 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Free Trial <free underscore trial underscore mail at hotmail dot com>
 Subject:  Re: m0n0wall - DMZ issue
 Date:  Tue, 6 Mar 2007 19:04:47 +0000

        please keep all discussion on the mailing list so that others
can benefit from the advice given - thanks.

In message <BAY104 dash W19E444A1EC0F3BD4EAB6ABB07B0 at phx dot gbl>, Free Trial
<free underscore trial underscore mail at hotmail dot com> writes
>I wonder if you quickly can help me. I found your email in the mailing
>I have set up monowall with three interfaces:
> LAN - (my computer -
> DMZ - (www server -
>At the DMZ tab in section "Firewall -> Rules" it says:
> "No rules are currently defined for this interface. All incoming
>connections on this interface will be blocked until you add pass
>Because I have not added any rules to the DMZ interface yet (as stated
>above), all packages should be blocked, right?
>But if I access the webserver in ( from my computer
>(, the website _is_ shown.
>I can also connect to the www-server using SSH.
>Isn't this strange?
>Shouldn't _all_ packages (including packages with port 80, 22) be
>blocked in DMZ (as it says above)?
>I can not see what is wrong.
>Maybe you quickly can help me?
>(I hope you understand my bad english. :/ )

OK, the message states 'incoming connections on this interface'.  When
you make a connection from LAN to DMZ then it is an inbound connection
to the LAN interface and an outbound connection from the DMZ interface.
If you have a rule on LAN to allow the request (there is a default rule
allowing LAN to anything) then it will be allowed.

Rules applied to the DMZ interface will either allow or deny hosts on
the DMZ interface to make connections through m0n0wall.

>Kind Regards
> Peter
>Discover the new Windows Vista Learn more!

Like learning how to downgrade to XP as Vista sucks big time!

Hope this makes things clearer.


Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
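
The behaviour described in the reply above, as an added example that is not part of the original message and is not m0n0wall's own code: a toy Python model in which rules are matched only on the interface a packet arrives on, with first match winning and a state table letting replies through. The addresses, ports and the names `Firewall`, `default_rules` and `hardened_rules` are constructed for illustration.

```python
import ipaddress

# Constructed addressing (the addresses in the original post were lost).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


class Firewall:
    """Toy model: rules are matched on the interface a packet ARRIVES on."""

    def __init__(self, rules):
        self.rules = rules      # {interface: [(action, src_net, dst_net, dport)]}
        self.states = set()     # flows already passed, so replies are accepted

    def handle(self, in_if, src, dst, sport, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Reply to a tracked connection: passes without consulting any rule.
        if (dst, dport, src, sport) in self.states:
            return "pass (state)"
        # First match wins; no rules on the interface means default deny.
        for action, src_net, dst_net, port in self.rules.get(in_if, []):
            if src in src_net and dst in dst_net and port in (None, dport):
                if action == "pass":
                    self.states.add((src, sport, dst, dport))
                return action
        return "block"


def default_rules():
    # Default from the reply: LAN may go anywhere; the DMZ tab has no rules.
    return {"LAN": [("pass", LAN_NET, ANY, None)], "DMZ": []}


def hardened_rules():
    # Assumption: LAN should not reach the DMZ. The block then belongs on
    # the LAN tab, above the default allow, not on the DMZ tab.
    rules = default_rules()
    rules["LAN"].insert(0, ("block", LAN_NET, DMZ_NET, None))
    return rules


if __name__ == "__main__":
    fw = Firewall(default_rules())
    print(fw.handle("LAN", "192.168.1.10", "192.168.2.80", 40000, 80))   # LAN -> web server
    print(fw.handle("DMZ", "192.168.2.80", "192.168.1.10", 80, 40000))   # the server's reply
    print(fw.handle("DMZ", "192.168.2.80", "192.168.1.10", 40001, 445))  # DMZ-initiated
```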