[ previous ] [ next ] [ threads ]
 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Questions to the Firewall / NAT
 Date:  Mon, 2 Aug 2004 15:36:30 +0100
> I know, this questions may be lame from your point of view, 
> but please answer. 

Well, you did only send your original message some 14 hours ago... remember
not everyone is on the same timezone. :-)

> 1. Default Block Rule?
> Do I need to set up a default rule, saying to block 
> everything? I´m just asking because in the help text is a 
> comment like " everything is blocked by default". This brings 
> me to my next question:

You do not need a default block rule. Everything that is not specifically
allowed is blocked, with (as I understand it) 1 exception: from the LAN to
m0n0wall - to prevent you from locking yourself out of the web config.

> 2. Order of Firewall Rules:
> Is it correct that, I set up exclusions, may be things to be 
> passed first, let´s say a web server listening on port 80 and 
> then the default block rule?

The rules are executed in the order they are listed, be they block, reject
or pass rules. Personally, if I'm doing an "allow all" rule, I'd want to do
any specific blocking before it (because if "allow all" is first, nothing
else will ever be seen).

> 3. Firewall Rule / NAT Issue:
> If i have a service on my LAN, let´s say Azureus, how is the 
> correct procedure? First i add a firewall rule pointing on my 
> LAN Server with Azureus on Port 6881, Source Any, Port any. 
> Next I think i have to add NAT Rules, but i´m not sure which. 
> can anybody help me with that? Thanks :-)

Add a NAT rule from 6881-6889 to point at your box running Azureus. There's
a nice little checkbox at the bottom called "create firewall rule", which
will automatically create the appropriate firewall rule.

> 4. Firewall Rules operation:
> How does the Firewall read the defined rules. Does it read 
> the rules from beginning to the end and the first rule 
> matching is the correct to handle the packets?


> 5. Keep State
> Are every rules set with the Keep State flag?
> Does this mean that if i set a rule that everyone one the LAN 
> can access the Internet over the WAN interface, but set a 
> rule on it to block everything, they can still surf?

I have no idea what you're trying to do here I'm afraid.


C.M. Bagnall, Partner, Minotaur
Tel: (07010) 710715   Mobile: (07811) 332969
ICQ: 13350579   AIM: MinotaurUK   MSN: minotauruk at hotmail dot com   Y!:
This email is made from 100% recycled electrons