 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall ruleset
 Date:  Fri, 12 May 2006 23:11:59 -0400
On 5/12/06, Alexander Schaber <uranellus at gmx dot net> wrote:
> But I'm not exactly sure how to set up the firewall rule on the m0n0 box
> set in order to fit my needs:
>    * Allowing Traffic from the classroom subnets (205,202,204,210) to
> the backbone

Put in an appropriate rule on each OPT interface permitting that IP
subnet to the backbone network.

>    * Blocking Traffic between the subnets (e.g. cannot
>      access

In this case, you'll probably want to permit traffic to the Internet,
so you'll probably want to end with a "permit any any" rule.  So, on
each OPT interface, put in a permit rule for, then I'd
put in a deny any to destination after that (rules are
first match, processed top to bottom).  Then follow that with a permit
all any to any, if you need to let Internet access through (ideally
you'd put a proxy server on your backbone subnet, and only allow the
clients to talk to that proxy server, and let it talk out to the

>    * Allowing DNS, HTTP(S) from the WAN interface.

Put in a firewall rule on the WAN allowing HTTPS from the appropriate
source IPs.

> Is it a good idea to also NAT the classroom subnets 205,202,204,210 ?

If your backbone network is indeed private IPs as you show, I would
disable NAT on the m0n0wall in that picture (see the FAQ for info on
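A constructed illustration of the first-match, top-to-bottom ordering the reply relies on (added here; not code from the thread or from m0n0wall). The reply elides the exact networks, so the 192.168.N.0/24 classroom prefixes, the 192.168.1.0/24 backbone, and "other classroom subnets" as the blocked destinations are assumptions; the `shadowed` check shows why a "permit any any" placed before the deny rules silently defeats them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the thread names classroom subnets 202, 204, 205
# and 210 but not their full prefixes, so 192.168.N.0/24 and a 192.168.1.0/24
# backbone are assumptions for this example.
CLASSROOMS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in (202, 204, 205, 210)]
BACKBONE = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def opt_ruleset(classroom):
    """Rules for one OPT interface, in the order the reply recommends:
    permit to backbone, block the other classrooms, then permit any any."""
    rules = [Rule("pass", classroom, BACKBONE)]
    rules += [Rule("block", classroom, o) for o in CLASSROOMS if o != classroom]
    rules.append(Rule("pass", ANY, ANY))  # Internet access for the classroom
    return rules


def evaluate(rules, src, dst):
    """First matching rule wins, top to bottom; nothing matched -> block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "block"


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every source and destination they match (a misordering check)."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.src.supernet_of(later.src) and earlier.dst.supernet_of(later.dst):
                dead.append(j)
                break
    return dead
```

Moving the final "pass any any" rule to the top makes `shadowed` report every block rule as dead, and inter-classroom traffic that should be denied is passed.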