 
 From:  "Bob Young" <bob at lavamail dot net>
 To:  "'Chris Buechler'" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Use "any" or "LAN" on LAN interface for Firewall ?
 Date:  Sun, 27 Aug 2006 01:50:05 -0400
Hi Chris:
 
Thanks for your reply.
 
I apologize, that I wasn't as clear as I should have been.
 
When I stated, "I realize that firewall rules are 'inbound only' for the
interface in question", I meant that my LAN subnet was connected to the LAN
interface, and data from the LAN subnet was flowing into the LAN interface
through Monowall, and out the WAN port. IOW, into the LAN interface from the
LAN subnet.  I wasn't clear on that when I said "inbound only".
 
I think you can help me here. Please bear with me as I try to formulate my
question.  I will show you two sample firewall rules that I think will have
the same effect, no matter if I have "any" or "LAN net" for Source:
 
I'll list two LAN interface Firewall rules after the column headings. 
 
Rule 1:
Proto   Source          Port    Destination    Port    Description

TCP     *               *       *              5000    (see description next line)
Block outgoing TCP data on LAN interface coming from any IP source, using
any port, TO any IP source, using port UPnP 5000.

Rule 2:
Proto   Source          Port    Destination    Port    Description

TCP     LAN net         *       *              5000    (see description next line)
Block outgoing TCP data on LAN interface coming from the LAN subnet, using
any port, TO any IP source, using port UPnP 5000.
 
Note in the description, the first time I had "from any IP source", and the
second time I had "coming from the LAN subnet".  Won't both rules give the
same desired effect of blocking outbound UPnP on port 5000?
 
In your previous email, I believe your answer was "yes", there is no
difference---as long as I only have one subnet connected to the LAN
interface.  But if I have a router connected to the LAN interface, I could
then have more than one subnet connected to that router.  But even then I
think "any" or "LAN subnet" when used for "Source" will still give the same
desired effect of blocking UPnP on port 5000.
 
I took a look at both "any" and "LAN subnet", on the page where they are
selected and there was nothing else I could pick after I picked those two
names.  So, even if I have two subnets connected to the LAN interface
(through a router), it seems like there still won't be a difference if I
used "any" or "LAN subnet" for source? 
 
I'm not sure how I can get spoofed on the LAN interface, if I used "any" for
the outgoing Source.
 
I thank you again for your help.
 
Respectfully,
Bob
 
On 8/26/06, Bob Young <bob at lavamail dot net> wrote:
> 
> I realize that firewall rules are 'inbound only' for the interface in
> question.
> 
> If I want to firewall a particular port from sending data into the LAN
> interface,
 
Which you can't do with LAN rules, since rules are inbound only.
That's inbound from the perspective of the firewall - LAN rules are
for traffic originating on the LAN, not going out to the LAN.
 
 
> Does it make any difference if I use "any" or "LAN subnet" for Source?
> Probably not, since both have the same effect?
> 
 
Only if you have a router on your LAN with other subnets behind it.
Since you don't, there's no difference.
 
On most firewalls you'd want to keep it to LAN subnet to prevent
spoofed traffic from leaving your network, but m0n0wall handles all
that behind the scenes with its automatic antispoofing rules so it's
not something you have to take into account.
 
-Chris
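As an added illustration, not part of the thread, here is a small Python model of first-match rule evaluation that shows exactly where Rule 1 (Source "any") and Rule 2 (Source "LAN net") diverge: only for traffic from a second subnet reached through a router on the LAN, which "LAN net" does not cover. The subnets, addresses and the trailing default-pass rule are constructed assumptions, not m0n0wall's actual rule processing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption): 192.168.1.0/24 is directly on the LAN interface, 10.10.0.0/24 sits behind a router on the LAN.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Rule:
    action: str              # "block" or "pass"
    proto: str               # "tcp", "udp" or "*" for any
    source: str              # "*" for any, or a CIDR such as "192.168.1.0/24"
    dst_port: "int | None"   # None means any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Every specified field must match; "*" and None act as wildcards.
    if rule.proto != "*" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.source != "*":
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.source)
    return True

def evaluate(rules, pkt: Packet) -> str:
    # First matching rule decides; falls through to pass if nothing matches.
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "pass"

# Rule 1 ("any") and Rule 2 ("LAN net") from the message, each followed by an assumed default pass rule.
RULESET_ANY = [Rule("block", "tcp", "*", 5000), Rule("pass", "*", "*", None)]
RULESET_LAN_NET = [Rule("block", "tcp", str(LAN_NET), 5000), Rule("pass", "*", "*", None)]
# Constructed sample traffic arriving on the LAN interface, bound for the WAN.
SAMPLE_PACKETS = {
    "lan_host_to_5000": Packet("tcp", "192.168.1.50", 5000),
    "routed_host_to_5000": Packet("tcp", "10.10.0.7", 5000),
    "lan_host_to_443": Packet("tcp", "192.168.1.50", 443),
}

def compare_rulesets() -> dict:
    # Map each sample packet to (verdict under Rule 1, verdict under Rule 2).
    return {name: (evaluate(RULESET_ANY, p), evaluate(RULESET_LAN_NET, p))
            for name, p in SAMPLE_PACKETS.items()}
```

The routed host's TCP/5000 traffic is blocked under Rule 1 but passes under Rule 2, which is the one case Chris describes where the two source choices differ.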