Hi all
I recently upgraded to m0n0wall 1.33 on a Soekris 4801. I then set up some new firewall rules. However, it appears that the default block rule sets:
#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on vr0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on vr1 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr1 all keep state

#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on vr2 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr2 all keep state

# always pass outgoing IPsec encapsulated packets
pass out quick on enc0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 10.10.1.0/24 to 10.10.1.1 keep state group 100
are being actioned ahead of the user-defined rules, which appear further down:
# User-defined rules follow
pass in quick proto tcp from any to 10.10.1.100 port = 3000 keep state group 200

This appears to be confirmed by the logs, which show the default rule:
@40 block in log quick on vr1 all head 200

is being called instead of the user-defined rule:
# Group 200
...
@3 pass in quick proto tcp from any to 10.10.1.100/32 port = 3000 keep state group 200
...
as evidenced by the following log entries:
Dec 13 18:32:06 soekakl ipmon[118]: 18:32:05.094873 vr1 @0:40 b 118.208.146.229,58524 -> 119.224.138.169,3000 PR tcp len 20 52 -S IN
Dec 13 18:32:06 soekakl ipmon[118]: 18:32:05.348124 vr1 @0:40 b 118.208.146.229,58526 -> 119.224.138.169,3000 PR tcp len 20 52 -S IN
Any ideas on how to get the default block rule to operate only if the user-defined rule is not met?
Thanks in advance
Regards
Mark
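To see why the head rule fires, here is an added example (not from the post above and not m0n0wall code): a small Python model of IPFilter's head/group evaluation, run over the rules quoted in the post and the first ipmon line. In ipf a head rule that matches hands the packet to its group; a matching group rule decides, and only when no rule in the group matches does the head rule's own action apply, so group 200 is not being skipped. The rule parser covers only the syntax that appears on this page, the "group:index" labels it reports are positions within this excerpt rather than m0n0wall's real @ numbers, and the second run assumes a hypothetical rdr entry rewriting the destination to 10.10.1.100 (IPFilter applies inbound NAT before the filter).

```python
"""Model of IPFilter head/group evaluation (added example, not m0n0wall code)."""
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Rules copied from the post (constructed excerpt, comments dropped).
RULESET = """
block in log quick on vr0 all head 100
pass out quick on vr0 all keep state
block in log quick on vr1 all head 200
pass out quick on vr1 all keep state
block in log quick on vr2 all head 300
pass out quick on vr2 all keep state
pass out quick on enc0 all keep state
pass in quick from 10.10.1.0/24 to 10.10.1.1 keep state group 100
pass in quick proto tcp from any to 10.10.1.100 port = 3000 keep state group 200
"""

# First ipmon line from the post (constructed copy).
LOG_LINE = ("Dec 13 18:32:06 soekakl ipmon[118]: 18:32:05.094873 vr1 @0:40 b "
            "118.208.146.229,58524 -> 119.224.138.169,3000 PR tcp len 20 52 -S IN")


@dataclass
class Rule:
    text: str
    action: str                 # "block" or "pass"
    direction: str              # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    head: Optional[int] = None  # this rule opens group N
    group: int = 0              # this rule belongs to group N (0 = top level)


@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf syntax used on the page; other keywords are ignored."""
    t = line.split()
    r = Rule(text=line, action=t[0], direction=t[1])
    i = 2
    while i < len(t):
        tok = t[i]
        if tok == "quick":
            r.quick = True
        elif tok == "on":
            r.iface = t[i + 1]; i += 1
        elif tok == "proto":
            r.proto = t[i + 1]; i += 1
        elif tok == "from":
            r.src = _net(t[i + 1]); i += 1
        elif tok == "to":
            r.dst = _net(t[i + 1]); i += 1
        elif tok == "port":         # only the "port = N" form
            r.dport = int(t[i + 2]); i += 2
        elif tok == "head":
            r.head = int(t[i + 1]); i += 1
        elif tok == "group":
            r.group = int(t[i + 1]); i += 1
        i += 1                      # "all", "log", "keep", "state" need nothing
    return r


def parse_ruleset(text: str) -> Dict[int, List[Rule]]:
    groups: Dict[int, List[Rule]] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            r = parse_rule(line)
            groups.setdefault(r.group, []).append(r)
    return groups


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(groups: Dict[int, List[Rule]], p: Packet,
             group: int = 0) -> Optional[Tuple[str, str]]:
    """Return (action, 'group:index'). A matching head rule hands the packet to
    its group; a group match decides, otherwise the head rule's own action
    applies. Simplification: a matching quick rule always ends the walk."""
    decision = None
    for idx, r in enumerate(groups.get(group, []), start=1):
        if not matches(r, p):
            continue
        result = (r.action, f"{group}:{idx}")
        if r.head is not None:
            sub = evaluate(groups, p, r.head)
            if sub is not None:
                result = sub
        decision = result
        if r.quick:
            break
    return decision


IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<grp>\d+):(?P<num>\d+) (?P<act>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+).*? (?P<dir>IN|OUT)$")


def packet_from_ipmon(line: str) -> Packet:
    m = IPMON_RE.search(line)
    if not m:
        raise ValueError("not an ipmon packet line")
    return Packet(iface=m["iface"], direction=m["dir"].lower(), proto=m["proto"],
                  src=m["src"], dst=m["dst"], dport=int(m["dport"]))


def explain(ruleset_text: str = RULESET, log_line: str = LOG_LINE):
    """Evaluate the logged packet as seen, then as a hypothetical rdr would present it."""
    groups = parse_ruleset(ruleset_text)
    pkt = packet_from_ipmon(log_line)
    as_logged = evaluate(groups, pkt)
    after_rdr = evaluate(groups, replace(pkt, dst="10.10.1.100"))  # assumed rdr target
    return as_logged, after_rdr


if __name__ == "__main__":
    print(explain())
```

The logged packet is addressed to 119.224.138.169, so it fails the "to 10.10.1.100" test of the only rule in group 200 and the walk falls back to the head rule, which is exactly the @0:40 block in the log; the same packet with its destination translated matches the user rule instead. Whether an inbound NAT (port forward) entry for port 3000 exists is not shown in the post, so that is the first thing to check in m0n0wall's NAT settings before touching the filter rules.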