 From:  Lee Sharp <leesharp at hal dash pc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] LAN rule suggestions
 Date:  Tue, 03 Apr 2007 22:50:19 -0500
Kurt Mahan wrote:
> I'm looking for some advice/suggestions/pointers.
> Currently I'm running m0n0wall 1.23 on a WRAP 3 port board.  It works great!
> The DMZ is configured according to the faq article.  All my external facing
> services live in there.  No need to talk to the LAN.
> The default LAN setting is working but it allows everything to exit the
> firewall.  Several articles I've read suggest restricting outgoing packets
> from the LAN to prevent viruses and such from contacting their mothership.  
> My LAN has a mix of Linux and Windows boxen.  Any suggestions/examples of
> LAN rulesets?  Any popular ports used by viruses to close?

Change your 'default allow' rule to "Log packets handled by this rule."
Then make rules to allow the packets you use (and want to use) and put
them above your default allow rule.  As you go, the logs for the default
rule will be less and less.  When you think you have all you need, turn
it off, and you are secure.  (Assuming you didn't add anything you
didn't understand.)
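As an added illustration of the log-driven tightening described above (not code from this thread or from m0n0wall itself), the script below takes constructed, simplified firewall log lines plus a list of explicit allow rules placed above the logged default-allow rule, and reports which flows the default rule would still be logging. The log line format, addresses and ports are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified log lines (interface, action, src, dst, proto);
# this is NOT m0n0wall's real log format, just a stand-in for the example.
SAMPLE_LOG = """\
LAN pass 192.168.1.10:51022 -> 208.67.222.222:53 UDP
LAN pass 192.168.1.10:51023 -> 93.184.216.34:80 TCP
LAN pass 192.168.1.11:51024 -> 93.184.216.34:443 TCP
LAN pass 192.168.1.12:51025 -> 198.51.100.7:6667 TCP
LAN pass 192.168.1.12:51026 -> 198.51.100.7:6667 TCP
LAN pass 192.168.1.10:51027 -> 203.0.113.9:25 TCP
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<action>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse(log_text):
    """Yield (src, dst, dport, proto) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["proto"]

def still_hitting_default(log_text, allow_rules):
    """allow_rules: explicit (proto, dport) rules listed above the logged
    default-allow rule.  Returns what the default rule would still log, as
    {(PROTO, dport): {"hits": n, "sources": [unique source IPs]}}.
    Each entry is a flow to review before deciding whether to allow it."""
    allowed = {(p.upper(), d) for p, d in allow_rules}
    remaining = defaultdict(lambda: {"hits": 0, "sources": set()})
    for src, dst, dport, proto in parse(log_text):
        if (proto.upper(), dport) in allowed:
            continue  # matched an explicit rule earlier in the list
        entry = remaining[(proto.upper(), dport)]
        entry["hits"] += 1
        entry["sources"].add(src)
    return {k: {"hits": v["hits"], "sources": sorted(v["sources"])}
            for k, v in remaining.items()}

if __name__ == "__main__":
    rules = [("udp", 53), ("tcp", 80), ("tcp", 443)]  # assumed first pass
    for (proto, dport), info in sorted(still_hitting_default(SAMPLE_LOG, rules).items()):
        print(f"{proto}/{dport}: {info['hits']} hits from {info['sources']}")
```

Re-run it with an extended rule list after each pass; when it returns nothing over a representative period, the default-allow rule is no longer carrying traffic and can be disabled.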