2/17/06, monowall at leinonen dot org <monowall at leinonen dot org> wrote:
> Hi all,
> I just setup my fw and i create some vlans. Now i have intresting
> situation for my fw rules and interfaces. Lets say that i have prodnet int
> and mgmtnet int, now i want to make fw rule that allows telnet and ssh
> from prodnet to mgmtnet and deny everything else. So my rules should be
> like this (i also want there is no limitations for prodnet traffic)?
> prodnet:
> Rule Proto Source  Port Destination Port
> Pass *     prodnet *    *           *
> mgmtnet:
> Rule Proto Source  Port Destination Port
> Pass TCP   prodnet *    mgmtnet     22
> Pass TCP   prodnet *    mgmtnet     23
> Deny *     *       *    *           *
> But now some reason i can take eg http session from prodnet to mgmtnet. Is
> there some limitations for filtering or do i missunderstand something?
> I running 1.21 version.
> Best regards,
> Ville Leinonen

My understanding is that the first firewall rule to match a packet
gets applied.
The packet that comes in on the 'prodnet' interface will match the
first rule above and so be 'pass'ed. It will not be filtered again
when it gets to the 'mgmtnet' interface.