[ previous ] [ next ] [ threads ]
 From:  sai <sonicsai at gmail dot com>
 To:  "Christoph Hanle" <christoph dot hanle at leinpfad dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Ping from WAN
 Date:  Tue, 21 Feb 2006 11:30:19 +0500
On 2/21/06, Christoph Hanle <christoph dot hanle at leinpfad dot de> wrote:
> Quark IT - Hilton Travis schrieb:
> > Hi Thomas,
> >
> > [...]
> > Yup, allowing ICMP Echo did the trick.  I still find it a bit weird that the default is to breaf
RFCs and there's no interface option to allow ping functionality.
> >
> Hi,
> Imho are some of the defaults not very fine:
> - HTTP as standard for accessing the webgui
> - accessing the webgui from the complete lan, better should be HTTPS and
> accessing from a single host.
> - allow all from lan to wan
> - allow all between the internal interfaces,
> - the deny icmp from WAN to waninterface
> On every m0n0 i create in the beginning theses rules ending with
> explicit deny-rules (logged, excluded WAN to wan-ip), then i start with
> allowed icmp, allowed DNS to the m0n0, not logged SMB-broadcasts and so
> on. If this is done, i start with the allow rules not logged.
> bye
> Christoph


yes I agree that the rules in production should be similar to yours,
but when I started using m0n0 I found it really easy to get going.
This, I think, is because the default was  Newbie friendly. If the
default had been like yours then I would have had lots of problems.