[ previous ] [ next ] [ threads ]
 
 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Traffic rules not working?
 Date:  Fri, 30 Jul 2004 10:48:20 +0100
> I have 3 interfaces.  LAN, WAN and OPT1.  I set the rules to 
> "Block anything from anywhere to anywhere" on OPT1... but 
> when I ping a PC from a PC on the LAN interface, somehow the 
> ICMP reply packets are getting through... if I said to block 
> all traffic coming in OPT1, shouldn't it block that?

I have a similar situation. I have OPT1 connected to a wireless access
point, and wireless clients in turn connected to that. I have rules to only
allow DNS and PPTP access to the m0n0wall from OPT1, and deny everything
else.

However, connections from LAN -> OPT1 seem to continue to work fine, even
things like VNC. As it happens I find this quite useful - LAN can access
OPT1, but not vice-versa. But if you wanted to prevent it, I guess you'd
want a LAN rule denying all traffic with a destination of "OPT1 subnet".

> Also, how can I create a rule that says "Block this PC from 
> the LAN to getting on the Internet".  I can create a rule 
> that blocks them from getting to the "LAN Subnet" or the 
> "OPT1 Subnet"... but there doesn't seem to be a way to block 
> them from going out the WAN interface.

I would also be interested in this. Perhaps an extra option under interface
choices or a predefined alias called "m0n0wall" or something like that.
It'd be good if one could define an alias to encompass all m0n0's Ips (bear
in mind there are 3 of them - WAN, LAN and OPT1).  At the moment, my OPT1
PPTP rule has to be repeated twice, since someone could connect either to
the LAN IP or the OPT1 IP, equally successfully.

Regards,

Chris
-- 
C.M. Bagnall, Partner, Minotaur
Tel: (07010) 710715   Mobile: (07811) 332969
ICQ: 13350579   AIM: MinotaurUK   MSN: minotauruk at hotmail dot com   Y!:
Minotaur_Chris
This email is made from 100% recycled electrons