 From:  "Bob Young" <bob at lavamail dot net>
 To:  "'krt'" <kkrrtt at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] LAN/WISP block or WAN block ?
 Date:  Mon, 31 Jul 2006 10:55:05 -0400
Hi krt:

Thank you so much for your help:

I didn't know that the firewall blocking rules were inbound only to the
interface.  

I'm just learning the M0n0wall firewall, and I had someone on a forum tell me
that I could apply an outgoing firewall rule on the M0n0wall WAN port (in
order to save on the number of rules on my LAN and WISP ports).  His idea to
save on the number of rules sure sounded good, but it looks like he was
wrong.

I understand from you that trying to put an outbound firewall rule on the
WAN port won't work.  I wonder if other firewalls allow outbound rules to
the WAN ports?  Probably not.  

I thank you for letting me know M0n0wall rules are for inbound to the
interface only.

I will do outbound destination blocking to port 1900, by making use of
inbound blocking on the LAN and WISP interfaces.  I'll also make use of the
"*" for my source IP address (in order to simplify the sorting). That sounds
like a very good idea.

Port 1900 blocking was just an example.  I'm going to also be blocking ports
445, 135-139, 593 and 5000... I understand data flowing to these ports can be
detrimental to my network.  Is there a list that is frequently updated in
order for people to know what ports to block outbound?  I figure more bad
ports can pop up and people may not know to block them, unless there is a
recent accurate list.

Thank you krt for your reply,

Bob Young

P.S.  The more I learn about M0n0wall, the more I like it.

-----Original Message-----
From: krt [mailto:kkrrtt at gmail dot com] 
Sent: Monday, July 31, 2006 1:41 AM
To: Bob Young
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] LAN/WISP block or WAN block ?

Rules are for inbound to the interface only.

You can simplify the rules that you have by blocking all sources to UDP 
1900 on each interface.

Instead of applying this to your WISP interface:
Block | UDP | WISP net | * | * | 1900 | Block UPnP

Just apply this:
Block | UDP | * | * | * | 1900 | Block UPnP

The same goes for your LAN interface.

This simplifies the sorting that must go on with the rule before it's 
processed, and it prevents randomly IP'd machines (say, in martian 
subnets) from broadcasting stuffs outbound.



You might want to have these rules at the bottom of any local interface, 
since the policy is to default deny anyways:

WISP Interface:
Penultimate) Permit | ANY | WISP net | * | * | * | Permit WISP Net Out

Ultimate) Block and Log  | ANY | * | * | * | * | Beware all packets ye 
who enter here



LAN Interface:
Penultimate) Permit | ANY | LAN | * | * | * | Permit LAN Out

Ultimate) Block and Log  | ANY | * | * | * | * | Beware all packets ye 
who enter here


Bob Young wrote:
> I have a LAN port, a WISP port, and a WAN port on my WRAP 1E-2 board.
> 
> For the firewall, on each of my LAN and WISP Interfaces I have the following
> rule (except for the LAN, I have "LAN net", in place of "WISP net"):
> 
> UDP | WISP net | * | * | 1900 | Block UPnP 
> 
> 
> Can this rule be put on the WAN interface to stop outgoing UPnP data on port
> 1900 from the LAN and WISP interfaces, with just one rule?
> 
> If so, would the following rule be correct for a WAN rule ?
> 
> 
> 
> UDP | * | * | * | 1900 | Block UPnP
> 
> Maybe since I'm using "*" for both source and destination, maybe it will
> work for both incoming and outgoing on both the LAN and WISP interfaces?
> 
> 
> Thanks much,
> 
>
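Added example (not from this thread or from the m0n0wall project): a toy first-match evaluator for rule lines written in the thread's "Action | Proto | Src | SrcPort | Dst | DstPort | Desc" layout, modelling krt's point that a rule is only consulted on the interface a packet enters, so a block placed on WAN never sees traffic arriving from LAN. The "LAN net"/"WISP net" address ranges and the sample packets are constructed.

```python
import ipaddress

# Constructed stand-ins for m0n0wall's "LAN net" / "WISP net" aliases.
NETS = {"LAN net": ipaddress.ip_network("192.168.1.0/24"),
        "WISP net": ipaddress.ip_network("192.168.2.0/24")}

def parse_rule(line):
    """Parse one 'Action | Proto | Src | SrcPort | Dst | DstPort | Desc' line."""
    action, proto, src, sport, dst, dport, desc = [f.strip() for f in line.split("|")]
    return {"action": action.split()[0].lower(), "proto": proto.upper(),
            "src": src, "sport": sport, "dst": dst, "dport": dport, "desc": desc}

def match_addr(spec, addr):
    if spec == "*":
        return True
    net = NETS[spec] if spec in NETS else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net

def match_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # accepts "1900" or "135-139"
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    return (rule["proto"] in ("ANY", pkt["proto"])
            and match_addr(rule["src"], pkt["src"]) and match_port(rule["sport"], pkt["sport"])
            and match_addr(rule["dst"], pkt["dst"]) and match_port(rule["dport"], pkt["dport"]))

def evaluate(rulesets, pkt):
    """First match wins, and only the ruleset of the interface the packet ENTERS on
    is consulted; rules on the egress interface (e.g. WAN) never see it.
    No match falls through to the implicit default deny."""
    for rule in rulesets.get(pkt["in_if"], []):
        if matches(rule, pkt):
            return rule["action"], rule["desc"]
    return "block", "implicit default deny"

RULESETS = {
    "WISP": [parse_rule(l) for l in (
        "Block | UDP | * | * | * | 1900 | Block UPnP",
        "Permit | ANY | WISP net | * | * | * | Permit WISP Net Out",
        "Block and Log | ANY | * | * | * | * | Beware all packets ye who enter here")],
    # LAN relies on a block placed on WAN, as the original question proposed.
    "LAN": [parse_rule("Permit | ANY | LAN net | * | * | * | Permit LAN Out")],
    "WAN": [parse_rule("Block | UDP | * | * | * | 1900 | Block UPnP")],
}
```

A LAN host sending to UDP 1900 is permitted by the LAN ruleset and the WAN block is never reached, while the same packet entering on WISP hits "Block UPnP"; a host with an address outside "WISP net" falls to the logged catch-all.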