 From:  Alexander Schaber <uranellus at gmx dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall ruleset
 Date:  Sat, 13 May 2006 08:34:10 +0200
If I want to select the backbone as a destination, I cannot do this by 
choosing "wan address" on the screen? 'cause that would only permit 
traffic to the WAN address of m0n0, right?
>>    * Allowing Traffic from the classroom subnets (205,202,204,210) to
>> the backbone
> Put in an appropriate rule on each OPT interface permitting that IP
> subnet to the backbone network.
Alias: backbone = 192.168.0.0/24

type  interf  source  destination
pass  lan     lan     backbone
pass  opt1    opt1    backbone
pass  opt2    opt2    backbone
pass  opt3    opt3    backbone

>>    * Blocking Traffic between the subnets (e.g. 192.168.202.0/24 cannot
>>      access 192.168.168.204.0/24)
> In this case, you'll probably want to permit traffic to the Internet,
> so you'll probably want to end with a "permit any any" rule.  So, on
> each OPT interface, put in a permit rule for 192.168.0.0/24, then I'd
> put in a deny any to destination 192.168.0.0/16 after that (rules are
> first match, processed top to bottom).  Then follow that with a permit
> all any to any, if you need to let Internet access through (ideally
> you'd put a proxy server on your backbone subnet, and only allow the
> clients to talk to that proxy server, and let it talk out to the
> Internet).
type  interf  source  destination
deny  lan     lan     192.168.0.0/16
deny  opt1    opt1    192.168.0.0/16
deny  opt2    opt2    192.168.0.0/16
deny  opt3    opt3    192.168.0.0/16

I'll comment on the proxy later.
>>    * Allowing DNS, HTTP(S) from the WAN interface.
> Put in a firewall rule on the WAN allowing HTTPS from the appropriate
> source IP's.
type  interf  source    destination  prot     ports
pass  wan     backbone  wan address  tcp,udp  22,53,80,443
>> Is it a good idea to also NAT the classroom subnets 205,202,204,210 ?
> If your backbone network is indeed private IP's as you show, I would
> disable NAT on the m0n0wall in that picture (see the FAQ for info on
> that).
Alright, thanks :)
> -Chris
The complete table would look like (sorted by interface):

    type  interf  source    destination  prot     ports
---------------------------------------------------------------
    pass  lan     lan       backbone
    deny  lan     lan       192.168.0.0/16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    pass  opt1    opt1      backbone
    deny  opt1    opt1      192.168.0.0/16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    pass  opt2    opt2      backbone
    deny  opt2    opt2      192.168.0.0/16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    pass  opt3    opt3      backbone
    deny  opt3    opt3      192.168.0.0/16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    pass  wan     backbone  wan address  tcp,udp  22,53,80,443

Is it still possible to access m0n0wall's web interface from all subnets?


Concerning the proxy:

    We do have a proxy on the backbone (192.168.0.3), it's also in the
    picture :)

    Our teachers wanted to have the possibility to allow/deny access to
    the internet as well as to the fileserver.

    I'm sure this is not the best way, but it was somewhat the easiest
    for me. I've changed the m0n0 source and built my own m0n0 with
    some changed features:

        * Added a second (public) httpd with its own files on port 80
          and moved the admin interface to https.
        * The teachers' PCs get static IPs from m0n0.
        * On the public web interface there is an authentication by IP.
          The teacher has the possibility to add / remove rules (Note:
          I'm using ipfw for this) in order to allow/deny traffic to the
          proxy or the fileserver. As they are the same PC (same IP) I'm
          blocking the specific ports for each service. The students
          only see a read-only version.
        * Also on the public web interface there is a little file
          wpad.dat / proxy.pac which is served to the browsers
          throughout the network by DNS (m0n0 is aka wpad.our.domain)
          and by DHCP options. But WPAD is a story of its own.
              o Just what it does: telling the browser to use a direct
                connection for anything within the local network
                (192.168.0.0/16) and to use the proxy for any connection
                that goes somewhere else.

    I'm aware of the security holes in this solution:

        * Of course, if students turn off the automatic proxy detection,
          they could surf the web directly, but I'll probably add
          another rule denying traffic to the gateway, as there is no
          need for a direct connection. I guess this is what you
          already suggested.
        * If they assign themselves the teacher's IP they could
          access the r/w web interface.

Many thanks and greetings
    Alexander Schaber
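A small first-match evaluator for one classroom column of the ruleset discussed in this thread, as an added example (not code from the mail or from m0n0wall): it assumes opt1 is the 192.168.202.0/24 classroom, appends the trailing permit-any rule Chris described, and shows why "pass to backbone" has to sit above "deny to 192.168.0.0/16".

```python
import ipaddress

# Constructed model of the opt1 rules from the mail. m0n0wall evaluates
# rules first match, top to bottom, and denies anything unmatched.
BACKBONE = ipaddress.ip_network("192.168.0.0/24")
SITE = ipaddress.ip_network("192.168.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
OPT1 = ipaddress.ip_network("192.168.202.0/24")  # assumption: classroom 202

# (action, source network, destination network)
OPT1_RULES = [
    ("pass", OPT1, BACKBONE),   # classroom -> backbone
    ("deny", OPT1, SITE),       # classroom -> any other classroom
    ("pass", OPT1, ANY),        # trailing "permit any" for Internet access
]

# Same rules with the deny moved above the pass: the backbone is caught
# by the /16 deny before the /24 pass is ever reached.
SWAPPED_RULES = [OPT1_RULES[1], OPT1_RULES[0], OPT1_RULES[2]]


def evaluate(rules, src, dst, default="deny"):
    """Return the action of the first rule whose source and destination
    networks both contain the packet; fall back to the interface default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in rules:
        if src_ip in s_net and dst_ip in d_net:
            return action
    return default


def check_matrix(rules, src="192.168.202.10"):
    """Evaluate the three destinations the thread cares about for one host:
    the proxy on the backbone, a host in another classroom, the Internet."""
    targets = {
        "backbone_proxy": "192.168.0.3",
        "other_classroom": "192.168.204.5",
        "internet": "203.0.113.7",  # constructed external address
    }
    return {name: evaluate(rules, src, ip) for name, ip in targets.items()}


if __name__ == "__main__":
    print("as in the mail:", check_matrix(OPT1_RULES))
    print("deny above pass:", check_matrix(SWAPPED_RULES))
    # A packet whose source is not the opt1 subnet matches no rule at all.
    print("spoofed source:", evaluate(OPT1_RULES, "10.9.9.9", "192.168.0.3"))
```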