 From:  Andrew Boothman <andrew at mux dot org dot uk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Denying Incoming Packets
 Date:  Tue, 15 Jan 2008 23:48:03 +0000
Neil A. Hillard wrote:
>> When I was using FreeBSD itself for NAT on my network I used to use the
>> deny_incoming flag for natd (http://www.freebsd.org/cgi/man.cgi?query=natd)
>> to ensure that I wouldn't get any incoming traffic that didn't
>> match up with outgoing traffic.
>>
>> Is there an equivalent setting for m0n0wall, or is it not required?
>>
>> I haven't made many configuration changes (other than IP range
>> settings) so is it OK to hook up my WAN port to my cable modem
>> connection with the default configuration?
>>
>> The only Firewall or NAT rule set up is the default "Default LAN ->
>> any" one.
> 
> You can rest easy as m0n0wall is stateful in that it will only allow
> return traffic to established connections.
> 
> In your case, with your rules, m0n0wall will only allow incoming traffic
> that is in response to a connection that one of your LAN devices has
> initiated.

Neil,

Thanks for your reply! For the avoidance of doubt, below is my 
config.xml file which should show that I mainly have a default 
configuration that I presume is safe to use on my public connection:

<?xml version="1.0"?>
<m0n0wall>
     <version>1.6</version>
     <lastchange>1199397106</lastchange>
     <system>
         <hostname>m0n0wall</hostname>
         <domain>home</domain>
         <dnsallowoverride/>
         <username>admin</username>
         <password>xxxxx</password>
         <timezone>Europe/London</timezone>
         <time-update-interval>300</time-update-interval>
         <timeservers>pool.ntp.org</timeservers>
         <webgui>
             <protocol>http</protocol>
             <port/>
             <certificate/>
             <private-key/>
             <expanddiags/>
         </webgui>
         <dnsserver>192.168.0.1</dnsserver>
     </system>
     <interfaces>
         <lan>
             <if>sis0</if>
             <ipaddr>10.0.0.254</ipaddr>
             <subnet>24</subnet>
             <media/>
             <mediaopt/>
         </lan>
         <wan>
             <if>sis1</if>
             <mtu/>
             <media/>
             <mediaopt/>
             <spoofmac/>
             <ipaddr>192.168.0.101</ipaddr>
             <subnet>24</subnet>
             <gateway>192.168.0.1</gateway>
         </wan>
     </interfaces>
     <staticroutes/>
     <pppoe/>
     <pptp/>
     <bigpond/>
     <dyndns>
         <type>dyndns</type>
         <username/>
         <password/>
         <host/>
         <mx/>
         <server/>
         <port/>
     </dyndns>
     <dnsupdate/>
     <dhcpd>
         <lan>
             <range>
                 <from>10.0.0.100</from>
                 <to>10.0.0.199</to>
             </range>
             <enable/>
             <defaultleasetime/>
             <maxleasetime/>
             <staticmap>
                 <mac>00:16:17:8d:45:7b</mac>
                 <ipaddr>10.0.0.1</ipaddr>
                 <descr>Andrew</descr>
             </staticmap>
         </lan>
     </dhcpd>
     <pptpd>
         <mode/>
         <redir/>
         <localip/>
         <remoteip/>
     </pptpd>
     <dnsmasq>
         <enable/>
         <regdhcp/>
     </dnsmasq>
     <snmpd>
         <syslocation/>
         <syscontact/>
         <rocommunity>public</rocommunity>
     </snmpd>
     <diag>
         <ipv6nat>
             <ipaddr/>
         </ipv6nat>
     </diag>
     <bridge/>
     <syslog/>
     <nat/>
     <filter>
         <rule>
             <type>pass</type>
             <descr>Default LAN -&gt; any</descr>
             <interface>lan</interface>
             <source>
                 <network>lan</network>
             </source>
             <destination>
                 <any/>
             </destination>
         </rule>
         <tcpidletimeout/>
     </filter>
     <shaper/>
     <ipsec/>
     <aliases/>
     <proxyarp/>
     <wol/>
</m0n0wall>
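A mechanical way to answer the question the thread raises ("does this config admit anything from the WAN side?"), as an added example that is not from the thread or from m0n0wall itself: parse config.xml and report every filter rule that passes traffic on the wan interface plus any inbound NAT entry. It assumes the element layout of the posted file and that port forwards appear as <rule> children of <nat>.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the default configuration posted in this thread, trimmed
# to the sections that decide whether anything from the WAN side is admitted.
DEFAULT_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
    <nat/>
    <filter>
        <rule>
            <type>pass</type>
            <descr>Default LAN -&gt; any</descr>
            <interface>lan</interface>
            <source><network>lan</network></source>
            <destination><any/></destination>
        </rule>
    </filter>
</m0n0wall>
"""


def wan_exposure(config_xml: str) -> dict:
    """Report filter rules that pass traffic arriving on the WAN interface and
    inbound NAT (port-forward) entries. Traffic not passed by an explicit rule
    is dropped by the stateful filter, so an empty report means only return
    traffic for LAN-initiated connections gets in."""
    root = ET.fromstring(config_xml)
    wan_pass = [
        rule.findtext("descr") or "(no description)"
        for rule in root.findall("./filter/rule")
        if rule.findtext("type") == "pass" and rule.findtext("interface") == "wan"
    ]
    # Assumption: inbound NAT entries are <rule> children of <nat>, as in
    # m0n0wall 1.x configs; an empty <nat/> means no port forwards.
    nat_rules = root.findall("./nat/rule")
    return {
        "wan_pass_rules": wan_pass,
        "inbound_nat_entries": len(nat_rules),
        "exposes_wan": bool(wan_pass) or bool(nat_rules),
    }


if __name__ == "__main__":
    print("default config:", wan_exposure(DEFAULT_CONFIG))
    # Same config with the rule moved to the WAN interface: now flagged.
    opened = DEFAULT_CONFIG.replace("<interface>lan</interface>",
                                    "<interface>wan</interface>")
    print("WAN pass rule :", wan_exposure(opened))
```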