On 2/21/06, Christoph Hanle <christoph dot hanle at leinpfad dot de> wrote:
> Quark IT - Hilton Travis wrote:
> > Hi Thomas,
> > [...]
> > Yup, allowing ICMP Echo did the trick. I still find it a bit weird that the default is to break
> > RFCs and there's no interface option to allow ping functionality.
> IMHO some of the defaults are not very fine:
> - HTTP as the standard for accessing the webgui
> - accessing the webgui from the complete LAN; better would be HTTPS and
> accessing from a single host.
> - allow all from LAN to WAN
> - allow all between the internal interfaces,
> - the deny ICMP from WAN to the WAN interface
> On every m0n0 I create these rules in the beginning, ending with
> explicit deny rules (logged, excluding WAN to WAN IP); then I start with
> allowed ICMP, allowed DNS to the m0n0, not-logged SMB broadcasts and so
> on. Once this is done, I start with the allow rules, not logged.
Yes, I agree that the rules in production should be similar to yours,
but when I started using m0n0 I found it really easy to get going.
This, I think, is because the default was newbie friendly. If the
default had been like yours, I would have had lots of problems.
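Christoph's ordering, written out as an added illustration in ipfilter syntax (ipfilter is the packet filter m0n0wall runs on). This is not m0n0wall's own generated ruleset, and on a real box the rules are entered through the webgui rather than as a file; the interface names, addresses and the admin workstation are assumptions chosen for the example. Every rule carries `quick` so that the first match wins; without it ipfilter applies the last matching rule, which is the opposite of what the top-down list in the webgui suggests.

```text
# Added illustration, not m0n0wall's own generated rules.
# Assumed: WAN is sis0 (203.0.113.5), LAN is sis1 (192.168.1.1/24),
# the admin workstation is 192.168.1.10, second internal segment is sis2 (192.168.2.0/24).

# --- WAN side ---
# Answer ping on the WAN address (the original complaint in this thread).
pass in quick on sis0 proto icmp from any to 203.0.113.5 icmp-type echo keep state
# Unsolicited traffic aimed at the WAN address itself is constant background noise:
# drop it without logging. Everything else arriving on WAN is dropped and logged.
block in quick on sis0 from any to 203.0.113.5
block in log quick on sis0 all

# --- LAN side ---
# Management: HTTPS to the firewall from one host only; plain HTTP to the firewall
# is refused and logged so a misconfigured client shows up in the log.
pass in quick on sis1 proto tcp from 192.168.1.10 to 192.168.1.1 port = 443 flags S keep state
block in log quick on sis1 proto tcp from any to 192.168.1.1 port = 80

# Services the firewall itself provides to the LAN: ping and DNS.
pass in quick on sis1 proto icmp from 192.168.1.0/24 to 192.168.1.1 icmp-type echo keep state
pass in quick on sis1 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state
pass in quick on sis1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 53 flags S keep state

# NetBIOS/SMB broadcasts (UDP 137/138) never leave the segment; drop them
# silently so the deny log stays readable.
block in quick on sis1 proto udp from any to 192.168.1.255 port 136 >< 139
block in quick on sis1 proto udp from any to 255.255.255.255 port 136 >< 139

# Outbound: only what the site needs, instead of "allow all LAN to WAN", not logged.
pass in quick on sis1 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state
pass in quick on sis1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
pass in quick on sis1 proto tcp from 192.168.1.0/24 to any port = 25 flags S keep state

# Nothing crosses between the internal segments unless an allow rule above says so,
# then the explicit, logged, catch-all deny for each internal interface.
block in log quick on sis1 from any to 192.168.2.0/24
block in log quick on sis2 from any to 192.168.1.0/24
block in log quick on sis1 all
block in log quick on sis2 all
```

The two unlogged `block` rules are the point of "logged, excluding WAN to WAN IP" and "not logged SMB broadcasts": they sit before the logged catch-all so the log only contains traffic that is actually worth a look. Reply packets for the stateful outbound rules are matched from the state table before the rule list is consulted, so the unlogged WAN block does not break established connections.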