 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Uwe Dippel <udippel at uniten dot edu dot my>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall question
 Date:  Wed, 30 Jun 2010 15:37:19 -0400
On Wed, Jun 30, 2010 at 9:14 AM, Uwe Dippel <udippel at uniten dot edu dot my> wrote:
> I'm unclear about the firewall functionality on 1.32:
> It says, and I think I do understand, "Rules are evaluated on a first-match
> basis (i.e. the action of the first rule to match a packet will be
> executed). This means that if you use block rules, you'll have to pay
> attention to the rule order. Everything that isn't explicitly passed is
> blocked by default."
>
> So, in order to block my DMZ (172.16.1.0/24) properly, I need to allow
> 'all', and then gradually remove the other networks. (I had discussed
> earlier, that unfortunately, there is no way to allow WAN instead.)
> This works.
>
> In order, however, to access the DNS proxy on m0n0wall (172.16.1.200), I
> need to open it up for TCP/UDP on port 53. This is what I do. And I do it
> before I block access to m0n0wall from the DMZ.
>
> # User-defined rules follow
> pass in quick proto tcp from any to 172.16.1.100 port = 80 keep state group 200
> pass in quick proto tcp from any to 172.16.1.100 port = 25 keep state group 200
> pass in quick proto tcp from any to 172.16.1.100 port = 22 keep state group 200
> pass in quick from 192.168.116.0/24 to any keep state group 400
> block in quick from any to 192.168.1.0/24 group 300
> block in quick from any to 192.168.116.0/24 group 300
> pass in quick proto tcp/udp from 172.16.1.0/24 port = 53 to 172.16.1.200 port = 53 keep state group 300
> block in quick from 172.16.1.0/24 to 172.16.1.0/24 group 300
> block in quick from any to 10.10.10.0/24 group 300
> pass in quick from 172.16.1.0/24 to any keep state group 300
> pass in quick from 192.168.1.0/24 to any keep state group 100
>
> But it doesn't do what I expected. It blocks DNS requests just the same. DNS
> does work though, once I remove the line following the one that opens port
> 53 ("block in quick from 172.16.1.0/24 to 172.16.1.0/24 group 300").
> Following the logic of the statement above, the first line hit should open
> port(s) 53.
>
> Where is my mistake?
>

Source port is not 53 on DNS (or anything else); it should be any.
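To make the first-match behaviour and the source-port mistake concrete, here is a small Python evaluator added to this archive page (it is not part of the original thread and not m0n0wall's or IPFilter's own code). It parses the subset of the ipf rule syntax used in the posted group-300 rules, walks them in order, and reports which rule decides a packet. The DNS query packet is constructed for the example: a DMZ client sends from an ephemeral source port, so the rule that requires `port = 53` on the source side never matches and the following DMZ-to-DMZ block rule wins; the `RULES_FIXED` variant drops the source-port constraint, as the reply recommends. Interface and group-head selection are deliberately ignored; only the DMZ group is modelled.

```python
import ipaddress
import re

# Group-300 rules exactly as posted in the thread (first-match order).
RULES_AS_POSTED = """\
block in quick from any to 192.168.1.0/24 group 300
block in quick from any to 192.168.116.0/24 group 300
pass in quick proto tcp/udp from 172.16.1.0/24 port = 53 to 172.16.1.200 port = 53 keep state group 300
block in quick from 172.16.1.0/24 to 172.16.1.0/24 group 300
block in quick from any to 10.10.10.0/24 group 300
pass in quick from 172.16.1.0/24 to any keep state group 300
"""

# Same ruleset with the source-port constraint removed from the DNS rule.
RULES_FIXED = RULES_AS_POSTED.replace(
    "from 172.16.1.0/24 port = 53 to 172.16.1.200",
    "from 172.16.1.0/24 to 172.16.1.200",
)

# Constructed sample packet: a DMZ host resolving a name via the DNS forwarder.
# Source port is an ephemeral port, as with any real resolver.
DNS_QUERY = {"proto": "udp", "src": "172.16.1.50", "sport": 51234,
             "dst": "172.16.1.200", "dport": 53}

# Subset of the ipf rule grammar seen on the page; "keep state"/"group N" tails are ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) in quick"
    r"(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+)(?: port = (?P<sport>\d+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\d+))?"
)


def parse_rules(text):
    """Turn the rule text into a list of dicts, preserving order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: %s" % line)
        r = m.groupdict()
        r["sport"] = int(r["sport"]) if r["sport"] else None
        r["dport"] = int(r["dport"]) if r["dport"] else None
        r["text"] = line
        rules.append(r)
    return rules


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _proto_matches(spec, proto):
    # "tcp/udp" in ipf means either protocol; no proto clause means any.
    return spec is None or proto in spec.split("/")


def _port_matches(spec, port):
    return spec is None or spec == port


def evaluate(rules, pkt):
    """First-match evaluation: return (action, index) of the deciding rule.

    Everything not explicitly passed is blocked, so a packet that matches
    nothing yields ("block", None) for the implicit default deny."""
    for i, r in enumerate(rules):
        if (_proto_matches(r["proto"], pkt["proto"])
                and _addr_matches(r["src"], pkt["src"])
                and _port_matches(r["sport"], pkt["sport"])
                and _addr_matches(r["dst"], pkt["dst"])
                and _port_matches(r["dport"], pkt["dport"])):
            return r["action"], i
    return "block", None


if __name__ == "__main__":
    for label, text in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        rules = parse_rules(text)
        action, idx = evaluate(rules, DNS_QUERY)
        print("%-9s -> %s by rule %s: %s" % (label, action, idx, rules[idx]["text"]))
```

Running the block shows the posted ruleset blocking the query at the DMZ-to-DMZ block rule (index 3) and the fixed ruleset passing it at the DNS rule (index 2). The same evaluator is a convenient way to sanity-check any reordering before committing it to a live firewall.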