On Sun, 1 Aug 2004, Bosse Timothy wrote:
> Jon: The rule should reside on the WAN interface as m0n0wall manages
> all of its interfaces.
The problem is that the *real* rules are currently set up to do filtering
only on the incoming side of the various interfaces. That's fine for
controlling LAN-originated outbound traffic, since it's caught as it
arrives from the LAN, but doesn't help when the firewall itself is the
source. Hence his original question.
> Fred: Wouldn't it be reasonable for m0n0wall to generate traffic if
> it's using the firmware version checker (only started from the firmware
> admin page), or if you were downloading the latest version of the
> firmware (again, must be accessing admin pages)?
I said "on its own". :-) If you take some action to *cause* it to make an
outbound connection, then why would you want to block it?
> Both: There should still be major concern if there is any amount of
> traffic flowing that isn't started by the user (administrator/owner).
And again, if the firewall is really doing that, I wouldn't trust its own
filter as a remedy.