 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] default ruleset
 Date:  Fri, 28 May 2004 21:06:45 +0200
On 28.05.2004 20:40 +0200, Thomas Hertz wrote:

> You can see for yourself using "ipfstat -o" in the exec.php that
> this is so.
> 
> $ ipfstat -o
> pass out quick on lo0 from any to any
> pass out quick on sis1 proto udp from 192.168.0.1/32 port = 67 to
> any port = 68
> pass out quick on sis0 proto udp from any port = 68 to any port = 67
> pass out quick on sis1 from any to any keep state
> pass out quick on sis0 from any to any keep state
> pass out quick on sis2 from any to any keep state
> block out log quick from any to any

Just for clarification - ipfilter does stateful packet filtering, and
if a packet matches a state table entry, it is not checked against
the ruleset anymore. The outbound rules only really matter for
traffic that is generated by m0n0wall itself. And no, there are no
implicit "pass in from any to any" rules - if no rules are configured
in the webGUI, then nothing is let in (with a few exceptions).

- Manuel
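
The lookup order described in the message above, as an added example that is not part of the original e-mail and not ipfilter's code: a simplified model in which the state table is checked before the ruleset. The `Filter` class, the packet addresses, and the catch-all inbound block rule (standing in for a webGUI with no pass rules configured) are assumptions made for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface proto src sport dst dport")

# (action, direction, interface or None for any, keep_state). The "out" rules
# follow the quoted ipfstat -o output, DHCP rules omitted. The final "in" rule
# is an assumption standing in for a webGUI with no pass rules configured.
RULES = [
    ("pass", "out", "lo0", False),
    ("pass", "out", "sis1", True),
    ("pass", "out", "sis0", True),
    ("pass", "out", "sis2", True),
    ("block", "out", None, False),
    ("block", "in", None, False),
]

def state_key(p):
    # Both directions of one connection map to the same key.
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class Filter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def check(self, p):
        """Return (verdict, reason) for one packet."""
        if state_key(p) in self.states:
            return "pass", "state"  # state hit: the ruleset is never consulted
        for action, direction, iface, keep_state in self.rules:
            if direction == p.direction and iface in (None, p.iface):
                if action == "pass" and keep_state:
                    self.states.add(state_key(p))
                return action, "rule"  # every rule here is "quick": first match wins
        return "block", "default"  # model's fallback, unreachable with RULES

def demo():
    fw = Filter(RULES)
    # Constructed packets: a DNS query sent by the firewall itself, its reply,
    # and an unsolicited inbound connection attempt.
    query = Packet("out", "sis0", "udp", "192.0.2.10", 40000, "198.51.100.53", 53)
    reply = Packet("in", "sis0", "udp", "198.51.100.53", 53, "192.0.2.10", 40000)
    probe = Packet("in", "sis0", "tcp", "203.0.113.7", 51000, "192.0.2.10", 22)
    return [fw.check(probe), fw.check(query), fw.check(reply)]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The reply is passed by the state entry the outbound query created, even though the model has no inbound pass rule; the same reply arriving without a prior query is blocked by the ruleset.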