On 5/12/06, Alexander Schaber <uranellus at gmx dot net> wrote:
>
> But I'm not exactly sure how to set up the firewall rule on the m0n0 box
> set in order to fit my needs:
>
> * Allowing Traffic from the classroom subnets (205,202,204,210) to
> the backbone

Put in an appropriate rule on each OPT interface permitting that IP subnet to the backbone network.

> * Blocking Traffic between the subnets (e.g. 192.168.202.0/24 cannot
> access 192.168.168.204.0/24)

In this case, you'll probably want to permit traffic to the Internet, so you'll probably want to end with a "permit any any" rule. So, on each OPT interface, put in a permit rule for 192.168.0.0/24, then I'd put in a deny any to destination 192.168.0.0/16 after that (rules are first match, processed top to bottom). Then follow that with a permit all any to any, if you need to let Internet access through (ideally you'd put a proxy server on your backbone subnet, and only allow the clients to talk to that proxy server, and let it talk out to the Internet).

> * Allowing DNS, HTTP(S) from the WAN interface.
>

Put in a firewall rule on the WAN allowing HTTPS from the appropriate source IPs.

> Is it a good idea to also NAT the classroom subnets 205,202,204,210 ?
>

If your backbone network is indeed private IPs as you show, I would disable NAT on the m0n0wall in that picture (see the FAQ for info on that).

-Chris
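The reply above hinges on first-match, top-to-bottom rule processing: permit classroom-to-backbone, deny the rest of 192.168.0.0/16, then permit everything else. The following is an added example, not part of the thread and not m0n0wall code. It models that evaluation order in plain Python so the intended policy (each classroom reaches the backbone and the Internet, but no other classroom) can be checked before it is typed into the OPT interface rule tabs, and it shows what happens when the permit-any rule is placed first. The addressing (backbone 192.168.0.0/24, classrooms 192.168.{205,202,204,210}.0/24, one OPT interface per classroom) is assumed from the thread, and 203.0.113.10 is a constructed stand-in for an Internet host.

```python
"""Model of first-match firewall rule evaluation for the classroom/backbone
layout discussed in the thread.  Constructed example; the subnets are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Net
    dst: IPv4Net
    note: str = ""


ANY = ipaddress.ip_network("0.0.0.0/0")
# Assumed addressing built from the thread: a 192.168.0.0/24 backbone and
# classroom subnets 192.168.{205,202,204,210}.0/24, each on its own OPT interface.
BACKBONE = ipaddress.ip_network("192.168.0.0/24")
ALL_PRIVATE_192 = ipaddress.ip_network("192.168.0.0/16")
CLASSROOMS = {
    "OPT1": ipaddress.ip_network("192.168.205.0/24"),
    "OPT2": ipaddress.ip_network("192.168.202.0/24"),
    "OPT3": ipaddress.ip_network("192.168.204.0/24"),
    "OPT4": ipaddress.ip_network("192.168.210.0/24"),
}


def recommended_rules(classroom: IPv4Net) -> List[Rule]:
    """Order recommended in the reply: permit to backbone, deny rest of 192.168/16, permit any."""
    return [
        Rule("pass", classroom, BACKBONE, "classroom -> backbone"),
        Rule("block", classroom, ALL_PRIVATE_192, "no inter-classroom traffic"),
        Rule("pass", classroom, ANY, "Internet access"),
    ]


def misordered_rules(classroom: IPv4Net) -> List[Rule]:
    """The same three rules with the permit-any placed first; it shadows the deny."""
    recommended = recommended_rules(classroom)
    return [recommended[2], recommended[0], recommended[1]]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First match wins, top to bottom; no match falls through to the implicit default block."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.note
    return "block", "implicit default deny"


def policy_violations(rule_builder: Callable[[IPv4Net], List[Rule]]) -> List[str]:
    """Check every classroom against the stated intent; return readable failures (empty = OK)."""
    failures: List[str] = []
    backbone_host = str(BACKBONE[10])
    internet_host = "203.0.113.10"   # constructed (TEST-NET-3) stand-in for an Internet host
    for name, net in CLASSROOMS.items():
        rules = rule_builder(net)
        client = str(net[10])
        if evaluate(rules, client, backbone_host)[0] != "pass":
            failures.append(f"{name}: client cannot reach backbone")
        if evaluate(rules, client, internet_host)[0] != "pass":
            failures.append(f"{name}: client cannot reach Internet")
        for other_name, other in CLASSROOMS.items():
            if other == net:
                continue
            if evaluate(rules, client, str(other[20]))[0] != "block":
                failures.append(f"{name}: client can reach {other_name}")
    return failures


if __name__ == "__main__":
    print("recommended order:", policy_violations(recommended_rules) or "OK")
    print("permit-any first:", policy_violations(misordered_rules))
```

Run it and the recommended order produces no violations, while the misordered set reports every classroom reaching every other classroom: the permit-any rule matches first and the deny underneath it is never consulted. The same check is worth re-running whenever a rule is added to an OPT interface, since a new permit inserted above the deny reopens the inter-classroom path.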