|
||||||||
Yes i agree, because firewalls works that way, but if packet comes in one interface it should be checked for that interface/network fw rule set and when it comes out some other interface it should be checked also that interface/network fw rule set. This it should be if you have many "tabs" for your Firewall: Rules page other vice only on pages should be enough (eg. checkpoint). This "tab" way it is quite difficult to manage your rule set if you have multiple interface. Br, Ville sai wrote: > On 2/17/06, monowall at leinonen dot org <monowall at leinonen dot org> wrote: > >> Hi all, >> >> I just setup my fw and i create some vlans. Now i have intresting >> situation for my fw rules and interfaces. Lets say that i have prodnet int >> and mgmtnet int, now i want to make fw rule that allows telnet and ssh >> from prodnet to mgmtnet and deny everything else. So my rules should be >> like this (i also want there is no limitations for prodnet traffic)? >> >> prodnet: >> Rule Proto Source Port Destination Port >> Pass * prodnet * * * >> >> mgmtnet: >> Rule Proto Source Port Destination Port >> Pass TCP prodnet * mgmtnet 22 >> Pass TCP prodnet * mgmtnet 23 >> Deny * * * * * >> >> But now some reason i can take eg http session from prodnet to mgmtnet. Is >> there some limitations for filtering or do i missunderstand something? >> I running 1.21 version. >> >> Best regards, >> >> Ville Leinonen >> >> > > My understanding is that the first firewall rule to match a packet > gets applied. > The packet that comes in on the 'prodnet' interface will match the > first rule above and so be 'pass'ed. It will not be filtered again > when it gets to the 'mgmtnet' interface. > > sai > > --------------------------------------------------------------------- > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch > > |