 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Outbound Rules
 Date:  Sun, 1 Aug 2004 19:07:28 -0700 (PDT)
On Sun, 1 Aug 2004, Bosse Timothy wrote:

> Jon:  The rule should reside on the WAN interface as m0n0wall manages
> all of its interfaces.

The problem is that the *real* rules are currently set up to do filtering
only on the incoming side of the various interfaces.  That's fine for
controlling LAN-originated outbound traffic, since it's caught as it
arrives from the LAN, but doesn't help when the firewall itself is the
source.  Hence his original question.

> Fred:  Wouldn't it be reasonable for m0n0wall to generate traffic if
> it's using the firmware version checker (only started from the firmware
> admin page), or if you were downloading the latest version of the
> firmware (again, must be accessing admin pages)?

I said "on its own". :-) If you take some action to *cause* it to make an
outbound connection, then why would you want to block it?

> Both:  There should still be major concern if there is any amount of
> traffic flowing that isn't started by the user (administrator/owner).

And again, if the firewall is really doing that, I wouldn't trust its own
filter as a remedy.

					Fred Wright
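
[Editor's note, not part of the original message.] The direction point Fred makes above is easiest to see in the packet filter's own rule syntax. The fragment below is a constructed ipfilter (ipf) ruleset written for this page to illustrate the argument; it is not m0n0wall's generated ruleset. It assumes ipfilter as the underlying filter, sis0 as the WAN interface with address 203.0.113.2, and sis1 as the LAN interface on 192.168.1.0/24.

```text
# Constructed ipf example, not m0n0wall's own rules. Interface names
# (sis0 = WAN, sis1 = LAN) and addresses are assumed for illustration.

# Rules of the kind described in the thread: filtering only on the
# inbound side of each interface. LAN-originated traffic is caught here
# as it arrives from the LAN, so a LAN outbound policy works fine.
block in log quick on sis1 proto tcp from 192.168.1.0/24 to any port = 25 flags S
pass  in quick on sis1 from 192.168.1.0/24 to any keep state

# Inbound on WAN: nothing unsolicited. Return traffic for LAN
# connections is admitted by the state entries created above, and ipf
# consults the state table before the rule list, so those flows are
# not affected by any outbound rule on sis0 either.
block in log quick on sis0 all

# A connection the firewall itself opens never arrives "in" on any
# interface; the first place a filter can see it is "out" on sis0.
# Only an outbound rule on the WAN side can control that traffic,
# which is why inbound-only rules do not answer the original question.
block out log quick on sis0 proto tcp from 203.0.113.2 to any port = 25 flags S
pass  out quick on sis0 from 203.0.113.2 to any keep state
```

The last two rules are the part the inbound-only model lacks: without a `block out ... on sis0` rule, firewall-originated packets are never compared against anything. Fred's caveat still stands, though: if a firewall is generating traffic on its own, a rule in that same firewall is not a remedy you should be relying on.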