 
 From:  Joe Lagreca <lagreca at gmail dot com>
 To:  Dinesh Nair <dinesh at alphaque dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help passing traffic from LAN to OPT1
 Date:  Sat, 10 Jul 2004 01:13:54 -0700
OK, so I was a little confused before, but am REALLY confused now. 
Can someone explain just how the firewall rules work?

At first I thought it was like Dinesh said, where everything is
denied, which is what I'm used to with netscreen.

But then in practice it seems like everything is allowed, and you have
to explicitly say certain traffic can't pass from OPT1 to LAN.  Could
it be the "everything is denied unless explicitly stated" rule only
applies to the WAN?

Anyone else out there have more insight to help me understand these
firewall rules a little better?

Joe


On Sat, 10 Jul 2004 15:56:52 +0800 (MYT), Dinesh Nair
<dinesh at alphaque dot com> wrote:
> 
> On Sat, 10 Jul 2004, Joe Lagreca wrote:
> 
> > I am now very confused about m0n0 firewall rules.  Here are my rules for:
> 
> have you applied the rules and/or rebooted your m0n0 after creating the
> rules below?
> 
> >
> > OPT1 interface
> > Proto   Source     Port   Destination   Port   Description
> > *       OPT1 net   *      ! LAN net     *      Default OPT1 -> WAN but not LAN
> >
> > LAN interface
> > Proto   Source     Port   Destination   Port   Description
> > *       LAN net    *      *             *      Default LAN -> any
> >
> > The rule for OPT1 (reading from top down) will allow traffic from OPT1
> > to pass to any interface, except LAN.
> 
> exactly, which would prevent you being able to ping any boxen hanging off
> OPT1.
> 
> > Is it good security practice to also include a rule at the bottom of any
> > interface list to deny everything but what was explicitly allowed above?
> 
> the default rules adopt a block all unless explicitly allowed model.
> hence, you just need to add rules to allow the traffic which is permitted
> and the default block all rule will block all the rest.
> 
> > Above I mentioned I now have another device on OPT1.  The BIG NEWS is
> > that I can ping it from LAN!  Which mostly means my problem is solved.
> 
> which is odd, considering that you have a rule which prevents the ICMP
> replies from going back to the LAN by blocking all packets from OPT1 Net to
> LAN Net.
> 
> Regards,                           /\_/\   "All dogs go to heaven."
> dinesh at alphaque dot com                (0 0)    http://www.alphaque.com/
> +==========================----oOO--(_)--OOo----==========================+
> | for a in past present future; do                                        |
> |   for b in clients employers associates relatives neighbours pets; do   |
> |   echo "The opinions here in no way reflect the opinions of my $a $b."  |
> | done; done                                                              |
> +=========================================================================+
> 
>
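A small model of the rule evaluation the thread is arguing about, added here as an example and not m0n0wall's own code. It assumes the addresses shown for the LAN and OPT1 subnets, first-match evaluation of the rules on the interface a packet arrives on with an implicit block when nothing matches, and stateful filtering (a reply to an already-passed flow is accepted without consulting the rules of the interface it comes back in on), which is why a LAN -> OPT1 ping can succeed even though the OPT1 rule excludes LAN net as a destination.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample subnets; substitute the real ones for your m0n0wall.
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1 net": ipaddress.ip_network("192.168.2.0/24"),
}

@dataclass
class Rule:
    iface: str           # interface the packet arrives on (rules are per-interface)
    src: str             # "LAN net", "OPT1 net" or "*"
    dst: str             # same, optionally negated with a leading "!"
    action: str = "pass"

def _match(spec, ip):
    """Match an address against a rule field, honouring the '!' negation."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    in_net = ipaddress.ip_address(ip) in NETS[spec.lstrip("! ")]
    return in_net != negate

# The two rules from the thread, one per interface, in the order they are listed.
RULES = [
    Rule("OPT1", "OPT1 net", "! LAN net"),   # Default OPT1 -> WAN but not LAN
    Rule("LAN", "LAN net", "*"),             # Default LAN -> any
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, dst) flows that a pass rule has already admitted

    def filter(self, iface, src, dst):
        # Stateful shortcut: replies to an admitted flow never hit the rule list.
        if (dst, src) in self.states:
            return "pass (state)"
        # First matching rule on the ingress interface decides.
        for r in self.rules:
            if r.iface == iface and _match(r.src, src) and _match(r.dst, dst):
                if r.action == "pass":
                    self.states.add((src, dst))
                return r.action
        # Nothing matched: the implicit default-block rule applies, so an
        # explicit "deny everything" at the bottom of the list is redundant.
        return "block"
```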