Topic: DMZ firewall rules  (Read 1537 times)
« on: January 09, 2014, 10:35:16 »
floorfilla *
Posts: 4

Hi,
I need to configure m0n0wall for one of my school projects; it's basically setting up a DMZ with firewall rules attached.

I read the documentation on how to do it (http://doc.m0n0.ch/handbook/examples.html#id11643435), but I can't understand 13.1.4 chapter.

Why does the documentation say: "We will put in a firewall rule on the DMZ interface denying all traffic to the LAN while still permitting all traffic to the WAN", while the screenshot below shows "WAN" as the interface of the rule?

The caption below the option "Interface" says: Choose on which interface packets must come in to match this rule.
So, shouldn't it be DMZ instead of WAN?

Best regards,
« Reply #1 on: January 09, 2014, 14:03:29 »
tuxfux *
Posts: 32

Hi,

first of all: good luck with your project.

As I understand it: you are right. It should be set to DMZ. As you think, it is: the rule applies to the interface you choose. In the picture it is, for me, a bit confusing.

I would do it like this to pass everything from DMZ to the internet:
Action: pass
Disable: NO
Interface: DMZ
Protocol: (as you wish, you can do any)
Source: choose here your DMZ subnet and DON'T tick the "not" option (but it shouldn't be a problem if you don't do it, since it's anyway everything which is from DMZ)
Source port range: as you wish, or leave it like it is
Destination: choose here "WAN address"
Destination port range: as you wish, or leave it like it is
and the other two options: as you need/wish
In description I usually do in this case something like: DMZ -> Internet

I hope it's right. Did it from memory.
« Last Edit: January 09, 2014, 14:05:40 by tuxfux »
« Reply #2 on: January 09, 2014, 16:08:51 »
Fred Grayson *****
Posts: 994

The confusion is likely because the first image below 13.1.4. "Configuring the DMZ Interface Firewall Rules" shows the rules page as it is when you first see it. The second image shows the desired rule as you should input it.

--
Google is your friend and Bob's your uncle.
« Reply #3 on: January 09, 2014, 17:08:30 »
tuxfux *
Posts: 32

Ah, Fred is right,
but floorfilla: if you have more than 3 interfaces, you might rethink it as it is in the picture ("destination not LAN Subnet"). If you have two separate LANs, you might do it like I suggested, or similar. But I think you get it.
Advice: never just copy firewall rules. Think about it first.
« Reply #4 on: January 10, 2014, 00:18:04 »
floorfilla *
Posts: 4

Firstly, thank you for both of your answers.

After some research (or just mind fucking :D) and with your answers, I succeeded and came to this conclusion:

- When the documentation says "Choose on which interface packets must come in to match this rule", this means that the direction of the traffic is:
SUBNET > INTERFACE

Since the beginning, I thought it was Interface > Subnet, so the pictures shown in the documentation are correct. m0n0wall team, you have my apologies.

- So, after some tweaking, I did the following on my 3 interfaces:

LAN : http://i.imgur.com/lW9s6oc.jpg
WAN : http://imgur.com/1Qr9lDO
DMZ : http://imgur.com/ujdGL2b

Basically, the trick is to deny everything from any to any, then start adding some permissions, and in particular, as tuxfux said: use the reverse option of the destination entry (destination NOT LAN Subnet).

Now this is working like a charm, and the documentation was fully correct.
Maybe, they can add some explanations about what "Choose on which interface packets must come in to match this rule" really means.

And, when I managed to get everything working, I said: Fuck it, m0n0wall is so powerful.
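The point the thread settles on (the "Interface" field names the interface a packet arrives on, rules are matched top to bottom, and anything unmatched is dropped) is easy to check with a small model. The following Python is an added illustration, not code from the forum or from the m0n0wall project; the 192.168.1.0/24 LAN and 192.168.2.0/24 DMZ subnets, the interface names and the rule descriptions are constructed for the example, and it ignores protocol, ports and state to keep the interface/direction semantics in focus.

```python
"""Toy model of first-match firewall rules keyed on the ingress interface,
in the style of the m0n0wall DMZ example discussed above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    interface: str               # interface the packet must ARRIVE on to match
    source: str                  # CIDR network or "any"
    destination: str             # CIDR network or "any"
    destination_not: bool = False  # the "not" checkbox on the destination field
    description: str = ""


def _net_matches(spec: str, ip: str) -> bool:
    """True if ip falls inside spec, or spec is 'any'."""
    if spec == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, ingress_if: str, src_ip: str, dst_ip: str) -> bool:
    """A rule only ever sees packets coming IN on its own interface."""
    if rule.interface != ingress_if:
        return False
    if not _net_matches(rule.source, src_ip):
        return False
    dst_hit = _net_matches(rule.destination, dst_ip)
    # "not" inverts the destination test: match everything EXCEPT that network
    return (not dst_hit) if rule.destination_not else dst_hit


def evaluate(rules: List[Rule], ingress_if: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, ingress_if, src_ip, dst_ip):
            return rule.action, rule.description
    return "block", "implicit default deny"


# Constructed addressing for the example (assumption, not from the thread)
LAN_NET = "192.168.1.0/24"
DMZ_NET = "192.168.2.0/24"

# The rule from the handbook example as the thread reads it: on the DMZ
# interface, pass DMZ-sourced traffic to any destination that is NOT the LAN.
DMZ_RULES = [
    Rule("pass", "dmz", DMZ_NET, LAN_NET, destination_not=True,
         description="DMZ -> anything except LAN"),
]
# The stock LAN rule: anything arriving on LAN may go anywhere.
LAN_RULES = [
    Rule("pass", "lan", LAN_NET, ANY, description="LAN -> anywhere"),
]
RULESET = DMZ_RULES + LAN_RULES

# The original poster's misreading: same rule, but with Interface set to WAN.
# It can never match traffic that arrives on the DMZ interface.
MISREAD_RULES = [
    Rule("pass", "wan", DMZ_NET, LAN_NET, destination_not=True,
         description="DMZ rule placed on WAN interface"),
]


def check(ingress_if: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Evaluate a packet against the corrected rule set."""
    return evaluate(RULESET, ingress_if, src_ip, dst_ip)


if __name__ == "__main__":
    samples = [
        ("dmz", "192.168.2.10", "203.0.113.5"),    # DMZ host -> internet
        ("dmz", "192.168.2.10", "192.168.1.10"),   # DMZ host -> LAN host
        ("lan", "192.168.1.10", "192.168.2.10"),   # LAN host -> DMZ host
        ("wan", "203.0.113.5", "192.168.2.10"),    # unsolicited inbound from WAN
    ]
    for pkt in samples:
        print(pkt, "->", check(*pkt))
    print("misread rule, DMZ -> internet:",
          evaluate(MISREAD_RULES, "dmz", "192.168.2.10", "203.0.113.5"))
```

Running it shows the DMZ host reaching the internet but not the LAN, the LAN host reaching the DMZ, inbound WAN traffic falling through to the default deny, and the WAN-interface version of the rule never matching DMZ-originated packets at all, which is exactly why the handbook rule has to live on the DMZ interface. Real m0n0wall rules are also stateful, so the reply traffic for a passed connection is allowed without a separate rule; this model leaves that out.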