 From:  Alexander Schaber <uranellus at gmx dot net>
 To:  Christoph Hanle <christoph dot hanle at leinpfad dot de>, cbuechler at gmail dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall ruleset
 Date:  Wed, 17 May 2006 20:31:56 +0200
Thank you very much for your proposals!

After considering the two possibilities and checking them for usability 
and flexibility, we've decided to use the following configuration.
I am aware that it offers less security than Christoph's solution.

Note: backbone = alias for 192.168.0.0/24

LAN, OPT1, OPT2, OPT3:

    pass any from <if subnet> to <if subnet>
    pass any from <if subnet> to backbone
    reject any from <if subnet> to ! backbone (log)

WAN:

    pass any from backbone to backbone
    reject any from backbone to ! backbone (log)

Just to make sure that everything we need is included:

    * Block access from one subnet to any other than backbone
    * Block direct access to the Internet (only through proxy that lies
      in the backbone)
    * Allow all traffic within subnets or to the backbone

Two last questions about the current rule set:

    * Is there a chance of getting from the Internet through to one of
      the "inner subnets" (e.g. lan, opt1-3)? In other words, are the
      inner subnets more or less protected?
    * Is there a chance of getting from one subnet into another? (I've
      tried some simple tests and they were positive, in the sense that I
      couldn't get through.) I guess the second question somehow
      includes the first one.


Thank you once again for your support,

greetings
    Alexander Schaber
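An added example, not from Alexander's post or from m0n0wall itself: a small first-match evaluator that encodes the rule set above and checks it against the three policy bullets and the two questions. It assumes that m0n0wall evaluates rules first-match per incoming interface and that a packet matching no rule is dropped by the implicit default deny; the LAN/OPT1-3 subnet addresses are constructed sample values, only the backbone alias comes from the post.

```python
import ipaddress

# Rule model: (action, (src_net, src_negated), (dst_net, dst_negated)).
# "! backbone" from the post is expressed as (BACKBONE, True).
BACKBONE = ipaddress.ip_network("192.168.0.0/24")  # alias from the post

# Constructed sample subnets for the inner interfaces (not from the post).
INNER = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),
    "OPT2": ipaddress.ip_network("192.168.3.0/24"),
    "OPT3": ipaddress.ip_network("192.168.4.0/24"),
}

# Per-interface rule sets exactly as listed in the post, in the post's order.
RULESETS = {
    name: [
        ("pass",   (net, False), (net, False)),        # within own subnet
        ("pass",   (net, False), (BACKBONE, False)),   # to backbone
        ("reject", (net, False), (BACKBONE, True)),    # to anything else (log)
    ]
    for name, net in INNER.items()
}
RULESETS["WAN"] = [
    ("pass",   (BACKBONE, False), (BACKBONE, False)),
    ("reject", (BACKBONE, False), (BACKBONE, True)),   # (log)
]


def evaluate(iface, src, dst):
    """Return the action for a packet entering `iface` from src to dst.

    Assumption: first matching rule wins; no match means default deny.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, (snet, sneg), (dnet, dneg) in RULESETS[iface]:
        if (src in snet) != sneg and (dst in dnet) != dneg:
            return action
    return "default-deny"


def policy_report():
    """Check the three requirements from the post against the rule model."""
    lan = "192.168.1.10"
    return {
        "subnet_to_subnet_blocked": evaluate("LAN", lan, "192.168.2.10") != "pass",
        "direct_internet_blocked":  evaluate("LAN", lan, "198.51.100.7") != "pass",
        "backbone_allowed":         evaluate("LAN", lan, "192.168.0.5") == "pass",
        "inet_to_inner_blocked":    evaluate("WAN", "203.0.113.9", lan) != "pass",
    }
```

The report answers only what the listed rules say; the WAN result rests on the default-deny assumption, since an Internet source matches neither WAN rule.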