 From:  Christoph Hanle <christoph dot hanle at leinpfad dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ping from WAN
 Date:  Tue, 21 Feb 2006 07:20:04 +0100
Quark IT - Hilton Travis schrieb:
> Hi Thomas,
> [...]
> Yup, allowing ICMP Echo did the trick.  I still find it a bit weird that the default is to break
> RFCs and there's no interface option to allow ping functionality.
Imho, some of the defaults are not very fine:
- HTTP as standard for accessing the webgui
- accessing the webgui from the complete LAN; better would be HTTPS and
access from a single host
- allow all from LAN to WAN
- allow all between the internal interfaces
- the deny ICMP from WAN to the WAN interface

On every m0n0 I create these rules in the beginning, ending with
explicit deny rules (logged, except WAN to WAN-IP). Then I start with
allowed ICMP, allowed DNS to the m0n0, not-logged SMB broadcasts and so
on. When this is done, I start with the allow rules, not logged.

> --
> Regards,
> Hilton Travis                          Phone: +61 (0)7 3344 3889
> (Brisbane, Australia)                  Phone: +61 (0)419 792 394
> Manager, Quark IT                      http://www.quarkit.com.au
>          Quark AudioVisual             http://www.quarkav.net
> http://www.threatcode.com/ <-- it's now time to shame poor coders
> into writing code that is acceptable for use on today's networks
> War doesn't determine who is right.  War determines who is left.
> This document and any attachments are for the intended recipient
> only.  It may contain confidential, privileged or copyright
> material which must not be disclosed or distributed.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

last words:
"let's make the backup tomorrow"
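As an added illustration (not code from the thread or from m0n0wall itself), a small first-match evaluator for the rule order Christoph describes: logged allow rules for ICMP and DNS first, quiet rules for SMB broadcasts so they do not flood the log, ordinary allow rules not logged, and explicit logged deny rules at the end with the WAN-to-WAN-IP deny excluded from logging. The addresses, the Rule fields and the first-match semantics are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the packet arrives on ("wan" or "lan")
    proto: str             # "icmp", "udp", "tcp" or "any"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination port, None = any
    log: bool              # whether a hit on this rule is written to the log

@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt):
    """First matching rule wins (assumed semantics). No match falls through
    to an implicit default deny, treated here as logged so it is reviewable."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.log
    return "block", True

# Constructed addresses: WAN IP 203.0.113.10, LAN 192.168.1.0/24, firewall LAN IP 192.168.1.1
WAN_IP, LAN, FW_LAN = "203.0.113.10/32", "192.168.1.0/24", "192.168.1.1/32"
RULES = [
    Rule("pass",  "wan", "icmp", "0.0.0.0/0", WAN_IP, None, True),          # allow ping, logged
    Rule("pass",  "lan", "udp",  LAN, FW_LAN, 53, True),                     # DNS to the m0n0, logged
    Rule("block", "lan", "udp",  LAN, "192.168.1.255/32", 137, False),       # SMB broadcast noise, quiet
    Rule("block", "lan", "udp",  LAN, "192.168.1.255/32", 138, False),
    Rule("pass",  "lan", "tcp",  LAN, "0.0.0.0/0", 443, False),              # ordinary allow rule, not logged
    Rule("block", "wan", "any",  "0.0.0.0/0", WAN_IP, None, False),          # deny to WAN IP, excluded from log
    Rule("block", "wan", "any",  "0.0.0.0/0", "0.0.0.0/0", None, True),      # explicit final deny, logged
    Rule("block", "lan", "any",  "0.0.0.0/0", "0.0.0.0/0", None, True),
]
```

Reordering the list changes the outcome, which is the point of putting the quiet broadcast rules before the logged final deny.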