 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] simplifying packet filter rules
 Date:  Mon, 12 Nov 2007 22:09:04 -0500
On Nov 12, 2007 8:36 AM, Harald Sauff <harald dot sauff at tu dash harburg dot de> wrote:
> Hello list,
>
> I'm running m0n0wall 1.231 as our internet gateway. It connects WAN, DMZ
> and several local subnets (real and VLANs).
>
> Is there a way to specify a rule like "allow access to internet"? I want
> to block access between local subnets, but every local subnet should be
> able to access the internet.
> So I'd like to rely on the implicit default "block everything" rule and
> just add the "allow access to internet" rule. But when I specify "allow
> *" then I have to add rules that block access to every subnet separately
> (block subnet A, block subnet B, block subnet C, allow *). And when I do
> it this way and I add another subnet I have to extend the rules for
> every device.

That's correct, but there are more logical and sensible ways to do
this. Every site should use subnets that can be CIDR summarized. Then
you can add subnets without changing any of this, and also permit to
everything *but* your internal subnets in one rule by using
destination "not" your internal subnets.

For example, if you use 192.168.1.0/24, 192.168.2.0/24, etc. through
192.168.254.0/24, you can summarize with 192.168.0.0/16. Then allow to
destination "not" 192.168.0.0/16 and you have what you're after.

-Chris
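The two rule strategies discussed in this thread, modelled as an added example that is not part of the original mail or of m0n0wall itself. It computes the smallest CIDR summary that covers a set of internal subnets (so you can check whether your addressing plan can be summarized at all, and how much unused space the summary drags in), then evaluates a destination against both rule sets. The rule engine assumes first-match evaluation with an implicit default block, as the thread describes; the subnet values and the "new subnet" 192.168.77.0/24 are constructed for the example.

```python
import ipaddress

# --- CIDR summarization -------------------------------------------------------

def smallest_summary(subnets):
    """Return the smallest single network that contains every subnet given.

    Walks up from the first subnet's prefix until all subnets fall inside it.
    Note that the result may cover far more space than the subnets themselves
    (see covered_but_unassigned below), which is why addressing plans should be
    laid out for summarization up front, as Chris suggests.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one prefix bit
    return summary


def covered_but_unassigned(subnets):
    """Number of addresses inside the summary that belong to no listed subnet.

    A "destination not <summary>" rule also refuses traffic to these addresses,
    which is harmless for private space but worth knowing about.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    summary = smallest_summary(subnets)
    return summary.num_addresses - sum(n.num_addresses for n in nets)


# --- Rule evaluation -----------------------------------------------------------
# Each rule is (action, match_op, destination_network); match_op is "is" or
# "not", mirroring the destination "not" checkbox on a m0n0wall rule.

def first_match(rules, dst, default="block"):
    """Evaluate dst against rules top to bottom; first hit wins (assumption:
    first-match semantics), otherwise the implicit default block applies."""
    d = ipaddress.ip_address(dst)
    for action, op, net in rules:
        hit = d in ipaddress.ip_network(net, strict=False)
        if op == "not":
            hit = not hit
        if hit:
            return action
    return default


# Constructed internal subnets; the addressing plan is summarizable.
INTERNAL = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
SUMMARY = smallest_summary(INTERNAL)  # 192.168.0.0/16 when the plan uses /24s up to .254

# Strategy 1 (Chris): one rule, destination "not" the summary.
RULES_SUMMARIZED = [("pass", "not", "192.168.0.0/16")]

# Strategy 2 (Harald): block each known subnet, then allow everything.
RULES_PER_SUBNET = [("block", "is", s) for s in INTERNAL] + [("pass", "is", "0.0.0.0/0")]


def compare(dst):
    """Decision of each strategy for one destination, for side-by-side viewing."""
    return {
        "summarized": first_match(RULES_SUMMARIZED, dst),
        "per_subnet": first_match(RULES_PER_SUBNET, dst),
    }


if __name__ == "__main__":
    print("summary of", INTERNAL, "=", SUMMARY)
    for dst in ("203.0.113.10",   # an internet host: both strategies pass
                "192.168.2.5",    # a known internal subnet: both block
                "192.168.77.5"):  # a subnet added later: only the summary blocks
        print(dst, compare(dst))
```

The last destination is the point of Chris's advice: a subnet added after the rules were written is still inside 192.168.0.0/16, so the summarized rule blocks it without any change, while the per-subnet list silently lets it through until someone updates every interface's rules.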