Topic: Noob: DNS-rebind attack detected  (Read 9824 times)
« on: September 02, 2011, 05:54:37 »
hometek *
Posts: 4

hi,

First of all, thanks to all for your postings, which have been very helpful to me as a newbie. I have a new install, running well for the last 3 months, on an Alix board with 3 interfaces - WAN, LAN and OPT1. WAN connects via PPPoE, LAN has 1 PC for work (hence the isolation), OPT1 is for home PCs, a NAS and a printer. I have tried to keep it a simple config since I am new to mono.

Recently, under Diagnostics: Logs -> System, I have noted "DNS-rebind attack detected" messages. I have searched through the forums for more info relating to this, but I have not found any responses on how to detect where this is coming from. I have been able to "create" the messages if I port forward and open up for torrents onto a single PC in OPT1 (the message has been known to appear even prior to my using torrents to "create/trigger" it, but torrents almost always trigger this message without fail). I have combed through the Diagnostics: Logs (firewall, DHCP), ARP table and firewall states to see if I can relate anything that happened during the time that message appeared, but nothing.

My questions are:
1.  How do I know if this is blocked? Or is it?
2.  Is this caused by rogue private IP addresses from outside hitting the WAN interface? Or is it dnsmasq (as someone mentioned in one forum I saw) alerting me when upstream DNS servers detect private IPs?
(I am using OpenDNS in General Setup, with no override from DHCP/PPP on WAN.)
3.  The default firewall rule on WAN says it denies RFC 1918 IPs; how can I see which IP ranges it blocks? Firewall rule question: is there a simple way for me to define a list of IPs to block?


I would appreciate it if anyone can help me understand whether this is normal (a false positive) with mono or an exception, and whether I need additional firewall rules as a precaution on the WAN/OPT1 interface for torrents (browser is Firefox/NoScript).

Thanks very much, and sorry for the long post (in case I didn't provide enough background).
ht



« Reply #1 on: September 08, 2011, 21:14:24 »
iridris ***
Posts: 145

1. You can optionally block it on the "DNS Forwarder" page using the "Block DNS Rebind attacks"; however, I'm not sure if that setting will have any effect unless you have the DNS forwarder enabled (you probably do).

2. I don't know - Google probably does ;)

3. RFC 1918 Addresses are the following:
     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
Unless you have a special or odd setup, you'll want to leave this block in place.

Unfortunately, there is no simple way to block a list of IPs or IP ranges without manually creating a rule for each IP or IP Range.
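To make concrete what the "Block DNS Rebind attacks" option actually checks, here is an added example written by the editor; it is not code from m0n0wall or dnsmasq. It parses a constructed upstream DNS reply and flags any A record whose address falls in the RFC 1918 ranges listed above (plus loopback and link-local). That is the check a forwarder's rebind protection applies to upstream answers, and dnsmasq logs a "possible DNS-rebind attack detected" line when it rejects one. The exact set of blocked ranges, the names and the addresses in the sample reply are assumptions; check your dnsmasq version's man page for the list it uses.

```python
"""Added example (editor's, not m0n0wall or dnsmasq code): the check a DNS
forwarder's rebind protection applies to an upstream answer."""
import ipaddress
import struct

# Answer addresses a forwarder with rebind protection refuses: RFC 1918 plus
# loopback, link-local and 0/8. Assumed set; see your dnsmasq man page for
# the exact list --stop-dns-rebind uses.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_blocked_address(ip):
    """True if an answer address is one the rebind check would reject."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def encode_name(name):
    """Wire-format a name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(name, ips, txid=0x1234, compress=True):
    """Constructed upstream reply: one question and one A record per IP.
    With compress=True the answer owner names are pointers back to the
    question name at offset 12, as real resolvers emit them."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    owner = b"\xc0\x0c" if compress else encode_name(name)
    answers = b"".join(
        owner + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips)
    return header + question + answers


def decode_name(packet, offset, max_hops=8):
    """Return (name, offset just past the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                       # name ends after first pointer
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_records(packet):
    """Return [(owner, ipv4)] for every A/IN record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        _name, offset = decode_name(packet, offset)
        offset += 4                                    # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        name, offset = decode_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata, offset = packet[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata))))
    return records


def rebind_check(packet):
    """Split answers into (offending, clean). A forwarder with rebind
    protection drops the whole reply and logs it when the first list is
    non-empty, so the client never sees the private address."""
    bad, good = [], []
    for name, ip in parse_a_records(packet):
        (bad if is_blocked_address(ip) else good).append((name, ip))
    return bad, good


if __name__ == "__main__":
    # Constructed reply: a public name that also answers with a LAN address.
    reply = build_a_response("tracker.example", ["203.0.113.5", "192.168.1.20"])
    print(rebind_check(reply))
```

The point of the check is that it looks at what the upstream resolver answered, not at who sent the query: a "DNS-rebind attack detected" line means some client asked the forwarder for a name, and the answer (or one of several answers) pointed into private address space. To find the client, correlate the timestamp with the forwarder's query log or with firewall states to port 53 at that moment.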
« Reply #2 on: September 11, 2011, 02:33:12 »
NCSIdaho *
Posts: 15

this might help

http://forum.m0n0.ch/index.php/topic,5223.0.html

« Reply #3 on: September 13, 2011, 17:00:13 »
hometek *
Posts: 4

Hi all, sorry for the late response.

Thanks very much Phil/NCSIdaho for your attachment; this is very helpful for a networking/mono beginner like me. The approach I have at the moment disables the default (LAN) outgoing-to-anywhere rule, and I explicitly allow outgoing on port 53 (only to 208.67.222.222/220), 80 and 443. Didn't think about incoming/WAN, oops.

Let me see if I understand it correctly - your 2nd rule blocks any non-LAN (WAN, OPT1, etc.) UDP request arriving at the LAN interface asking for port 53?
Proto  Source        Port  Dest  Port      Desc
UDP    !192.168.x.x  *     *     53 (DNS)

Thanks again for your assistance, and to iridris too for your comments.

rgds
ht
« Reply #4 on: September 13, 2011, 19:44:52 »
NCSIdaho *
Posts: 15

Yes, it explicitly denies any host on the LAN from requesting DNS (53) from any source except the m0n0wall or internal server.

So !192.168.x.x <-- would be the IP address of your m0n0wall or server, whichever device is handling DNS lookups.

This is useful if a PC becomes infected with a DNS redirector, and it keeps users from bypassing OpenDNS filter settings.
« Reply #5 on: September 14, 2011, 08:18:39 »
hometek *
Posts: 4

Phil, thanks for your patience. One last question if possible: from your experience, is there any advantage to
1. allow all - block only DNS, SMTP (what you have)
vs
2. block all - allow only DNS, SMTP, etc.?

There are many opinions on this on various forums (e.g. Untangle), and some are confusing. Thanks again.
« Reply #6 on: September 14, 2011, 19:15:14 »
NCSIdaho *
Posts: 15

My setup is just one of many possibilities for home and small business use. I want DNS lookups to fail if the host computer is not using the designated server. This prevents DNS-hijacked computers from getting on the Web. I also block port 25, as this prevents a spam bot on the network from sending tons of emails that would get my IP blacklisted.

I have found that this simple, straightforward setup works well for me and my clients; m0n0wall has been the absolute best.
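To make the trade-off discussed in Replies #3, #4 and #6 concrete, here is an added example written by the editor; it is not m0n0wall configuration or code. It models both LAN policies (allow all but block DNS to anything except the firewall and block SMTP, versus default deny with an allow list for DNS to OpenDNS, HTTP and HTTPS) as first-match rule lists and runs a set of constructed packets through each. The LAN addressing (192.168.1.0/24 with the m0n0wall at 192.168.1.1), the sample host and destinations, the first-match evaluation order, and reading the "!192.168.x.x" rule as a negated destination (the stated intent in Reply #4) are all assumptions.

```python
"""Added example (editor's, not m0n0wall code): evaluate the two LAN policies
discussed in this thread against constructed packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing; the thread only ever writes 192.168.x.x.
FW = "192.168.1.1"                                   # m0n0wall LAN address, runs the DNS forwarder
LAN = "192.168.1.0/24"
OPENDNS = ("208.67.222.222", "208.67.220.220")       # resolvers named in Reply #3


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: Optional[str]        # None = any protocol
    src: Optional[str]          # host or CIDR; leading "!" negates; None = any
    dst: Optional[str]
    dport: Optional[int]        # None = any port
    desc: str = ""

    @staticmethod
    def _addr_match(spec, addr):
        if spec is None:
            return True
        negate = spec.startswith("!")
        net = ip_network(spec.lstrip("!"), strict=False)
        return (ip_address(addr) in net) != negate

    def matches(self, p):
        return ((self.proto is None or self.proto == p.proto)
                and self._addr_match(self.src, p.src)
                and self._addr_match(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, p, default="block"):
    """First matching rule wins, top to bottom (assumed, mirroring m0n0wall's
    per-interface rule lists); unmatched traffic gets the default action."""
    for r in rules:
        if r.matches(p):
            return r.action, r.desc
    return default, "implicit default"


# Policy 1 (Replies #4 and #6): allow everything out, but DNS only to the
# firewall and no direct SMTP. The thread writes the negated address in the
# Source column; the stated intent ("no LAN host may query DNS anywhere except
# the m0n0wall") is modelled here as a negated destination.
ALLOW_ALL_BLOCK_DNS_SMTP = [
    Rule("pass",  "udp", LAN, FW,       53,   "DNS to m0n0wall forwarder"),
    Rule("block", "udp", LAN, "!" + FW, 53,   "DNS to anything else"),
    Rule("block", "tcp", LAN, None,     25,   "no direct SMTP"),
    Rule("pass",  None,  LAN, None,     None, "LAN to any"),
]

# Policy 2 (Reply #3): default deny; allow only DNS to OpenDNS, HTTP and HTTPS.
DEFAULT_DENY_ALLOW_LIST = [
    Rule("pass", "udp", LAN, OPENDNS[0], 53,  "DNS to OpenDNS"),
    Rule("pass", "udp", LAN, OPENDNS[1], 53,  "DNS to OpenDNS"),
    Rule("pass", "tcp", LAN, None,       80,  "HTTP"),
    Rule("pass", "tcp", LAN, None,       443, "HTTPS"),
]

# Constructed traffic from one LAN host (addresses are documentation ranges).
SAMPLE = {
    "dns_to_firewall": Packet("udp", "192.168.1.50", FW, 53),
    "dns_hijacked":    Packet("udp", "192.168.1.50", "198.51.100.9", 53),   # malware-set resolver
    "dns_to_opendns":  Packet("udp", "192.168.1.50", OPENDNS[0], 53),
    "smtp_direct":     Packet("tcp", "192.168.1.50", "203.0.113.25", 25),
    "https":           Packet("tcp", "192.168.1.50", "203.0.113.10", 443),
    "torrent_peer":    Packet("tcp", "192.168.1.50", "203.0.113.77", 51413),
}


def decisions(rules):
    """Map each sample packet name to the action the given policy takes."""
    return {name: evaluate(rules, p)[0] for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("allow-all / block-list", ALLOW_ALL_BLOCK_DNS_SMTP),
                         ("default-deny / allow-list", DEFAULT_DENY_ALLOW_LIST)):
        print(label, decisions(rules))
```

Running it shows the practical difference: both policies stop a host whose resolver setting has been hijacked, and both stop direct SMTP, but only the allow-list policy blocks the torrent peer connection (and anything else not explicitly permitted). Note also what the allow list in Reply #3 permits as literally written: DNS straight to OpenDNS passes, while a query to the m0n0wall's own forwarder does not match any pass rule, so a host that was handed the firewall as its resolver via DHCP would need its own pass rule under that policy.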
« Reply #7 on: September 16, 2011, 04:56:03 »
hometek *
Posts: 4

Thanks very much for that.
 