[ previous ] [ next ] [ threads ]
 
 From:  "Andrew Eglington" <aeglington at hotmail dot com>
 To:  mk at neon1 dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  port forwarding and SUGGESTION
 Date:  Sat, 26 Jun 2004 15:06:34 +1000
>Yes, that's the case, and I think it's not so strange at all. You wouldn't 
>usually want to map a range of external ports to a single internal port. 
>The hint text for "local port" explains what happens with port ranges quite 
>well, and this is the same behavior as in the majority of commercial 
>firewall products anyway.
>
>- Manuel

Yeah, I think I was just a little weirded by it asking for what I expected 
(a single port), and then having it actually create a rule with a range 
instead. (especially an invalid range.)

<thinking aloud>
.. and I was forgetting that the "which port exactly? - to define WHAT i am 
allowing" element was actually set explicitly in the firewall rules:
It's a little bit counter-intuitive/unnerving  to HAVE to "open" (via NAT) a 
huge range of
ports to * *, (cringe)
but then only permit one port (phew)
in another... abstraction layer, if that is the right term.

... i guess i was expecing NAT to offer a :
"single port request forwarded from router to the m0n0 WAN"   ->
"single port listening on the PC LAN"
style mapping. (as well as the equiv. range style option).

... or maybe i was expecting a comma and hyphen delimited field.

..anyway :)
</thinking aloud>

SUGGESTION:
What would be very useful would be an option in NAT/Firewall Rule setup to 
detect if anything is currently requesting a port/NAT and options to 
wizard/add a NAT/rule for it on that particular port/range, etc etc.
Effectively making NAT/firewall rule setup a matter of probing the required 
function from outside, and being able to detect those probes from inside and 
make rules to allow access.

That way if you know ssh on port X from blah.net knocks on the door of your 
WAN calling itself TheNameOfTheThingIWantToWorkNow on port X, you can more 
easily click a button labelled "Yeah. guide me through rules to connect that 
one"

<thinking aloud>
Making a NAT can auto add a matching rule, and setup detects plugged in WAN 
or LAN cards...
How much more code would be required?
would auto-NAT/rule-addition compromise m0n0 security principles?
would it compromise the intent of m0n0 design?
</thinking aloud>

Looks like time for me to check the updates list/dates.

_________________________________________________________________
Looking to buy a new house? Try   http://property.ninemsn.com.au/