 From:  Christoph Hanle <christoph dot hanle at leinpfad dot de>
 To:  Alexander Schaber <uranellus at gmx dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall ruleset
 Date:  Sat, 13 May 2006 14:42:41 +0200
Alexander Schaber wrote:
referring also to my PM,
[...]

> The complete table would look like (sorted by interface):
> 
>    type  interf  source    destination  prot     ports
> ---------------------------------------------------------------
>    pass  lan     lan       backbone
>    deny  lan     lan       192.168.0.0/16

my solution:

     type  interf  source    destination    prot     ports
 1.  pass  lan     lan       0.0.0.0        ICMP
 2.  pass  lan     AdminPC   192.168.205.1  TCP      443
 3.  pass  lan     lan       192.168.205.1  TCP      80
 4.  pass  lan     lan       192.168.205.1  UDP      53
 5.  pass  lan     lan       192.168.205.1  UDP      S67-D68
 6.  pass  lan     lan       192.168.205.1  UDP      137/138
 7.  deny  lan     lan       192.168.205.1  all      all /log
 8.  pass  lan     lan       192.168.0.3    TCP      mail/proxy/file
 9.  deny  lan     lan       192.168.0.3    TCP      80 / no log
10.  pass  lan     AdminPC   all Switches            Management
11.  deny  lan     lan       0.0.0.0        all      all /log

Description:
1. ICMP is imho a must.
2. Allow full management of the firewall only from a dedicated PC.
3. HTTP (WCAP)
4. DNS
5. DHCP
6. NetBIOS broadcasts should not be in the logfiles.
7. The last rule for access to the firewall.
8. Allowed access to the server; create all rules.
9. WinXP sometimes uses port 80 for NetBIOS; not used, but do not log.
10. If you use managed switches, create all rules.
11. Last rule.

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>    pass  opt1    opt1      backbone
>    deny  opt1    opt1      192.168.0.0/16
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>    pass  opt2    opt2      backbone
>    deny  opt2    opt2      192.168.0.0/16
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>    pass  opt3    opt3      backbone
>    deny  opt3    opt3      192.168.0.0/16
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>    pass  opt1    opt1      backbone
>    deny  opt1    opt1      192.168.0.0/16
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
See the LAN rules.

>    pass  wan     backbone  wan address  tcp,udp  22,53,80,443

Oh no, use:
      deny  wan    0.0.0.0 all /log

On your server 192.168.0.3 use 192.168.0.2 as gateway and create static 
routes to LAN1, OPT1, OPT2, OPT3 to 192.168.0.100.
You may also have to create static routes on your gateway.
> 
> Is it still possible to access m0n0wall's web interface from all subnets?
Yes, you have to create adequate rules; see rules 2 and 3.

[..]

I see a big problem with m0n0wall for your usage:
file access through m0n0 to 192.168.0.3.
You will never reach the performance of a switch or a "real"
router. NICs from Intel or 3Com and a P4 1.6 or better processor
are a must. Test this before going live.

bye
Christoph

> Many thanks and greetings
>    Alexander Schaber
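The LAN ruleset above depends on first-match ordering (rule 7 must sit below the firewall "pass" rules and above the server rules, rule 9 below rule 8). As an added example that is not part of the thread, this small evaluator encodes those rules and checks which one a given packet hits; it assumes top-down first-match evaluation, an implicit logged deny for packets matching nothing, a LAN subnet of 192.168.205.0/24, an AdminPC at 192.168.205.10, and ports 25/3128/445 for "mail/proxy/file" (none of which the mail states).

```python
import ipaddress
from dataclasses import dataclass

# Address plan: 192.168.205.1 (firewall LAN side) and 192.168.0.3 (server) come
# from the thread; the LAN subnet and the AdminPC address are constructed assumptions.
LAN = ipaddress.ip_network("192.168.205.0/24")
ADMIN_PC = ipaddress.ip_network("192.168.205.10/32")
FW_LAN = ipaddress.ip_network("192.168.205.1/32")
SERVER = ipaddress.ip_network("192.168.0.3/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    num: int                 # rule number as listed in the mail
    action: str              # "pass" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp", "udp", "icmp" or "any"
    dports: frozenset        # destination ports; empty means any port
    log: bool = False

def matches(rule, src, dst, proto, dport):
    return (src in rule.src and dst in rule.dst
            and rule.proto in ("any", proto)
            and (not rule.dports or dport in rule.dports))

def evaluate(rules, src, dst, proto, dport=None):
    """Return (rule number, action, logged) for the first matching rule,
    top-down; no match falls through to an implicit logged deny (assumed)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, src, dst, proto, dport):
            return r.num, r.action, r.log
    return None, "deny", True

# Rules 1-9 and 11 from the mail; rule 10 (switch management) is left out
# because no switch addresses are given. DHCP is simplified to destination ports.
LAN_RULES = [
    Rule(1, "pass", LAN, ANY, "icmp", frozenset()),
    Rule(2, "pass", ADMIN_PC, FW_LAN, "tcp", frozenset({443})),
    Rule(3, "pass", LAN, FW_LAN, "tcp", frozenset({80})),
    Rule(4, "pass", LAN, FW_LAN, "udp", frozenset({53})),
    Rule(5, "pass", LAN, FW_LAN, "udp", frozenset({67, 68})),
    Rule(6, "pass", LAN, FW_LAN, "udp", frozenset({137, 138})),
    Rule(7, "deny", LAN, FW_LAN, "any", frozenset(), log=True),
    Rule(8, "pass", LAN, SERVER, "tcp", frozenset({25, 3128, 445})),  # assumed ports
    Rule(9, "deny", LAN, SERVER, "tcp", frozenset({80})),
    Rule(11, "deny", LAN, ANY, "any", frozenset(), log=True),
]
```

Swapping rules 7 and 8 in the list, or moving rule 9 above rule 8, changes the results for the server checks; that is the ordering dependency the numbered list relies on.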