I've been doing a little more checking on the system and have found a few peculiar things. Any rules that I have added to my Rules section in the webGUI don't seem to be making it to the ipfw rules list at all (ipfw -d list pasted at bottom). The rules that I don't see there are, for example:

---
Proto: * Source: 192.168.8.2 Port: * Destination: 192.168.7.5 Port: *
---
Proto: TCP Source: LAN net Port: * Destination: LAN2 net Port: *
---

Also of possible interest are two rules in the ipfw rule list:

"01001 allow ip from any to any layer2 not via rl0"

It does not show up in the rules page at all, and from what I make of it, it basically means that any traffic going from anywhere to anywhere, as long as it isn't rl0 (which is my WAN interface), will be allowed unconditionally. The fact that it is the second rule in the list leads me to believe it is nullifying anything else I try to add in to manage my local LAN. I have no experience whatsoever in reading IPFW rulesets, so if someone could give me a little insight on this, whether I've found something, or a possible cure to my problem, it would be greatly appreciated! Also, I have disabled the anti-lockout rule on the advanced page in case that is what is causing my problem, but that didn't solve anything.
$ ipfw -d list
01000 skipto 50000 ip from any to any not layer2 not via rl0
01001 allow ip from any to any layer2 not via rl0
01100 allow ip from any to any layer2 mac-type 0x0806
01101 deny ip from any to any layer2 not mac-type 0x0800
01102 skipto 20000 ip from any to any layer2
01200 allow udp from any 68 to 255.255.255.255 dst-port 67 in
01201 allow udp from any 68 to 192.168.8.1 dst-port 67 in
01202 allow udp from 192.168.8.1 67 to any dst-port 68 out
01203 allow icmp from 192.168.8.1 to any out icmptypes 8
01204 allow icmp from any to 192.168.8.1 in icmptypes 0
01300 allow udp from any to 192.168.8.1 dst-port 53 in
01301 allow udp from 192.168.8.1 53 to any out
01302 allow tcp from any to 192.168.8.1 dst-port 8000 in
01303 allow tcp from 192.168.8.1 8000 to any out
01304 allow tcp from any to 192.168.8.1 dst-port 8001 in
01305 allow tcp from 192.168.8.1 8001 to any out
10000 skipto 50000 ip from any to 192.168.8.1 in
10000 skipto 50000 ip from 192.168.8.1 to any out
10001 skipto 50000 ip from any to 192.168.7.1 in
10001 skipto 50000 ip from 192.168.7.1 to any out
10002 skipto 50000 ip from 192.168.8.2 to any in
10002 skipto 50000 ip from any to 192.168.8.2 out
19900 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19901 allow tcp from any 80 to any out
19902 deny ip from any to any
20002 deny ip from 192.168.8.2 not MAC any 00:0c:f1:08:97:48 any layer2 in
20002 deny ip from any to 192.168.8.2 not MAC 00:0c:f1:08:97:48 any layer2 out
29900 allow ip from any to any layer2
50000 allow ip from 192.168.7.1 to any
50001 allow ip from any to 192.168.7.1
50002 pipe 1 tcp from 192.168.7.0/24 9180 to not 213.112.232.21 out via ng0
50003 pipe 1 tcp from 192.168.7.0/24 1757 to not 213.112.232.21 out via ng0
50004 pipe 2 tcp from 192.168.7.3 80 to any out via ng0
65535 allow ip from any to any

-- // Ziekke
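An added worked example, not part of the original post and not the poster's code: a small Python first-match simulator for the ruleset pasted above. ipfw walks rules in number order, the first matching allow, deny, pipe or fwd ends the walk, and skipto N continues at the first rule numbered N or higher; the `layer2` option matches only frames handed to ipfw from the Ethernet layer, `via` matches an interface in either direction, and `ip` as the protocol matches everything. The parser covers exactly the syntax that appears in the list (skipto, in/out, via, layer2, dst-port, mac-type, MAC, icmptypes, positional source ports, `not` on addresses and options). The ruleset is the post's list with the DHCP, ICMP, DNS and portal-port rules 01200 to 01305 left out, since none of the traced packets reaches them; the packets and the LAN interface name `sis0` are constructed assumptions. Tracing the LAN-to-LAN2 flow from the post shows that at the IP layer rule 01000 already jumps anything not via rl0 to 50000, so rule 01001 is only ever consulted for Ethernet-layer frames and cannot be what swallows rules in the 1001 to 49999 range.

```python
import ipaddress
# The poster's ruleset from the `ipfw -d list` output above, one rule per line. The DHCP,
# ICMP, DNS and portal-port rules 01200-01305 are left out: no traced packet reaches them.
RULESET = """\
01000 skipto 50000 ip from any to any not layer2 not via rl0
01001 allow ip from any to any layer2 not via rl0
01100 allow ip from any to any layer2 mac-type 0x0806
01101 deny ip from any to any layer2 not mac-type 0x0800
01102 skipto 20000 ip from any to any layer2
10000 skipto 50000 ip from any to 192.168.8.1 in
10000 skipto 50000 ip from 192.168.8.1 to any out
10001 skipto 50000 ip from any to 192.168.7.1 in
10001 skipto 50000 ip from 192.168.7.1 to any out
10002 skipto 50000 ip from 192.168.8.2 to any in
10002 skipto 50000 ip from any to 192.168.8.2 out
19900 fwd 127.0.0.1,8000 tcp from any to any dst-port 80 in
19901 allow tcp from any 80 to any out
19902 deny ip from any to any
20002 deny ip from 192.168.8.2 not MAC any 00:0c:f1:08:97:48 any layer2 in
20002 deny ip from any to 192.168.8.2 not MAC 00:0c:f1:08:97:48 any layer2 out
29900 allow ip from any to any layer2
50000 allow ip from 192.168.7.1 to any
50001 allow ip from any to 192.168.7.1
50002 pipe 1 tcp from 192.168.7.0/24 9180 to not 213.112.232.21 out via ng0
50003 pipe 1 tcp from 192.168.7.0/24 1757 to not 213.112.232.21 out via ng0
50004 pipe 2 tcp from 192.168.7.3 80 to any out via ng0
65535 allow ip from any to any
"""
# Options that take arguments (MAC takes dst-mac then src-mac); all others are bare flags.
OPT_ARGS = {"via": 1, "dst-port": 1, "mac-type": 1, "icmptypes": 1, "MAC": 2}

def _addr(tok, i):
    """Parse `[not] any|host|net [port]` starting at tok[i]; return (spec, next index)."""
    neg = tok[i] == "not"
    i += neg
    net = None if tok[i] == "any" else ipaddress.ip_network(tok[i], strict=False)
    port = tok[i + 1] if i + 1 < len(tok) and tok[i + 1].isdigit() else None
    return (neg, net, port), i + 1 + (port is not None)

def parse_rule(line):
    tok = line.split()
    num, action, i = int(tok[0]), tok[1], 2
    arg = None
    if action in ("skipto", "pipe", "fwd"):
        arg, i = tok[i], i + 1
    proto = tok[i]                         # tok[i + 1] is the literal "from"
    src, i = _addr(tok, i + 2)
    dst, opts = (False, None, None), []    # default destination: any
    while i < len(tok):
        if tok[i] == "to":
            dst, i = _addr(tok, i + 1)
        elif tok[i] == "any":              # the MAC rule is printed without "to"; bare "any" is its dst
            i += 1
        else:
            neg = tok[i] == "not"
            name, n = tok[i + neg], OPT_ARGS.get(tok[i + neg], 0)
            opts.append((neg, name, tuple(tok[i + neg + 1:i + neg + 1 + n])))
            i += neg + 1 + n
    return dict(num=num, action=action, arg=arg, proto=proto, src=src, dst=dst, opts=opts)

def _opt_ok(p, name, a):
    """One rule option in its positive sense; the caller applies a leading `not`."""
    checks = {"in": lambda: p["dir"] == "in", "out": lambda: p["dir"] == "out",
              "layer2": lambda: p["layer2"], "via": lambda: p["iface"] == a[0],
              "dst-port": lambda: str(p.get("dport")) == a[0],
              "mac-type": lambda: p.get("mac_type") == int(a[0], 16),
              "icmptypes": lambda: str(p.get("icmp_type")) == a[0],
              "MAC": lambda: all(x in ("any", p.get(k)) for x, k in zip(a, ("dmac", "smac")))}
    return checks[name]() if name in checks else False   # unmodelled options never match

def matches(rule, p):
    def addr_ok(spec, ip, port):
        neg, net, rport = spec
        return ((net is None or ipaddress.ip_address(ip) in net) != neg) and rport in (None, str(port))
    return (rule["proto"] in ("ip", p["proto"])
            and addr_ok(rule["src"], p["src"], p.get("sport"))
            and addr_ok(rule["dst"], p["dst"], p.get("dport"))
            and all(_opt_ok(p, name, a) != neg for neg, name, a in rule["opts"]))

def evaluate(rules, p):
    """Walk the rules in number order; return (action, argument, numbers of the rules hit)."""
    i, hits = 0, []
    while True:                            # the default rule 65535 always matches
        r = rules[i]
        if not matches(r, p):
            i += 1
            continue
        hits.append(r["num"])
        if r["action"] != "skipto":        # allow/deny/pipe/fwd end the walk (one_pass=1 behaviour)
            return r["action"], r["arg"], hits
        i = next(j for j, x in enumerate(rules) if x["num"] >= int(r["arg"]))

RULES = [parse_rule(ln) for ln in RULESET.splitlines()]
# Constructed packets, not from the post; "sis0" is an assumed name for the LAN interface.
IP_PKT = dict(proto="tcp", src="192.168.8.2", dst="192.168.7.5", sport=40000, dport=22,
              dir="in", iface="sis0", layer2=False)                  # LAN -> LAN2 at the IP layer
L2_FRAME = dict(IP_PKT, layer2=True, mac_type=0x0800,
                smac="00:0c:f1:08:97:48", dmac="00:00:00:00:00:02")  # the same flow as an Ethernet frame
NON_IP_WAN_FRAME = dict(proto="ip", src="0.0.0.0", dst="0.0.0.0", dir="in", iface="rl0",
                        layer2=True, mac_type=0x86DD)                # non-IP frame on rl0, zero addresses
```

Calling `evaluate(RULES, IP_PKT)` returns `('allow', None, [1000, 65535])`: the IP-layer packet is jumped straight from 01000 to the 50000 block and falls through to the default rule without ever seeing 01001. The same flow as an Ethernet frame (`L2_FRAME`) is accepted by 01001 alone, and a non-IP frame on rl0 is dropped by 01101. pipe and fwd are treated as terminal, which matches the default net.inet.ip.fw.one_pass=1; with one_pass=0 a packet coming back from a pipe would continue at the next rule instead.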