I'm unclear about the firewall functionality on 1.32:
It says, and I think I do understand, "Rules are evaluated on a
first-match basis (i.e. the action of the first rule to match a packet
will be executed). This means that if you use block rules, you'll have
to pay attention to the rule order. Everything that isn't explicitly
passed is blocked by default."
So, in order to block my DMZ (172.16.1.0/24) properly, I need to allow
'all', and then gradually remove the other networks. (I had discussed
earlier, that unfortunately, there is no way to allow WAN instead.)
In order, however, to access the DNS proxy on m0n0wall (172.16.1.200), I
need to open it up for TCP/UDP on port 53. This is what I do. And I do
it before I block access to m0n0wall from the DMZ.
# User-defined rules follow
pass in quick proto tcp from any to 172.16.1.100 port = 80 keep state group 200
pass in quick proto tcp from any to 172.16.1.100 port = 25 keep state group 200
pass in quick proto tcp from any to 172.16.1.100 port = 22 keep state group 200
pass in quick from 192.168.116.0/24 to any keep state group 400
block in quick from any to 192.168.1.0/24 group 300
block in quick from any to 192.168.116.0/24 group 300
pass in quick proto tcp/udp from 172.16.1.0/24 port = 53 to 172.16.1.200 port = 53 keep state group
block in quick from 172.16.1.0/24 to 172.16.1.0/24 group 300
block in quick from any to 10.10.10.0/24 group 300
pass in quick from 172.16.1.0/24 to any keep state group 300
pass in quick from 192.168.1.0/24 to any keep state group 100
But it doesn't do what I expected. It blocks DNS-requests just the same.
DNS does work though, once I remove the line following the one that
opens port 53 ("block in quick from 172.16.1.0/24 to 172.16.1.0/24 group
300"). Following the logic of the statement above, the first line hit
should open port(s) 53.
Where is my mistake?