From: "Chris Buechler" <cbuechler at gmail dot com>
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Firewall ruleset
Date: Fri, 12 May 2006 23:11:59 -0400
On 5/12/06, Alexander Schaber <uranellus at gmx dot net> wrote:
>
> But I'm not exactly sure how to set up the firewall rule on the m0n0 box
> set in order to fit my needs:
>
>    * Allowing Traffic from the classroom subnets (205,202,204,210) to
> the backbone

Put in an appropriate rule on each OPT interface permitting that IP
subnet to the backbone network.


>    * Blocking Traffic between the subnets (e.g. 192.168.202.0/24 cannot
>      access 192.168.168.204.0/24)

In this case, you'll probably want to permit traffic to the Internet,
so you'll probably want to end with a "permit any any" rule.  So, on
each OPT interface, put in a permit rule for 192.168.0.0/24, then I'd
put in a deny any to destination 192.168.0.0/16 after that (rules are
first match, processed top to bottom).  Then follow that with a permit
all any to any, if you need to let Internet access through (ideally
you'd put a proxy server on your backbone subnet, and only allow the
clients to talk to that proxy server, and let it talk out to the
Internet).


>    * Allowing DNS, HTTP(S) from the WAN interface.
>

Put in a firewall rule on the WAN allowing HTTPS from the appropriate
source IPs.


> Is it a good idea to also NAT the classroom subnets 205,202,204,210 ?
>

If your backbone network is indeed private IPs as you show, I would
disable NAT on the m0n0wall in that picture (see the FAQ for info on
that).

 -Chris
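The reply above hinges on first-match evaluation: the order "permit classroom to backbone, deny everything to 192.168.0.0/16, permit any any" only works because the first rule that matches wins. The following is an added example, not code from the thread or from m0n0wall itself; it simulates that top-to-bottom evaluation in Python so the ordering can be checked before typing rules into the GUI. Subnets are taken from the discussion where given (backbone 192.168.0.0/24, classrooms 192.168.202.0/24 and friends); the admin source range 198.51.100.0/24, the firewall WAN address 203.0.113.1, and the implicit default-deny when no rule matches are assumptions of this example.

```python
"""Simulate first-match (top to bottom) firewall evaluation for the
classroom/backbone layout discussed in the thread. Constructed example:
all addresses below are assumed, not taken from a real deployment."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
BACKBONE = ip_network("192.168.0.0/24")      # backbone subnet named in the reply
PRIVATE_16 = ip_network("192.168.0.0/16")    # covers backbone and every classroom
CLASSROOMS = {n: ip_network(f"192.168.{n}.0/24") for n in (202, 204, 205, 210)}
ADMIN_NET = ip_network("198.51.100.0/24")    # assumed admin source range (TEST-NET-2)
WAN_IP = ip_network("203.0.113.1/32")        # assumed WAN address of the firewall


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip, dst_ip, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


def first_match(rules: List[Rule], src: str, dst: str,
                dport: Optional[int] = None, default: str = "block") -> str:
    """Return the action of the first rule matching the packet.
    If nothing matches, fall back to an assumed implicit default deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


def opt_rules(classroom: IPv4Network) -> List[Rule]:
    """Ruleset for one OPT (classroom) interface, in the order the reply suggests."""
    return [
        Rule("pass", classroom, BACKBONE),   # classroom -> backbone allowed
        Rule("block", ANY, PRIVATE_16),      # everything else into 192.168/16 denied
        Rule("pass", ANY, ANY),              # Internet access (or proxy) allowed
    ]


def misordered_opt_rules(classroom: IPv4Network) -> List[Rule]:
    """Same three rules with the deny placed first: the backbone permit is
    shadowed and never reached, which is the classic first-match mistake."""
    return [
        Rule("block", ANY, PRIVATE_16),
        Rule("pass", classroom, BACKBONE),   # unreachable
        Rule("pass", ANY, ANY),
    ]


def wan_rules() -> List[Rule]:
    """WAN interface: only HTTPS from the admin range to the firewall itself."""
    return [Rule("pass", ADMIN_NET, WAN_IP, dport=443)]


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules fully covered by an earlier rule with the same or a
    broader match; such rules can never be the first match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_port = earlier.dport is None or earlier.dport == later.dport
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and covers_port):
                out.append(i)
                break
    return out


if __name__ == "__main__":
    c202 = CLASSROOMS[202]
    print("202 -> backbone:", first_match(opt_rules(c202), "192.168.202.10", "192.168.0.5"))
    print("202 -> 204     :", first_match(opt_rules(c202), "192.168.202.10", "192.168.204.5"))
    print("202 -> Internet:", first_match(opt_rules(c202), "192.168.202.10", "203.0.113.10"))
    print("misordered, shadowed rule indexes:", shadowed_rules(misordered_opt_rules(c202)))
```

Running the script shows the intended ruleset passing classroom-to-backbone and classroom-to-Internet traffic while blocking classroom-to-classroom traffic, and `shadowed_rules` flags the permit that the misordered variant can never reach; a quick check like this is worth doing whenever a broad deny sits above a narrower permit.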