On 2/21/06, Christoph Hanle <christoph dot hanle at leinpfad dot de> wrote:
> Quark IT - Hilton Travis wrote:
> > Hi Thomas,
> >
> > [...]
> > Yup, allowing ICMP Echo did the trick. I still find it a bit weird that the default is to break RFCs and there's no interface option to allow ping functionality.
>
> Hi,
> Imho some of the defaults are not very fine:
> - HTTP as standard for accessing the webgui
> - accessing the webgui from the complete LAN; better should be HTTPS and
>   accessing from a single host.
> - allow all from LAN to WAN
> - allow all between the internal interfaces,
> - the deny ICMP from WAN to WAN interface
>
> On every m0n0 I create in the beginning these rules, ending with
> explicit deny rules (logged, excluding WAN to WAN IP), then I start with
> allowed ICMP, allowed DNS to the m0n0, not logged SMB broadcasts and so
> on. If this is done, I start with the allow rules, not logged.
>
> bye
> Christoph

Christoph, yes I agree that the rules in production should be similar to yours, but when I started using m0n0 I found it really easy to get going. This, I think, is because the default was newbie friendly. If the default had been like yours then I would have had lots of problems.

sai
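The rule order Christoph describes, written out as an added illustration that is not part of the thread. m0n0wall builds its ruleset from what you enter in the webGUI, so this is not a file you would drop onto a m0n0wall box; it is hand-written IPFilter syntax (the packet filter m0n0wall 1.x used underneath) showing the same ordering. Interface names (fxp0 = WAN, fxp1 = LAN), the firewall's addresses (203.0.113.2 on WAN, 192.168.1.1 on LAN) and the admin workstation (192.168.1.10) are assumptions for the example.

```conf
# Added example, not from the m0n0wall list thread or the m0n0wall project.
# Assumed layout: fxp0 = WAN (203.0.113.2), fxp1 = LAN (192.168.1.1),
# admin workstation 192.168.1.10.
#
# IPFilter applies the LAST matching rule unless a rule says "quick", in which
# case matching stops there. Every rule below uses "quick", so the file reads
# top to bottom as first-match, which is what the ordering relies on.

# --- WAN: unsolicited inbound ---
# Scans and noise aimed at the WAN address itself: drop silently, otherwise
# the log is full of it.
block in quick on fxp0 from any to 203.0.113.2
# Everything else arriving unsolicited on WAN: drop and log.
block in log quick on fxp0 all

# --- LAN: specific rules first, catch-all deny last ---
# NetBIOS/SMB broadcasts are noise, not an attack; drop them WITHOUT logging.
block in quick on fxp1 proto udp from any to 192.168.1.255 port = 137
block in quick on fxp1 proto udp from any to 192.168.1.255 port = 138

# Allow ping (the thread's original problem), stateful so replies get back.
pass in quick on fxp1 proto icmp from 192.168.1.0/24 to any icmp-type echo keep state

# DNS to the m0n0 itself (its forwarder), nothing else on the LAN needs it.
pass in quick on fxp1 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state

# webGUI: HTTPS only, and only from one admin host. The "block ... log" lines
# below it make any other attempt to reach the GUI show up in the log.
pass in quick on fxp1 proto tcp from 192.168.1.10 to 192.168.1.1 port = 443 flags S keep state
block in log quick on fxp1 proto tcp from any to 192.168.1.1 port = 443
block in log quick on fxp1 proto tcp from any to 192.168.1.1 port = 80

# Ordinary LAN -> WAN traffic: allowed, not logged (the bulk of the traffic).
pass in quick on fxp1 from 192.168.1.0/24 to any keep state

# Anything on the LAN that did not match above: deny and log.
block in log quick on fxp1 all
```

Two things to check when translating this into the webGUI: the HTTP/HTTPS choice for the GUI is a system setting, not a firewall rule, so the port-80 deny above only closes the door after the GUI has been switched to HTTPS; and because the catch-all logged deny sits last, any exception you forget (another DNS server, a VPN, a printer on a second interface) shows up in the log rather than silently failing, which is the point of Christoph's "explicit deny rules, logged" and also why, as sai notes, the default-allow ruleset is easier for a first install.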