 From:  Jukka Salmi <j+m0n0wall at 2004 dot salmi dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  "Bruce A. Mah" <bmah at acm dot org>
 Subject:  Re: [m0n0wall] interfering filter rule
 Date:  Fri, 23 Jul 2004 17:55:45 +0200

Bruce A. Mah --> m0n0wall (2004-07-23 08:03:03 -0700):
> For future reference:  It took me a while to figure out that the above
> means that m0n0-gw's WAN interface is v.w.x.y./z and everything to the
> right is supposed to be a part of  At first I thought
> the vertical line was another network.

Indeed, you're right. That was a bad choice for separator characters.
But you interpreted it correctly.

> <speculation>
> If OPT1 is the unnumbered bridge interface, the rules generator might be
> trying to generate the anti-spoofing rules corresponding to the other
> side of the bridge (the LAN interface).  This would be consistent with
> the rule you showed above.

That makes sense. I should probably read the code of the rule

> So one thing to try might be to reconfigure m0n0-br with a WAN interface
> facing towards m0n0-gw and its OPT1 interface facing towards your LAN. 
> Bridge the OPT1 interface to the WAN.
> </speculation>

I'll try that, thanks for the hint.

However, AFAICT the m0n0wall GUI won't let me set up the WAN interface
without an IP address (except if I configured it to use DHCP and
there's no dhcpd, but that's not very nice...); on the other hand
I could use an IP address on the LAN side (to access webGUI). So
maybe I'll try it the other way round: WAN interface towards LAN,
and OPT1 (bridged with WAN) towards the real gateway.

But first of all, I'll read the code...

Thanks for your help!

Cheers, Jukka

bashian roulette:
$ ((RANDOM%6)) || rm -rf ~