 From:  dave morgan <morgad at eclipse dot co dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Anti-spoof rules preventing routing other subnets
 Date:  Tue, 18 Apr 2006 21:29:32 +0100
On Tue, 18 Apr 2006 13:09:05 -0500, cdillon at wolves dot k12 dot mo dot us wrote:

>Looking through status.php at the generated ipfilter ruleset, I see
>that the anti-spoof rules come before the user rules, is there any
>particular reason for that?  It would be nice if they came after the
>user rules since the user would be allowed to create his own rules to
>allow other subnets to be routed through that interface.  In absence of
>those rules the default would still be to deny spoofs.  If that isn't
>possible, maybe an option to disable the anti-spoof rules entirely.
>I'm not even sure the anti-spoof rules are necessary under normal
>circumstances, as long as the user creates rules with "INTERFACE
>subnet" as the source (maybe make this the default source for new
>rules?) instead of "any" then spoofed packets would be dropped by the
>default deny

Can I add a 'Me too' ?

I am getting hit by this causing my logs to be filled with entries from
my Samba server giving lots of entries like this (slightly edited) -

LAN, port 138, port 138 	UDP

The only machine on my LAN has address, but the Samba server
that runs on it appears to be using a different IP address as well.

The first rule in my LAN chain is to drop all traffic from this address
and not log it. But of course the fixed rule runs first and logs it!

Could we at least have the *all* the rules displayed on the firewall pages,
even those we cannot edit? Similar to the way the block private networks
option works, so we don't have to dive into the status.php page to work out 
why things are not working as expected.

best regards
http://www.morgad.no-ip.info/index.html    gpg:0x64B5E037 
Distributed Proofreaders: http://www.pgdp.net
The NTP server pool http://www.pool.ntp.org
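The ordering problem discussed in this thread (a fixed, logging anti-spoof rule evaluated before the user's own silent drop rule) can be shown with a small first-match simulator. This is an added example, not code from m0n0wall or ipfilter; the rule syntax is a simplified subset of ipfilter's, the interface name LAN, the subnet 192.168.1.0/24 and the addresses 10.0.0.5 / 10.0.0.6 are constructed placeholders, and the rules themselves are assumptions standing in for the generated and user rulesets.

```python
"""Toy first-match evaluator for ipfilter-style rules (constructed example).

Supported subset: ACTION in [log] [quick] on IFACE from [!] SRC to any
where SRC is a CIDR or 'any'. 'quick' stops at the first match; without it
ipfilter lets the last matching rule win, which is modelled too.
"""
import ipaddress

# Assumed rulesets; addresses and interface name are placeholders, not from the thread.
ANTISPOOF = "block in log quick on LAN from ! 192.168.1.0/24 to any"
USER_DROP_SILENT = "block in quick on LAN from 10.0.0.5/32 to any"   # drop, do not log
USER_ALLOW_LAN = "pass in quick on LAN from 192.168.1.0/24 to any"   # 'LAN subnet' as source

GENERATED_ORDER = [ANTISPOOF, USER_DROP_SILENT, USER_ALLOW_LAN]   # anti-spoof first
PROPOSED_ORDER = [USER_DROP_SILENT, USER_ALLOW_LAN, ANTISPOOF]    # user rules first
NO_ANTISPOOF = [USER_DROP_SILENT, USER_ALLOW_LAN]                 # rely on default deny


def parse_rule(text):
    """Parse one rule line into a dict; raises ValueError on unsupported syntax."""
    words = text.split()
    if len(words) < 6 or "on" not in words or "from" not in words:
        raise ValueError("unsupported rule: %r" % text)
    i = words.index("from") + 1
    negate = words[i] == "!"
    if negate:
        i += 1
    src = words[i]
    return {
        "action": words[0],
        "log": "log" in words,
        "quick": "quick" in words,
        "iface": words[words.index("on") + 1],
        "negate": negate,
        "src": None if src == "any" else ipaddress.ip_network(src),
    }


def rule_matches(rule, iface, src_ip):
    """True if the rule applies to a packet arriving on iface from src_ip."""
    if rule["iface"] != iface:
        return False
    hit = rule["src"] is None or ipaddress.ip_address(src_ip) in rule["src"]
    return hit != rule["negate"]


def evaluate(rule_texts, iface, src_ip, default=("block", True)):
    """Return (action, logged) for a packet; 'default' models the default deny."""
    result = None
    for rule in (parse_rule(t) for t in rule_texts):
        if rule_matches(rule, iface, src_ip):
            result = (rule["action"], rule["log"])
            if rule["quick"]:
                break
    return result if result is not None else default


def compare_orders(src_ip):
    """Show how each ordering treats a packet from src_ip on the LAN interface."""
    return {
        "generated": evaluate(GENERATED_ORDER, "LAN", src_ip),
        "proposed": evaluate(PROPOSED_ORDER, "LAN", src_ip),
        "no_antispoof": evaluate(NO_ANTISPOOF, "LAN", src_ip),
    }


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.6", "192.168.1.10"):
        print(ip, compare_orders(ip))
```

With the generated order the off-subnet source 10.0.0.5 is logged by the anti-spoof rule and the user's silent drop is never reached; with the user rules first it is dropped silently, while other off-subnet sources such as 10.0.0.6 are still caught and logged by the anti-spoof rule. With no anti-spoof rule at all, and the pass rule restricted to the LAN subnet, an off-subnet source falls through to the default deny, which is the behaviour the quoted message argues would be sufficient.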