 From:  "Jon Tackabury" <jtackabury at binaryfortress dot com>
 To:  "'Fred Wright'" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Outbound Rules
 Date:  Mon, 2 Aug 2004 00:40:16 -0400
Good point... I shouldn't need to block any traffic that monowall generates.
It should be ok.


-----Original Message-----
From: Fred Wright [mailto:fw at well dot com] 
Sent: Sunday, August 01, 2004 10:07 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] Outbound Rules

On Sun, 1 Aug 2004, Bosse Timothy wrote:

> Jon:  The rule should reside on the WAN interface as m0n0wall manages 
> all of its interfaces.

The problem is that the *real* rules are currently set up to do filtering
only on the incoming side of the various interfaces.  That's fine for
controlling LAN-originated outbound traffic, since it's caught as it arrives
from the LAN, but doesn't help when the firewall itself is the source.
Hence his original question.

> Fred:  Wouldn't it be reasonable for m0n0wall to generate traffic if 
> it's using the firmware version checker (only started from the 
> firmware admin page), or if you were downloading the latest version of 
> the firmware (again, must be accessing admin pages)?

I said "on its own". :-) If you take some action to *cause* it to make an
outbound connection, then why would you want to block it?

> Both:  There should still be major concern if there is any amount of 
> traffic flowing that isn't started by the user (administrator/owner).

And again, if the firewall is really doing that, I wouldn't trust its own
filter as a remedy.

					Fred Wright
