 From:  Fabrizio Steiner <fabrizio at steiner dash vs dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  1.3 WAN <-> Opt bridge wrong rules apply
 Date:  Thu, 11 Feb 2010 09:28:41 +0100
Hello

I have a problem with a m0n0wall, which I would like to configure as a transparent firewall. For
this, I've bridged the WAN interface with the Opt1 interface. Now I wanted to have some special
firewall rules for the incoming traffic, e.g. allow only https; this rule has to be defined on the
WAN interface. On the other hand, for the outgoing traffic I want to allow all traffic, so for this
there's an allow "any to any" rule on the Opt1 interface. Unfortunately the rule on Opt1 doesn't
apply to traffic that comes from the Opt1 interface; instead, for traffic that comes from Opt1
the rules of the WAN apply. But this rule prevents any traffic except https, and therefore no
communication is possible from Opt1 over the WAN to the outside world.

For testing purposes I've again created an allow "any to any" rule on the WAN interface and I've
set up both allow "any to any" rules to be logged. If you have some traffic from Opt1 to the outside
world and take a look at the firewall log, you will see that the rule on the WAN is used instead of
the one on Opt1.

Using the same configuration with 1.3b16 works as expected, and the Opt1 rule applies, which is
correct. Using 1.3b17 and newer, the WAN rule applies, so this must be due to the change from "BRIDGE to
if_bridge".

Attached you will find a test configuration for this scenario.

Kind Regards
Fabrizio
wan bridge from op1 wan rule gets used.xml (2.1 KB, application/xml)