On Mon, 2 Aug 2004, Chris Bagnall wrote:
> > I know, these questions may be lame from your point of view,
> > but please answer.
> Well, you did only send your original message some 14 hours ago... remember
> not everyone is on the same timezone. :-)
And some of us have other things to do besides constantly monitoring email
for questions to answer. :-)
> > 1. Default Block Rule?
> > Do I need to set up a default rule, saying to block
> > comment like " everything is blocked by default". This brings
> > me to my next question:
> You do not need a default block rule. Everything that is not specifically
> allowed is blocked, with (as I understand it) 1 exception: from the LAN to
> m0n0wall - to prevent you from locking yourself out of the web config.
It depends on what level of "default" you're talking about. :-)
*Internally* there's a default block policy, but the default config
includes a "pass all from LAN" rule which is the right thing for the most
common case where you want to allow unrestricted outbound
connections. *That* rule is a visible part of the GUI config, and can be
deleted, modified, or overridden by earlier rules as desired.
> > 5. Keep State
> > Is every rule set with the Keep State flag?
> > Does this mean that if I set a rule that everyone on the LAN
> > can access the Internet over the WAN interface, but set a
> > rule on it to block everything, they can still surf?
If I understand the question correctly, then yes. The idea of the
stateful filtering is that the rules are only applied to the packet that
initiates the connection. If that packet is allowed, then it creates a
state entry that passes all additional packets associated with the same
connection, regardless of any other rules. So in effect, "blocking all
inbound TCP" really means blocking all inbound TCP *connections* not
blocking all inbound TCP *packets*.
On Tue, 3 Aug 2004, Dinesh Nair wrote:
> Yes, the keep state flag is set. This actually makes a rule check faster,
> as all stateful rules are checked first before the rules you configure are
> checked for each packet.
Well, I'm not convinced that adding additional checks on sequence numbers
makes the rule check faster. :-)
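The stateful-filtering behaviour described in the reply above (state table consulted before the rule list, so "block all inbound TCP" blocks connections rather than packets) can be made concrete with a small simulator. This is an added example written for this thread, not m0n0wall or pf code; it assumes a simplified first-match rule model with an implicit default block, treats a TCP pass rule as applying only to the connection-opening packet (modelled on pf's `flags S/SA` convention), and uses constructed addresses and ports.

```python
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "lan" or "wan"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the packet that opens a TCP connection


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    iface: Optional[str] = None     # None matches any interface
    proto: Optional[str] = None     # None matches any protocol
    src_net: Optional[str] = None   # crude prefix match, e.g. "192.168.1."
    keep_state: bool = True         # the thread says every rule keeps state

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src_net is None or p.src.startswith(self.src_net)))


FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.states: Set[FlowKey] = set()   # keyed by the initiating direction

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. State table first: a packet belonging to an existing flow, in
        #    either direction, passes without the rule list being consulted.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass (state)"
        # 2. Otherwise the first matching rule decides; no match means block.
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action != "pass":
                return "block (rule)"
            # Assumption modelled on pf's "flags S/SA": a stateful TCP pass
            # rule only applies to connection-opening packets, so a stray
            # mid-stream packet with no state falls through to the default.
            if p.proto == "tcp" and rule.keep_state and not p.syn:
                continue
            if rule.keep_state:
                self.states.add(self._key(p))
            return "pass (rule)"
        return "block (default)"


def scenario() -> dict:
    """Walk through the questions in the thread with constructed packets."""
    lan_host, web = "192.168.1.10", "203.0.113.5"      # constructed addresses
    fw = StatefulFilter([Rule("pass", iface="lan", src_net="192.168.1.")])
    out = {}
    syn = Packet("lan", "tcp", lan_host, 40000, web, 80, syn=True)
    out["outbound_syn"] = fw.filter(syn)                       # pass (rule)
    reply = Packet("wan", "tcp", web, 80, lan_host, 40000)
    out["reply_from_wan"] = fw.filter(reply)                   # pass (state)
    probe = Packet("wan", "tcp", "198.51.100.7", 5555, lan_host, 22, syn=True)
    out["unsolicited_inbound"] = fw.filter(probe)              # block (default)
    stray = Packet("lan", "tcp", lan_host, 40002, web, 80)     # no SYN, no state
    out["stray_ack_no_state"] = fw.filter(stray)               # block (default)
    # The admin now puts a "block everything" rule ahead of the pass rule.
    fw.rules.insert(0, Rule("block"))
    data = Packet("lan", "tcp", lan_host, 40000, web, 80)
    out["established_after_block"] = fw.filter(data)           # pass (state)
    new_syn = Packet("lan", "tcp", lan_host, 40001, web, 80, syn=True)
    out["new_conn_after_block"] = fw.filter(new_syn)           # block (rule)
    return out


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:26} -> {verdict}")
```

The `reply_from_wan` case is the one that answers the original question: no WAN rule exists at all, yet the server's reply passes because the outbound SYN created state. The `established_after_block` case shows why inserting a block rule does not cut existing sessions, and `new_conn_after_block` shows that only new connections are affected.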