 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Andy Boatman <andyboatman at computeruniverse dot us>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall rules problem, I think
 Date:  Sun, 3 Oct 2004 00:14:55 -0400
On Fri, 1 Oct 2004 16:58:24 -0500, Andy Boatman
<andyboatman at computeruniverse dot us> wrote:
> Hello, I am new to m0n0wall.  So far, I have been really impressed.  I
> managed to get my FTP server working properly, but I have what I'm sure is a
> small, easy to fix problem.  The reason I decided on m0n0wall is because I
> have one DSL (Bellsouth) connection I wish to divide between 4 networks.
> Everything is working, except that each interface can "see" the shares on
> every other interface.  I want to have it set so that LAN can access the
> internet, but not OPT1, OPT2, or OPT3.  I'm sure the problem is nothing more
> than my lack of understanding of the rules used to permit/block/reject
> traffic.
> 

That's because the default LAN rule allows LAN traffic to anything. 
The easiest way to change it so the LAN can't talk to any OPT
interfaces is to set up the OPT interfaces on contiguous subnets
separate from the LAN.  i.e. LAN is 192.168.1.0/24, OPT are 10.1.x.x
(10.1.1.0/24, 10.1.2.0/24, etc. on the OPT interfaces).

Then change the LAN -> any rule to permit LAN to anything except
10.1.0.0/16, which encompasses all of your OPT networks.

You can get a lot fancier than that if you know subnetting, but that's
an easy example.

-Chris
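The rule and subnet plan Chris describes, modelled in Python with the standard-library ipaddress module. This is an added example, not code from the m0n0wall project or from anyone in the thread: m0n0wall rules are entered in its web GUI, and this script only reproduces the logic so the plan can be checked offline. The addresses follow the mail (LAN on 192.168.1.0/24, OPT subnets on 10.1.1.0/24, 10.1.2.0/24 and an assumed 10.1.3.0/24); "first matching rule wins" and the default deny are assumptions of this model, not statements about m0n0wall's own evaluation order.

```python
import ipaddress

# Subnet plan from the mail: LAN on its own /24, OPT networks on
# contiguous 10.1.x.0/24 subnets (the third OPT subnet is assumed here).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT_NETS = [ipaddress.ip_network(n)
            for n in ("10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24")]
# The block destination from the mail: one prefix covering every OPT
# subnet, with room left over for OPT networks added later.
MAIL_BLOCK_NET = ipaddress.ip_network("10.1.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")


def opt_aggregate(opt_nets):
    """Smallest single prefix covering every OPT subnet (the 'fancier'
    subnetting step): start from the first subnet and widen its mask one
    bit at a time until all of them fit inside it."""
    agg = opt_nets[0]
    while not all(n.subnet_of(agg) for n in opt_nets):
        agg = agg.supernet()
    return agg


def check_plan(lan_net, opt_nets, block_net):
    """Checks to run before writing the rule: the block destination must
    cover every OPT subnet and must not overlap the LAN itself."""
    block_net = ipaddress.ip_network(block_net)
    problems = []
    for n in opt_nets:
        if not n.subnet_of(block_net):
            problems.append(f"{n} is not covered by {block_net}")
    if lan_net.overlaps(block_net):
        problems.append(f"LAN {lan_net} overlaps {block_net}")
    return problems


def lan_rules(lan_net, block_net):
    """The two LAN rules from the mail as (action, src, dst) tuples.
    The block rule must come first: this model uses first match wins
    (an assumption of the model, not a claim about m0n0wall)."""
    return [
        ("block", lan_net, ipaddress.ip_network(block_net)),
        ("pass", lan_net, ANY),
    ]


def evaluate(rules, src, dst):
    """Return the action the LAN rule set takes for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "block"  # nothing matched: default deny (model assumption)


if __name__ == "__main__":
    print("tightest aggregate:", opt_aggregate(OPT_NETS))
    print("problems with /16 plan:",
          check_plan(LAN_NET, OPT_NETS, MAIL_BLOCK_NET))
    rules = lan_rules(LAN_NET, MAIL_BLOCK_NET)
    for dst in ("10.1.2.5", "10.1.200.1", "10.2.0.1", "198.51.100.7"):
        print(f"192.168.1.10 -> {dst}: {evaluate(rules, '192.168.1.10', dst)}")
```

With the three OPT subnets above, the tightest covering prefix is 10.1.0.0/22; the mail's 10.1.0.0/16 is deliberately coarser, so a fourth OPT network at, say, 10.1.200.0/24 would be blocked from the LAN without touching the rule, while the tight /22 would let LAN reach it until the rule was widened. check_plan also catches the case where the chosen block prefix fails to cover one of the OPT subnets.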