 
 From:  "Bob Young" <bob at lavamail dot net>
 To:  "'krt'" <kkrrtt at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: FW: [m0n0wall] LAN/WISP block or WAN block ?
 Date:  Tue, 1 Aug 2006 23:19:46 -0400
Hi krt:

I'll be glad to help you with the little WiFi knowledge I have.  All my WiFi
installs have gone real well.  The largest is a 211 room hotel, with big
pool area and 4 big floors of meeting rooms.  I put 11 APs in there.  It is
operating very stable.  

I have done about 45 hotel site surveys.  The site survey is super
important.  I might be able to give you a few tips there.

Thank you so much for your info on Monowall.

Everyone that I have met on the Monowall lists has been real nice to me.
Thanks to everybody.

Bob

-----Original Message-----
From: krt [mailto:kkrrtt at gmail dot com] 
Sent: Tuesday, August 01, 2006 10:15 PM
To: Bob Young
Subject: Re: FW: [m0n0wall] LAN/WISP block or WAN block ?

Almost all of them are rule based.  Some get more granular, some let you 
apply them differently, some are quite fancy and depend more upon the 
routing table than specific interfaces, though there are times when it's 
handy to do specific interfaces instead of based off routes...

I'm still figuring out the traffic shaper, but it seems to be packet 
flow based (in and out) versus just in only.

Almost all traffic shaping is done on the WAN interface (your VOIP 
traffic goes over the internet, right?)

I might just ping you on the hotel/wifi thing - I've done a few 
installs, but none of them go terribly well.  Maybe that's just par for 
the course...


Bob Young wrote:
> Hi krt:
> 
> Thank you for your reply.
> 
> This Monowall is so much fun.  Although learning Monowall is taking me a
> while...lol.  I did print out the whole manual.  I take it to bed and read
> myself to sleep...lol.
> 
> Are most other high end firewalls rule-based, like Monowall?
> 
> This week I'm going to be tackling the Traffic Shaper.  Is Traffic Shaper
> also "inbound to the interface" like the firewall rules are?  I'm not so
> sure it is, since I see that "any, in, and out" is in the "direction" choice
> for Traffic Shaper. 
> 
> For instance I was going to prioritize my outgoing VoIP.  My VoIP telephone
> adapter is into my LAN interface.  But on the Monowall web site I saw
> an example for outgoing VoIP, showing WAN as the interface...not LAN.  That
> has me confused.
> 
> Thank you so much for your assistance.  If I can ever help you regarding
> information for wireless, feel free to ask.  I have done some WiFi in
> hotels, and know a little regarding WISP APs.  I have also worked with
> antennas for a long time.  So if I can ever help you, feel free to ask.
> 
> Thanks much,
> 
> Bob Young
> Mechanicsburg, PA 
> 
> -----Original Message-----
> From: krt [mailto:kkrrtt at gmail dot com] 
> Sent: Tuesday, August 01, 2006 1:23 PM
> To: Bob Young
> Subject: Re: FW: [m0n0wall] LAN/WISP block or WAN block ?
> 
> Dude, no big.
> 
> I've been doing firewalls in the pay-for-world for quite some time - 
> almost a decade now.
> 
> Thanks for the reply - much appreciated.
> 
> The best way to talk to a bunch of us is on irc.  I tend to skim the 
> mailing list and rarely touch the forums.  (I usually use the forums 
> to research a problem).  We hang on #pfsense and #m0n0wall on freenode
> 
> The easy way to be sure about what I'm saying (which is what I did to be 
> sure that I was saying it, I sometimes get firewalls confused):
> 
> 1) Ping a web site that you won't mind missing for your test.  Like, 
> www.toysrus.com  - don't despair if it doesn't ping, that's not what 
> you're after.  You want the IP address.  Ping is just the quickest way 
> to get that, imo :-).
> 
> 2) Take the IP address and make a rule on your WAN side that blocks tcp 
> port 80 (http) access to that IP.
> 
> 3) Put that IP in your browser, assuming that you're behind the 
> firewall, and try to hit it.  You should be able to.
> 
> 4) Try the rule the other way, where the toysrus.com IP is the source, 
> source port is 80 and the destination IP/ports are any.  It should still 
> work, though I didn't try this one.
> 
> Why does it work?
> 
> a) The rules are inbound only right now - maybe they'll add outbound.
> 
> b) The rules are stateful.  The item in 4 should work because it's 
> looking for a new session to block.  It's unlikely that toysrus.com will 
> be connecting to you, especially with a source port of tcp 80.  The rule 
> shouldn't block your existing (initiated from the inside) toysrus.com IP 
> web session.
> 
> 
> 
> Bob Young wrote:
>> Hi krt:
>>
>> May I humbly ask are you pretty sure about: "Rules are for inbound to the
>> interface only."  
>>
>> Reason I ask is I have had a couple people agree with you, and a couple
>> other people on another forum say they thought I could put the rule on the
>> WAN port.  
>>
>> I'm a firewall newbie, so I get confused with conflicting answers...lol.
>>
>> I'm very inclined to think you are correct...especially since you are from
>> the Monowall forum.  I don't yet know the different people on the forum
>> here.
>>
>> I don't mean to be disrespectful with my question.  I do appreciate your
>> kind help.
>>
>> Regards,
>>
>> Bob Young
>>
>> -----Original Message-----
>> From: Bob Young [mailto:bob at lavamail dot net] 
>> Sent: Monday, July 31, 2006 10:55 AM
>> To: 'krt'
>> Cc: 'm0n0wall at lists dot m0n0 dot ch'
>> Subject: RE: [m0n0wall] LAN/WISP block or WAN block ?
>>
>> Hi krt:
>>
>> Thank you so much for your help:
>>
>> I didn't know that the firewall blocking rules were inbound only to the
>> interface.  
>>
>> I'm just learning Monowall firewall, and I had someone on a forum tell me
>> that I could apply an outgoing firewall rule on the M0n0wall WAN port (in
>> order to save on the number of rules on my LAN and WISP ports).  His idea to
>> save on the number of rules sure sounded good, but it looks like he was
>> wrong.
>>
>> I understand from you that trying to put an outbound firewall rule on the
>> WAN port won't work.  I wonder if other firewalls allow outbound rules to
>> the WAN ports?  Probably not.  
>>
>> I thank you for letting me know M0n0wall rules are for inbound to the
>> interface only.
>>
>> I will do outbound destination blocking to port 1900, by making use of
>> inbound blocking on the LAN and WISP interfaces.  I'll also make use of the
>> "*" for my source IP address (in order to simplify the sorting). That sounds
>> like a very good idea.
>>
>> Port 1900 blocking was just an example.  I'm going to also be blocking ports
>> 445,135-139,593 and 5000...I understand data flowing to these ports can be
>> detrimental to my network.  Is there a list that is frequently updated in
>> order for people to know what ports to block outbound?  I figure more bad
>> ports can pop up and people may not know to block them, unless there is a
>> recent accurate list.
>>
>> Thank you krt for your reply,
>>
>> Bob Young
>>
>> P.S.  The more I learn about M0n0wall, the more I like it.
>>
>> -----Original Message-----
>> From: krt [mailto:kkrrtt at gmail dot com] 
>> Sent: Monday, July 31, 2006 1:41 AM
>> To: Bob Young
>> Cc: m0n0wall at lists dot m0n0 dot ch
>> Subject: Re: [m0n0wall] LAN/WISP block or WAN block ?
>>
>> Rules are for inbound to the interface only.
>>
>> You can simplify the rules that you have by blocking all sources to UDP 
>> 1900 on each interface.
>>
>> Instead of applying this to your WISP interface:
>> Block | UDP | WISP net | * | * | 1900 | Block UPnP
>>
>> Just apply this:
>> Block | UDP | * | * | * | 1900 | Block UPnP
>>
>> The same goes for your LAN interface.
>>
>> This simplifies the sorting that must go on with the rule before it's 
>> processed, and it prevents randomly IP'd machines (say, in martian 
>> subnets) from broadcasting stuffs outbound.
>>
>>
>>
>> You might want to have these rules at the bottom of any local interface, 
>> since the policy is to default deny anyways:
>>
>> WISP Interface:
>> Penultimate) Permit | ANY | WISP net | * | * | * | Permit WISP Net Out
>>
>> Ultimate) Block and Log  | ANY | * | * | * | * | Beware all packets ye 
>> who enter here
>>
>>
>>
>> LAN Interface:
>> Penultimate) Permit | ANY | LAN | * | * | * | Permit LAN Out
>>
>> Ultimate) Block and Log  | ANY | * | * | * | * | Beware all packets ye 
>> who enter here
>>
>>
>> Bob Young wrote:
>>> I have a LAN port, a WISP port, and a WAN port on my WRAP 1E-2 board.
>>>
>>> For the firewall, on each of my LAN and WISP Interfaces I have the following
>>> rule (except for the LAN, I have "LAN net", in place of "WISP net"):
>>>
>>> UDP | WISP net | * | * | 1900 | Block UPnP 
>>>
>>>
>>> Can this rule be put on the WAN interface to stop outgoing UPnP data on port
>>> 1900 from the LAN and WISP interfaces, with just one rule?
>>>
>>> If so, would the following rule be correct for a WAN rule ?
>>>
>>>
>>>
>>> UDP | * | * | * | 1900 | Block UPnP
>>>
>>> Since I'm using "*" for both source and destination, maybe it will
>>> work for both incoming and outgoing on both the LAN and WISP interfaces?
>>>
>>>
>>> Thanks much,
>>>
>>>
>>
>>
>>
>>
> 
> 
> 
> 
>
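The two points krt makes in this thread (filter rules match packets as they enter an interface, and the state table lets replies of an already-permitted session through without consulting the rules) can be seen in a small simulation. The model below is an added illustration written for this page; it is not m0n0wall code and does not model NAT or the traffic shaper. The host and network addresses (192.168.1.0/24 for LAN, 192.168.2.0/24 for WISP, 203.0.113.10 standing in for the toysrus.com address, 198.51.100.5 as an arbitrary outside host) are constructed documentation-range values, and the rule columns follow the order used in the thread (action | proto | src | sport | dst | dport | description). First match wins and anything unmatched is dropped, which is the default-deny policy krt refers to.

```python
"""Toy model of interface-inbound, stateful, first-match packet filtering.

Added example for the m0n0wall thread above: rules only see packets that ENTER
the interface they are attached to, so a block rule on WAN never sees traffic
that the LAN already passed outbound, and a reply that matches an existing
state bypasses the rule set entirely.  Not m0n0wall's own code; NAT is ignored.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = "192.168.1.0/24"      # constructed LAN network
WISP_NET = "192.168.2.0/24"     # constructed WISP network
TOYSRUS = "203.0.113.10"        # placeholder for the web server IP in krt's test
OUTSIDE = "198.51.100.5"        # arbitrary outside host for the UDP/1900 test


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "LAN", "WISP" or "WAN"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str      # rules are attached to, and only evaluated on, one interface
    action: str     # "pass" or "block"
    proto: str      # "any", "tcp" or "udp"
    src: str        # "*", a network such as "192.168.1.0/24", or a single host
    sport: str      # "*" or a port number as a string
    dst: str
    dport: str
    desc: str


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _match_port(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


def _match_proto(spec: str, proto: str) -> bool:
    return spec == "any" or spec == proto


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()     # 5-tuples of sessions a pass rule created state for

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful: either direction of an established session skips the rules.
        if key in self.states or reverse in self.states:
            return "pass (state)"
        for r in self.rules:
            if r.iface != pkt.iface:        # rules only see packets entering their own interface
                continue
            if not (_match_proto(r.proto, pkt.proto)
                    and _match_addr(r.src, pkt.src) and _match_port(r.sport, pkt.sport)
                    and _match_addr(r.dst, pkt.dst) and _match_port(r.dport, pkt.dport)):
                continue
            if r.action == "pass":
                self.states.add(key)        # first match wins; pass creates state
                return "pass: " + r.desc
            return "block: " + r.desc
        return "block (default deny)"


def wan_rule_firewall() -> Firewall:
    """Bob's first idea: a single UDP/1900 block on WAN, permissive local interfaces."""
    return Firewall([
        Rule("WAN", "block", "udp", "*", "*", "*", "1900", "Block UPnP"),
        Rule("LAN", "pass", "any", LAN_NET, "*", "*", "*", "Permit LAN Out"),
        Rule("WISP", "pass", "any", WISP_NET, "*", "*", "*", "Permit WISP Net Out"),
    ])


def lan_rule_firewall() -> Firewall:
    """krt's layout: block first on each local interface, then permit, then default deny."""
    return Firewall([
        Rule("LAN", "block", "udp", "*", "*", "*", "1900", "Block UPnP"),
        Rule("LAN", "pass", "any", LAN_NET, "*", "*", "*", "Permit LAN Out"),
        Rule("WISP", "block", "udp", "*", "*", "*", "1900", "Block UPnP"),
        Rule("WISP", "pass", "any", WISP_NET, "*", "*", "*", "Permit WISP Net Out"),
    ])


def upnp_from_lan(fw: Firewall) -> str:
    """A LAN host sends UDP to port 1900 outside; the packet enters on LAN, not WAN."""
    return fw.filter(Packet("LAN", "udp", "192.168.1.20", 40000, OUTSIDE, 1900))


def web_test() -> tuple:
    """krt's steps 2-4: WAN block rules, in either direction, do not stop a LAN-initiated
    web session, because the reply packets match the state the LAN pass rule created.
    An unsolicited packet from that server with source port 80 is a new session and is blocked."""
    fw = Firewall([
        Rule("WAN", "block", "tcp", "*", "*", TOYSRUS, "80", "block web to toysrus"),
        Rule("WAN", "block", "tcp", TOYSRUS, "80", "*", "*", "reversed rule"),
        Rule("LAN", "pass", "any", LAN_NET, "*", "*", "*", "Permit LAN Out"),
    ])
    outbound = fw.filter(Packet("LAN", "tcp", "192.168.1.20", 51000, TOYSRUS, 80))
    reply = fw.filter(Packet("WAN", "tcp", TOYSRUS, 80, "192.168.1.20", 51000))
    unsolicited = fw.filter(Packet("WAN", "tcp", TOYSRUS, 80, "192.168.1.20", 52000))
    return outbound, reply, unsolicited


if __name__ == "__main__":
    print("UDP/1900 with block on WAN:", upnp_from_lan(wan_rule_firewall()))
    print("UDP/1900 with block on LAN:", upnp_from_lan(lan_rule_firewall()))
    print("web session / reply / unsolicited:", web_test())
```

Running it shows the WAN-side UDP/1900 rule never fires (the LAN pass rule already accepted the packet on the interface it entered), the same rule placed on LAN blocks it, and in the web test the reply arriving on WAN is passed by state while a fresh connection from the server's port 80 hits the reversed block rule. Logging on the final block rule of each local interface, as krt suggests, is what makes the unexpected hits visible.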