 From:  Josh <josh at nemesis dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Multiple OPT Firewall rulesets? Feature requests
 Date:  Sun, 26 Sep 2004 01:19:54 -0700
Hi all-

I'm a bit confused about how the firewall rulesets are implemented
for multiple OPT interfaces.

Specifically - for the destination side of the firewall rules -
there is no way to select 'WAN' -- unless 'any' really does
just mean WAN and does not include the various OPT networks (this
was implied/stated in at least one list email, but I cannot
confirm it).

If 'any' really means 'WAN', it seems that should be renamed to
make it clear that OPT rules are needed. If 'any' means any, I really
could use a 'WAN' destination option.

This seems critical for significant use of the VLAN feature
to get multiple discrete secure zones (i.e., set up outbound
rules for OPT1 that do not become inbound holes into OPT2 because
of the 'any'). Useful for getting full isolation between
different DMZ servers/services - or different managed firewall
customers in an ISP environment.

Also - I have a question about IP spoof checking. Are packets'
source addresses checked against the m0n0's route table to
detect spoofed addresses?

This would obviously only be for routed interfaces, as I see nowhere
to define host lists in a bridge setup (i.e., the 'transparent'
bridging firewalls I've used make you specify which subnets
are on which interfaces - and which hosts are on the local subnet).
I'd love to see that done as well on m0n0 - but that seems like
a lot to cram into its very elegant interface to get the spoof


-josh bardt
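The two concerns in the post above, an 'any' destination that silently covers the other OPT subnets and a reverse-path check of source addresses against the route table, are easy to see in a small model of first-match rule evaluation. The following is an added example, not code from the post or from m0n0wall; it models the generic behaviour of a first-match packet filter (in which 'any' means every destination, whether m0n0wall's GUI does the same is exactly the open question). The interface names, subnets, rule syntax and the 'WAN' destination selector are assumptions for illustration.

```python
"""
Added example (not from the original post or from m0n0wall): a small
model of first-match firewall rule evaluation over multiple interfaces.
It shows why a "pass OPT1 -> any" rule also admits traffic into other
OPT subnets, how explicit block rules (or a WAN-interface destination)
close that hole, and how a reverse-path (anti-spoof) check against the
routing table rejects packets whose source does not belong on the
interface they arrived on. Addresses, interface names and rule syntax
are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed routing table: interface -> directly connected subnet.
# Anything not listed is reached via WAN (the default route).
ROUTES = {
    "LAN":  ip_network("192.168.1.0/24"),
    "OPT1": ip_network("10.10.1.0/24"),
    "OPT2": ip_network("10.10.2.0/24"),
}
WAN_IF = "WAN"


def egress_interface(addr):
    """Route lookup: the interface through which an address is reached."""
    for ifname, net in ROUTES.items():
        if ip_address(addr) in net:
            return ifname
    return WAN_IF


def reverse_path_ok(ingress, src):
    """Strict reverse-path check: the source must be routed back out the
    interface it arrived on. On WAN this rejects any internal source."""
    return egress_interface(src) == ingress


def dst_matches(selector, dst):
    """Destination selector: 'any' matches everything, an interface name
    matches traffic routed out that interface, an ip_network matches by
    destination address (hypothetical selector model)."""
    if selector == "any":
        return True
    if isinstance(selector, str):
        return egress_interface(dst) == selector
    return ip_address(dst) in selector


def evaluate(rules, ingress, src, dst, check_spoof=True):
    """First-match evaluation with default deny.
    Returns 'pass', 'block' or 'spoof' (rejected by the reverse-path check
    before any rule is consulted)."""
    if check_spoof and not reverse_path_ok(ingress, src):
        return "spoof"
    for action, rule_if, selector in rules:
        if rule_if == ingress and dst_matches(selector, dst):
            return action
    return "block"


# Naive OPT1 ruleset: "let OPT1 out to anywhere".
NAIVE_OPT1 = [("pass", "OPT1", "any")]

# Isolated OPT1 ruleset: block the other internal zones first, then pass.
ISOLATED_OPT1 = [
    ("block", "OPT1", ROUTES["LAN"]),
    ("block", "OPT1", ROUTES["OPT2"]),
    ("pass",  "OPT1", "any"),
]

# Same intent expressed with a 'WAN' destination selector, as the post asks for.
WAN_ONLY_OPT1 = [("pass", "OPT1", WAN_IF)]


if __name__ == "__main__":
    cases = [
        ("OPT1", "10.10.1.5", "10.10.2.5"),    # OPT1 host -> OPT2 host
        ("OPT1", "10.10.1.5", "203.0.113.9"),  # OPT1 host -> Internet
        ("OPT1", "10.10.2.7", "203.0.113.9"),  # OPT2 source arriving on OPT1
        ("WAN",  "192.168.1.10", "203.0.113.9"),  # LAN source arriving on WAN
    ]
    for name, rules in (("naive", NAIVE_OPT1), ("isolated", ISOLATED_OPT1),
                        ("wan-only", WAN_ONLY_OPT1)):
        for ingress, src, dst in cases:
            print(f"{name:9s} {ingress:4s} {src:>13s} -> {dst:13s} "
                  f"{evaluate(rules, ingress, src, dst)}")
```

The naive ruleset passes OPT1 to OPT2 because 'any' includes the OPT2 subnet; the other two rulesets block it while still passing Internet-bound traffic. The reverse-path check runs before the rules, so a packet claiming an OPT2 source on OPT1 is dropped regardless of the ruleset; with `check_spoof=False` the naive ruleset would pass it.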