Rules are for inbound to the interface only.
You can simplify the rules that you have by blocking all sources to UDP
1900 on each interface.
Instead of applying this to your WISP interface:
Block | UDP | WISP net | * | * | 1900 | Block UPnP
Just apply this:
Block | UDP | * | * | * | 1900 | Block UPnP
The same goes for your LAN interface.
This simplifies the sorting that must go on with the rule before it's
processed, and it prevents randomly IP'd machines (say, in martian
subnets) from broadcasting stuff outbound.
You might want to have these rules at the bottom of any local interface,
since the policy is to default deny anyways:
WISP Interface:
Penultimate) Permit | ANY | WISP net | * | * | * | Permit WISP Net Out
Ultimate) Block and Log | ANY | * | * | * | * | Beware all packets ye who enter here
LAN Interface:
Penultimate) Permit | ANY | LAN | * | * | * | Permit LAN Out
Ultimate) Block and Log | ANY | * | * | * | * | Beware all packets ye who enter here
Bob Young wrote:
> I have a LAN port, a WISP port, and a WAN port on my WRAP 1E-2 board.
>
> For the firewall, on each of my LAN and WISP Interfaces I have the following
> rule (except for the LAN, I have "LAN net", in place of "WISP net"):
>
> UDP | WISP net | * | * | 1900 | Block UPnP
>
> Can this rule be put on the WAN interface to stop outgoing UPnP data on port
> 1900 from the LAN and WISP interfaces, with just one rule?
>
> If so, would the following rule be correct for a WAN rule ?
>
> UDP | * | * | * | 1900 | Block UPnP
>
> Maybe since I'm using "*" for both source and destination, maybe it will
> work for both incoming and outgoing on both the LAN and WISP interfaces?
>
> Thanks much,
>
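As an added illustration of the two points made in the reply (rules only see traffic entering the interface they are attached to, and a source of `*` catches packets that a "LAN net"-scoped rule lets fall through), here is a small first-match rule evaluator. It is not code from the thread or from the firewall product discussed; the interface names, the 192.168.1.0/24 LAN subnet, the 10.99.0.5 martian source and the sample packets are all constructed for the example.

```python
"""Added example: a toy first-match firewall evaluator modelling the
per-interface rule ordering discussed in the thread.  All addresses,
interface names and packets below are constructed, not a real config."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Dict, List, Tuple


@dataclass
class Rule:
    action: str            # "block", "permit" or "block+log"
    proto: str             # "udp", "tcp" or "any"
    src: str               # CIDR such as "192.168.1.0/24", or "*" for any
    dport: Optional[int]   # destination port, None means any port
    label: str


@dataclass
class Packet:
    ingress: str   # interface the packet arrives on (rules are inbound-only)
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every one of its fields matches the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "*":
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; nothing matching means default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


def firewall(rulesets: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, str]:
    """Only the ruleset of the ingress interface is consulted, so a rule
    placed on WAN never sees a packet that enters through LAN."""
    return evaluate(rulesets.get(pkt.ingress, []), pkt)


LAN_NET = "192.168.1.0/24"   # constructed LAN subnet
LOG_LABEL = "Beware all packets ye who enter here"

# The original poster's version: UPnP block scoped to "LAN net".
LAN_RULES_SCOPED = [
    Rule("block", "udp", LAN_NET, 1900, "Block UPnP"),
    Rule("permit", "any", LAN_NET, None, "Permit LAN Out"),
    Rule("block+log", "any", "*", None, LOG_LABEL),
]

# The suggested simplification: same rules, but the UPnP block uses source "*".
LAN_RULES_ANY_SRC = [
    Rule("block", "udp", "*", 1900, "Block UPnP"),
    Rule("permit", "any", LAN_NET, None, "Permit LAN Out"),
    Rule("block+log", "any", "*", None, LOG_LABEL),
]

# A WAN ruleset carrying the UPnP block, as the poster asked about.
WAN_RULES = [Rule("block", "udp", "*", 1900, "Block UPnP")]

# Constructed sample traffic, all entering on the LAN interface.
SAMPLES = {
    "lan_upnp": Packet("LAN", "udp", "192.168.1.20", "239.255.255.250", 1900),
    "martian_upnp": Packet("LAN", "udp", "10.99.0.5", "239.255.255.250", 1900),
    "lan_web": Packet("LAN", "tcp", "192.168.1.20", "203.0.113.10", 80),
    "martian_web": Packet("LAN", "tcp", "10.99.0.5", "203.0.113.10", 80),
}


def compare(name: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Return (verdict under scoped rules, verdict under any-source rules)."""
    pkt = SAMPLES[name]
    return evaluate(LAN_RULES_SCOPED, pkt), evaluate(LAN_RULES_ANY_SRC, pkt)


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, compare(name))
    # The WAN-only rule never sees LAN ingress traffic: default deny instead.
    print("wan-only:", firewall({"WAN": WAN_RULES}, SAMPLES["lan_upnp"]))
```

Running it shows the difference the reply describes: a UPnP packet from a martian source on LAN reaches the final block-and-log rule under the "LAN net"-scoped set, but is caught early by the `*`-source block under the simplified set; ordinary LAN traffic is permitted either way, and a rule placed only on WAN never matches a packet entering on LAN, which is why the one-rule-on-WAN idea does not work.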