The following is the "ipfstat -nio" command.

$ ipfstat -nio
@1 pass out quick on lo0 from any to any
@2 pass out quick on xl0 proto udp from 192.168.0.1/32 port = 67 to any port = 68
@3 pass out quick on xl1 proto udp from 192.168.5.1/32 port = 67 to any port = 68
@4 pass out quick on dc0 proto udp from any port = 68 to any port = 67
@5 pass out quick on dc0 proto udp from 68.107.79.182/32 port = 500 to any
@6 pass out quick on dc0 proto esp from 68.107.79.182/32 to any
@7 pass out quick on dc0 proto ah from 68.107.79.182/32 to any
@8 pass out quick on xl0 proto udp from 192.168.0.1/32 port = 500 to any
@9 pass out quick on xl0 proto esp from 192.168.0.1/32 to any
@10 pass out quick on xl0 proto ah from 192.168.0.1/32 to any
@11 pass out quick on xl1 proto udp from 192.168.5.1/32 port = 500 to any
@12 pass out quick on xl1 proto esp from 192.168.5.1/32 to any
@13 pass out quick on xl1 proto ah from 192.168.5.1/32 to any
@14 pass out quick on xl0 from any to any keep state
@15 pass out quick on dc0 from any to any keep state
@16 pass out quick on xl1 from any to any keep state
@17 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on xl0 proto udp from any port = 68 to 192.168.0.1/32 port = 67
@6 pass in quick on xl1 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@7 pass in quick on xl1 proto udp from any port = 68 to 192.168.5.1/32 port = 67
@8 block in log quick on dc0 from 192.168.0.0/24 to any
@9 block in log quick on dc0 from 192.168.5.0/24 to any
@10 block in log quick on dc0 proto udp from any port = 67 to 192.168.0.0/24 port = 68
@11 pass in quick on dc0 proto udp from any port = 67 to any port = 68
@12 skip 2 in on xl0 from 192.168.1.0/24 to any
@13 skip 1 in on xl0 from 192.168.0.0/24 to any
@14 block in log quick on xl0 from any to any
@15 skip 1 in on xl1 from 192.168.5.0/24 to any
@16 block in log quick on xl1 from any to any
@17 block in log quick on dc0 from 10.0.0.0/8 to any
@18 block in log quick on dc0 from 127.0.0.0/8 to any
@19 block in log quick on dc0 from 172.16.0.0/12 to any
@20 block in log quick on dc0 from 192.168.0.0/16 to any
@21 pass in quick on dc0 proto udp from any to 68.107.79.182/32 port = 500
@22 pass in quick on dc0 proto esp from any to 68.107.79.182/32
@23 pass in quick on dc0 proto ah from any to 68.107.79.182/32
@24 pass in quick on xl0 proto udp from any to 192.168.0.1/32 port = 500
@25 pass in quick on xl0 proto esp from any to 192.168.0.1/32
@26 pass in quick on xl0 proto ah from any to 192.168.0.1/32
@27 pass in quick on xl1 proto udp from any to 192.168.5.1/32 port = 500
@28 pass in quick on xl1 proto esp from any to 192.168.5.1/32
@29 pass in quick on xl1 proto ah from any to 192.168.5.1/32
@30 skip 1 in proto tcp from any to any flags S/FSRA
@31 block in log quick proto tcp from any to any
@32 block in log quick on xl0 from any to any head 100
@1 pass in quick from 192.168.0.0/24 to 192.168.0.1/32 keep state group 100
@2 pass in quick from 192.168.0.0/24 to any keep state group 100
@33 block in log quick on dc0 from any to any head 200
@1 pass in quick proto gre from any to 127.0.0.1/32 keep state group 200
@2 pass in quick proto tcp from any to 127.0.0.1/32 port = 1723 keep state group 200
@3 pass in log quick proto tcp from any to 192.168.0.1/32 port = 443 keep state group 200
@4 pass in log quick proto tcp from any to 192.168.0.50/32 port = 22 keep state group 200
@5 pass in quick proto tcp from any to 192.168.0.40/32 port = 5190 keep state group 200
@6 pass in log quick proto tcp from any to 192.168.0.40/32 port = 113 keep state group 200
@34 block in log quick on xl1 from any to any head 300
@1 pass in quick from 192.168.5.0/24 to !192.168.0.0/24 keep state group 300
@35 pass in log quick on ng1 from any to any keep state
@36 pass in log quick on ng2 from any to any keep state
@37 pass in log quick on ng3 from any to any keep state
@38 pass in log quick on ng4 from any to any keep state
@39 pass in log quick on ng5 from any to any keep state
@40 pass in log quick on ng6 from any to any keep state
@41 pass in log quick on ng7 from any to any keep state
@42 pass in log quick on ng8 from any to any keep state
@43 pass in log quick on ng9 from any to any keep state
@44 pass in log quick on ng10 from any to any keep state
@45 pass in log quick on ng11 from any to any keep state
@46 pass in log quick on ng12 from any to any keep state
@47 pass in log quick on ng13 from any to any keep state
@48 pass in log quick on ng14 from any to any keep state
@49 pass in log quick on ng15 from any to any keep state
@50 pass in log quick on ng16 from any to any keep state
@51 block in log quick from any to any

Does that help explain the rules in my m0n0?

Joe

On Sat, 10 Jul 2004 16:37:13 +0800 (MYT), Dinesh Nair <dinesh at alphaque dot com> wrote:
>
> On Sat, 10 Jul 2004, Joe Lagreca wrote:
>
> > be the "everything is denied unless explicitly stated" rule only applies
> > to the WAN?
>
> no, it applies to all interfaces. the only diff is the LAN interface has
> an additional rule which explicitly allows all clients to connect to the
> m0n0wall webGUI from the LAN.
>
> perhaps posting the ipfstat -nio section from status.php would help better
> in knowing exactly what rules are there in your running m0n0wall.
>
>
> Regards,                           /\_/\   "All dogs go to heaven."
> dinesh at alphaque dot com         (0 0)    http://www.alphaque.com/
> +==========================----oOO--(_)--OOo----==========================+
> | for a in past present future; do                                        |
> |   for b in clients employers associates relatives neighbours pets; do   |
> |     echo "The opinions here in no way reflect the opinions of my $a $b." |
> |   done; done                                                            |
> +=========================================================================+
>
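To see where the "everything is denied unless explicitly stated" rule actually lands on each interface, here is an added Python example that traces constructed packets through an excerpt of the inbound rules from the dump above. This is not m0n0wall or ipfilter code: the evaluator is a simplified model of ipf semantics (rules scanned in order, last match wins unless the match is "quick", "skip N" skips the next N rules, a "head G" rule that matches hands the packet to the rules tagged "group G" and falls back to its own action if none of them decides), it keeps no state table, so every packet is judged as a fresh packet, and the hosts in the sample packets (192.168.0.10, 203.0.113.5, 10.1.2.3, 192.168.5.20, 198.51.100.9, 192.168.1.7) are assumptions rather than addresses from the post.

```python
"""Trace packets through an excerpt of the inbound ipf rules in the
ipfstat -nio dump above.  Simplified model of ipfilter semantics (an
assumption of this example, not ipfilter's own code): last match wins
unless 'quick'; 'skip N' skips N rules; a matching 'head G' rule runs the
'group G' rules and applies its own action if none of them decides; no
state table, so each packet is evaluated as a first packet."""
import ipaddress

# Excerpt of the inbound rules from the dump, in original order.  Rules left
# out are never targets of a 'skip', so every skip still lands on its rule.
RULES_TEXT = """\
pass in quick on lo0 from any to any
block in log quick from any to any with short
skip 2 in on xl0 from 192.168.1.0/24 to any
skip 1 in on xl0 from 192.168.0.0/24 to any
block in log quick on xl0 from any to any
skip 1 in on xl1 from 192.168.5.0/24 to any
block in log quick on xl1 from any to any
block in log quick on dc0 from 10.0.0.0/8 to any
block in log quick on dc0 from 192.168.0.0/16 to any
skip 1 in proto tcp from any to any flags S/FSRA
block in log quick proto tcp from any to any
block in log quick on xl0 from any to any head 100
pass in quick from 192.168.0.0/24 to 192.168.0.1/32 keep state group 100
pass in quick from 192.168.0.0/24 to any keep state group 100
block in log quick on dc0 from any to any head 200
pass in log quick proto tcp from any to 192.168.0.1/32 port = 443 keep state group 200
pass in log quick proto tcp from any to 192.168.0.50/32 port = 22 keep state group 200
block in log quick on xl1 from any to any head 300
pass in quick from 192.168.5.0/24 to !192.168.0.0/24 keep state group 300
block in log quick from any to any
"""


def parse_rule(line):
    """Parse one ipfstat-style rule line into a dict of match fields."""
    t = line.split()
    r = {"text": line, "action": t[0], "skip": 0, "dir": None, "quick": False,
         "iface": None, "proto": None, "src": "any", "sport": None, "dst": "any",
         "dport": None, "flags": None, "with": None, "head": None, "group": None}
    i = 1
    if r["action"] == "skip":
        r["skip"] = int(t[i]); i += 1
    r["dir"] = t[i]; i += 1
    while i < len(t):
        w = t[i]
        if w in ("log", "keep", "state"):
            i += 1
        elif w == "quick":
            r["quick"] = True; i += 1
        elif w in ("on", "proto", "flags", "with", "head", "group"):
            r["iface" if w == "on" else w] = t[i + 1]; i += 2
        elif w in ("from", "to"):
            addr, port = ("src", "sport") if w == "from" else ("dst", "dport")
            r[addr] = t[i + 1]; i += 2
            if i < len(t) and t[i] == "port":      # only 'port = N' occurs in the dump
                r[port] = int(t[i + 2]); i += 3
        else:
            raise ValueError("unsupported token %r in %r" % (w, line))
    return r


def addr_match(spec, ip):
    """'any', a CIDR, or a negated CIDR such as !192.168.0.0/24."""
    if spec == "any":
        return True
    neg = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != neg


def matches(r, p):
    """Does rule r match packet p (dict: dir, iface, proto, src, dst, sport, dport, flags)?"""
    if r["dir"] != p["dir"] or r["with"] is not None:   # 'with short/ipopt': malformed only
        return False
    if r["iface"] is not None and r["iface"] != p["iface"]:
        return False
    if r["proto"] is not None and r["proto"] != p["proto"]:
        return False
    if not addr_match(r["src"], p["src"]) or not addr_match(r["dst"], p["dst"]):
        return False
    if r["sport"] is not None and r["sport"] != p.get("sport"):
        return False
    if r["dport"] is not None and r["dport"] != p.get("dport"):
        return False
    if r["flags"] is not None:           # 'S/FSRA': of the flags in the mask, exactly S is set
        want, mask = r["flags"].split("/")
        if p["proto"] != "tcp" or set(p.get("flags", "")) & set(mask) != set(want):
            return False
    return True


def evaluate(rules, p):
    """Return (decision, text of the deciding rule) for packet p."""
    groups = {}
    for r in rules:
        if r["group"] is not None:
            groups.setdefault(r["group"], []).append(r)

    def run(rule_list):
        last, i = None, 0
        while i < len(rule_list):
            r = rule_list[i]; i += 1
            if not matches(r, p):
                continue
            if r["action"] == "skip":
                i += r["skip"]; continue
            if r["head"] is not None:
                g = run(groups.get(r["head"], []))
                if g is not None:                # a group rule decided
                    last = g
                    if g[2]:
                        return g
                    continue
            last = (r["action"], r["text"], r["quick"])   # plain rule, or head with no group match
            if r["quick"]:
                return last
        return last

    res = run([r for r in rules if r["group"] is None])
    return ("block", "no rule matched") if res is None else (res[0], res[1])


RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]


def decide(iface, proto, src, dst, dport=None, flags="", sport=None):
    """Evaluate one constructed inbound packet against the excerpt."""
    return evaluate(RULES, {"dir": "in", "iface": iface, "proto": proto, "src": src,
                            "dst": dst, "sport": sport, "dport": dport, "flags": flags})


if __name__ == "__main__":
    # Constructed packets (assumed hosts, not from the dump).
    for args in [("xl0", "tcp", "192.168.0.10", "192.168.0.1", 443, "S"),   # LAN -> webGUI: pass
                 ("dc0", "tcp", "203.0.113.5", "192.168.0.50", 22, "S"),    # WAN -> allowed ssh: pass
                 ("dc0", "tcp", "203.0.113.5", "192.168.0.50", 23, "S"),    # WAN, no rule: head 200 blocks
                 ("dc0", "tcp", "203.0.113.5", "192.168.0.50", 22, "A"),    # non-SYN, no state: block
                 ("dc0", "udp", "10.1.2.3", "192.168.0.1", 53),             # spoofed private src: block
                 ("xl1", "tcp", "192.168.5.20", "192.168.0.50", 22, "S"),   # OPT -> LAN: head 300 blocks
                 ("xl1", "udp", "192.168.5.20", "198.51.100.9", 53),        # OPT -> Internet: pass
                 ("xl0", "tcp", "192.168.1.7", "192.168.0.1", 443, "S")]:   # past anti-spoof, not in group 100
        print(args, "->", decide(*args))
```

The last packet is the instructive one: a 192.168.1.0/24 source on xl0 gets past the anti-spoof "skip 2", but nothing in group 100 passes it, so the head rule's own block decides. That is the per-interface default deny Dinesh describes, and it sits in front of the global "@51 block in log quick from any to any".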