On Sat, 10 Jul 2004, Joe Lagreca wrote:

> I am now very confused about m0n0 firewall rules. Here are my rules for:

Have you applied the rules and/or rebooted your m0n0 after creating the rules below?

> OPT1 interface
> Proto  Source    Port  Destination  Port  Description
> *      OPT1 net  *     ! LAN net    *     Default OPT1 -> WAN but not LAN
>
> LAN interface
> Proto  Source    Port  Destination  Port  Description
> *      LAN net   *     *            *     Default LAN -> any
>
> The rule for OPT1 (reading from top down) will allow traffic from OPT1
> to pass to any interface, except LAN.

Exactly, which would prevent you from being able to ping any boxen hanging off OPT1.

> Is it good security practice to also include a rule at the bottom of any
> interface list to deny everything but what was explicitly allowed above?

The default rules adopt a block-all-unless-explicitly-allowed model. Hence, you just need to add rules to allow the traffic which is permitted, and the default block-all rule will block all the rest.

> Above I mentioned I now have another device on OPT1. The BIG NEWS is
> that I can ping it from LAN! Which mostly means my problem is solved.

Which is odd, considering that you have a rule which prevents the ICMP replies from going back to the LAN by blocking all packets from OPT1 net to LAN net.

Regards,

 /\_/\   "All dogs go to heaven."          dinesh at alphaque dot com
 (0 0)                                     http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|     echo "The opinions here in no way reflect the opinions of my $a $b." |
|   done; done                                                            |
+=========================================================================+
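The two rule sets above, evaluated the way m0n0wall evaluates them, as an added worked example (editor's code, not from the thread or the m0n0wall project). The rules are the ones Joe posted; the LAN and OPT1 address ranges, the probe addresses and the "pass (state)" verdict string are constructed for the demo. The evaluator applies first-match-wins on the ingress interface with an implicit block at the end, which is the default-deny model the reply describes. The second half adds a minimal state table, because m0n0wall pass rules are stateful (ipfilter keep state): an echo request that the LAN rule lets out creates a state entry, and the echo reply coming back in on OPT1 is matched against that entry before the OPT1 rules are consulted. That is what lets a LAN-initiated ping to OPT1 succeed even though OPT1 net -> LAN net is blocked for anything OPT1 starts itself.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the post).
NETS = {
    "LAN net": ip_network("192.168.1.0/24"),
    "OPT1 net": ip_network("192.168.2.0/24"),
}


@dataclass
class Rule:
    iface: str      # interface the rule is bound to (ingress)
    proto: str      # "*" = any protocol
    src: str        # network name or "*"
    dst: str        # network name, "*" or "!name" (negated, like "! LAN net")
    action: str = "pass"


# Joe's rules, transcribed from the thread.
RULES = [
    Rule("OPT1", "*", "OPT1 net", "! LAN net"),   # Default OPT1 -> WAN but not LAN
    Rule("LAN", "*", "LAN net", "*"),             # Default LAN -> any
]


def _match_net(spec: str, addr: str) -> bool:
    """Match an address against a rule field; a leading '!' negates the network."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("! ")
    hit = ip_address(addr) in NETS[name]
    return (not hit) if negate else hit


def evaluate(rules, iface: str, proto: str, src: str, dst: str) -> str:
    """First matching rule on the ingress interface wins; no match means block."""
    for r in rules:
        if r.iface != iface:
            continue
        if r.proto != "*" and r.proto != proto:
            continue
        if not _match_net(r.src, src) or not _match_net(r.dst, dst):
            continue
        return r.action
    return "block"   # m0n0wall's implicit default-deny at the end of every list


class StatefulFirewall:
    """Toy keep-state behaviour: replies to an allowed flow bypass the rule list."""

    def __init__(self, rules):
        self.rules = rules
        self.states: set[tuple[str, str, str]] = set()

    def packet(self, iface: str, proto: str, src: str, dst: str) -> str:
        if (proto, dst, src) in self.states:          # reverse of a recorded flow
            return "pass (state)"
        verdict = evaluate(self.rules, iface, proto, src, dst)
        if verdict == "pass":
            self.states.add((proto, src, dst))
        return verdict


def ping_from_lan(lan_host="192.168.1.5", opt1_host="192.168.2.10"):
    """LAN-initiated ping: request out via LAN rules, reply back in on OPT1."""
    fw = StatefulFirewall(RULES)
    request = fw.packet("LAN", "icmp", lan_host, opt1_host)
    reply = fw.packet("OPT1", "icmp", opt1_host, lan_host)
    return request, reply


def ping_from_opt1(opt1_host="192.168.2.20", lan_host="192.168.1.5"):
    """OPT1-initiated ping to LAN: no state exists, so the OPT1 rules decide."""
    fw = StatefulFirewall(RULES)
    return fw.packet("OPT1", "icmp", opt1_host, lan_host)


if __name__ == "__main__":
    print("OPT1 -> WAN :", evaluate(RULES, "OPT1", "icmp", "192.168.2.10", "10.0.0.1"))
    print("OPT1 -> LAN :", ping_from_opt1())
    print("LAN  -> OPT1:", ping_from_lan())
```

Stateless evaluation of the echo reply (OPT1 net -> LAN net on the OPT1 interface) gives "block", which is the reading in the reply above; with the state entry created by the outbound request it gives "pass (state)". Something OPT1 originates towards the LAN still falls through to the default block.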