 From:  Joe Lagreca <lagreca at gmail dot com>
 To:  Fred Wright <fw at well dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help passing traffic from LAN to OPT1
 Date:  Sat, 10 Jul 2004 00:45:52 -0700
Ok, the problem has evolved.  The only device on OPT1 before was the
AP, but now I connected OPT1 to a switch and have the AP plugged into
the switch along with another computer.

> The first rule, if it were needed, would need to be in the LAN section,
> not the OPT1 section.  The concept is that the rules determine what
> traffic origination is allowed *in* from a given interface.  However, if
> you have the default rule allowing traffic from LAN to anywhere, then it's
> superfluous.

I am now very confused about m0n0 firewall rules.  Here are my rules for:

OPT1 interface
Proto   Source     Port   Destination   Port   Description
*       OPT1 net   *      ! LAN net     *      Default OPT1 -> WAN but not LAN

LAN interface
Proto   Source     Port   Destination   Port   Description
*       LAN net    *      *             *      Default LAN -> any

The rule for OPT1 (reading from top down) will allow traffic from OPT1
to pass to any interface, except LAN.

The rule for LAN will allow traffic from LAN to any interface on the m0n0.

Is it good security practice to also include a rule at the bottom of
any interface list to deny everything but what was explicitly allowed
above?  Or do I have the whole concept wrong?

> You also haven't answered my question about what default gateway is
> configured *in the AP*.  If that's anything other than the m0n0wall's OPT1
> IP, then packets from the AP to the LAN won't route correctly.  This can
> be worked around with NAT, but that's the less desirable choice.

I believe this is where my whole problem was.  There is no gateway
setup in the AP, and I don't believe it is possible.  I configured the
AP's LAN address to be 192.168.5.5 with subnet mask of 255.255.255.0.

Above I mentioned I now have another device on OPT1.  The BIG NEWS is
that I can ping it from LAN!  Which mostly means my problem is solved.
However the question still remains, how can I ping the computer on
OPT1, but not the AP?  Is it simply because the AP doesn't have a
gateway setup for its LAN?

> There are a number of things that make this case more complicated than
> just inserting a firewall/router between WAN and LAN, some of which are
> m0n0wall-specific and some of which aren't.  The only m0n0wall issue that
> I consider a mistake is the inappropriate default netmask on OPT1.  

I couldn't agree more.  Actually when assigning an IP to any
interface, it should default to a netmask such as /24 or some other
commonly used network.

Thank you all very much, especially Fred, for bearing with and
teaching me a bit more about networking and security.  Thank you
Manuel for creating this wonderful firewall device that I recommend to
people ALL the time.
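The two points of this exchange, that rules filter traffic arriving *in* on an interface with the first match winning and everything else dropped, and that a host with no default gateway cannot answer a ping from another subnet, can be checked with a small model. The following Python is an added example, not code from the thread or from m0n0wall itself. It assumes first-match-wins evaluation with an implicit final deny (the rule Joe asks about, made explicit), takes the OPT1 subnet from the AP's 192.168.5.5/24 on the page, and uses constructed placeholder values for the LAN subnet, the WAN subnet and the computer's gateway (standing in for the m0n0wall's OPT1 address).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets: OPT1 follows the AP address given on the page (192.168.5.5/24);
# LAN and WAN are constructed placeholders for this example.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # constructed
OPT1_NET = ipaddress.ip_network("192.168.5.0/24")   # from 192.168.5.5/255.255.255.0
WAN_NET = ipaddress.ip_network("203.0.113.0/24")    # constructed (documentation range)

ALIASES = {"LAN net": LAN_NET, "OPT1 net": OPT1_NET, "WAN net": WAN_NET}


@dataclass
class Rule:
    iface: str          # interface the packet arrives *in* on
    source: str         # alias name or "*"
    destination: str    # alias name, "!alias" / "! alias" for negation, or "*"
    action: str = "pass"
    description: str = ""


def _matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Match one address against an alias spec, honouring the '!' negation."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    net = ALIASES[spec.lstrip("! ").strip()]
    hit = addr in net
    return not hit if negate else hit


def evaluate(rules, iface: str, src: str, dst: str):
    """First matching rule on the ingress interface wins.  If nothing matches,
    the packet is blocked: this is the implicit default deny assumed here.
    Only the initiating packet is modelled; a stateful filter passes the
    replies of an allowed connection automatically."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == iface and _matches(r.source, s) and _matches(r.destination, d):
            return r.action, r.description
    return "block", "implicit default deny"


# The two rule lists quoted in the mail, one entry per ingress interface.
RULES = [
    Rule("OPT1", "OPT1 net", "! LAN net", "pass", "Default OPT1 -> WAN but not LAN"),
    Rule("LAN", "LAN net", "*", "pass", "Default LAN -> any"),
]


def can_reply(host_ip: str, netmask: str, gateway: Optional[str], peer_ip: str) -> bool:
    """Can a host route a reply back to peer_ip?  Yes if the peer is on the
    host's own subnet, otherwise only if the host has a default gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(peer_ip) in iface.network:
        return True
    return gateway is not None


if __name__ == "__main__":
    # Rule evaluation: OPT1 host reaching LAN is dropped, reaching WAN is passed.
    print(evaluate(RULES, "OPT1", "192.168.5.20", "192.168.1.10"))
    print(evaluate(RULES, "OPT1", "192.168.5.20", "203.0.113.9"))
    # LAN host pinging the computer on OPT1 is allowed in on LAN.
    print(evaluate(RULES, "LAN", "192.168.1.10", "192.168.5.20"))
    # The AP (no gateway) cannot answer a LAN host; the computer (gateway set) can.
    print(can_reply("192.168.5.5", "255.255.255.0", None, "192.168.1.10"))
    print(can_reply("192.168.5.20", "255.255.255.0", "192.168.5.1", "192.168.1.10"))
```

Running the script shows why the ping results on the page differ: the LAN rule lets the echo request reach both OPT1 hosts, but only the computer, which has a gateway, can route its reply to a 192.168.1.x address; the AP, with no gateway and a different subnet, has nowhere to send it. The `evaluate` function also shows that a packet arriving on LAN from an address outside "LAN net" matches no rule and falls through to the default deny, which is what an explicit trailing block rule would make visible in the rule list.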