On 3/1/06, simon dot vetterli at hotelplan dot ch <simon dot vetterli at hotelplan dot ch> wrote:
> Hi
>
> Behind my m0n0Wall, I have a CardTerminal (for paying with cards).
> From the vendor I get a list of IP addresses and ports with which this terminal has to communicate.
>
> How do I set this on my m0n0wall?
>
> From outside my m0n0Wall, I have an ip-address from my ISP.
>
> Kind Regards.
>
> Simon Vetterli
> IC-Berater Informatik Hotelplan
>
> Hotelplan AG
> Internationale Reiseorganisation
> Sägereistrasse 20
> CH-8152 Glattbrugg
> Tel: +41 43 211 79 56
> Fax: +41 43 222 96 14
> mailto:simon dot vetterli at hotelplan dot ch
> http://www.hotelplan.ch
>
If the terminal is going to initiate connections then the default
firewall rules will allow it to do so.
If you want to be secure in your config then you should only allow the
terminal access to the ip addresses indicated by the bank.
The default LAN rule looks like this:
Proto     Source          Port  Destination     Port       Description
*         LAN net         *     *               *          allow all
Your terminal rule would replace that and have rules like:
Proto     Source          Port  Destination     Port       Description
TCP/UDP   term.ip.add.r   *     BANK.ip.ad.dr   bank-port  CardTerminal
If the Bank needs to connect to the terminal (to maybe update the
software) then the firewall will block it and you will need to set
the terminal up as a server with NAT etc. See DMZ docs for that.
sai
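To make the difference between the default "allow all" LAN rule and the restricted CardTerminal rule concrete, here is a small first-match rule evaluator, added as an illustration and not part of the original thread or of m0n0wall itself (m0n0wall's real filter is ipfilter-based; this only models the rule-table semantics of the reply above). The LAN network, terminal address, bank address and bank port are constructed placeholder values, and the empty WAN rule list stands in for the observation that unsolicited inbound connections are dropped unless NAT and a WAN pass rule are set up.

```python
"""Toy first-match packet-filter evaluator for the LAN rule tables above.

Added example, not m0n0wall code.  Rules are checked top to bottom; the
first match decides, and anything that matches nothing is blocked
(implicit default deny).  Stateful reply handling is out of scope.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"


@dataclass(frozen=True)
class Rule:
    proto: str          # "TCP", "UDP", "TCP/UDP" or "*"
    src: str            # IP, CIDR or "*"
    sport: str          # port, "lo-hi" range or "*"
    dst: str
    dport: str
    descr: str
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _proto_match(rule_proto: str, proto: str) -> bool:
    # "TCP/UDP" in the rule table means either protocol.
    return rule_proto == ANY or proto.upper() in rule_proto.upper().split("/")


def _addr_match(rule_addr: str, addr: str) -> bool:
    # A bare host address is treated as a /32 network.
    return rule_addr == ANY or ip_address(addr) in ip_network(rule_addr, strict=False)


def _port_match(rule_port: str, port: int) -> bool:
    if rule_port == ANY:
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate(rules, pkt: Packet):
    """Return (action, description) of the first matching rule, or the implicit deny."""
    for r in rules:
        if (_proto_match(r.proto, pkt.proto)
                and _addr_match(r.src, pkt.src) and _port_match(r.sport, pkt.sport)
                and _addr_match(r.dst, pkt.dst) and _port_match(r.dport, pkt.dport)):
            return r.action, r.descr
    return "block", "implicit default deny"


# Constructed placeholder values (assumptions, not from the thread).
LAN_NET = "192.168.1.0/24"
TERMINAL = "192.168.1.50"       # term.ip.add.r
BANK = "203.0.113.10"           # BANK.ip.ad.dr (TEST-NET-3 documentation range)
BANK_PORT = "443"               # bank-port

# The default LAN ruleset from the reply: everything from the LAN passes.
DEFAULT_RULES = [Rule(ANY, LAN_NET, ANY, ANY, ANY, "allow all")]

# The restricted ruleset: only the terminal, only to the bank, only on the bank port.
TERMINAL_RULES = [Rule("TCP/UDP", TERMINAL, ANY, BANK, BANK_PORT, "CardTerminal")]

# No WAN pass rules: unsolicited inbound traffic (e.g. a bank-initiated update) is dropped.
WAN_RULES = []


def compare(pkt: Packet):
    """Show how the same LAN packet fares under both rulesets."""
    return {
        "default": evaluate(DEFAULT_RULES, pkt),
        "restricted": evaluate(TERMINAL_RULES, pkt),
    }


if __name__ == "__main__":
    to_bank = Packet("TCP", TERMINAL, 40000, BANK, 443)
    elsewhere = Packet("TCP", TERMINAL, 40001, "198.51.100.7", 80)
    other_host = Packet("TCP", "192.168.1.51", 40002, BANK, 443)
    for name, p in [("terminal->bank", to_bank), ("terminal->elsewhere", elsewhere),
                    ("other host->bank", other_host)]:
        print(name, compare(p))
    print("bank->terminal on WAN", evaluate(WAN_RULES, Packet("TCP", BANK, 5555, TERMINAL, 8080)))
```

Under the default rule every LAN host can reach anything; under the restricted rule the terminal reaches the bank and nothing else, and other LAN hosts get nothing at all, which is why the reply suggests replacing the default rule rather than adding to it.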