Topic: Destination interface in filter rule  (Read 2124 times)
« on: July 08, 2007, 23:31:31 »
hupf *
Posts: 2

Hi all

I'm new to m0n0wall and I'm beginning to like it. Nevertheless I have one very basic thing I don't understand:

Let's assume I want to implement the simple policy "pass HTTP traffic from any host in the LAN to any host in the WAN (internet), but to no other interfaces (like DMZ or VPN)". How can I achieve this?

It seems that the m0n0wall destination option "WAN Address", does only match the WAN subnet, but I want to match packages for the world wide internet... I'm missing a destination like "WAN Interface".

I've done such rules many times with iptables and I think with pf it would look something like this (with fxp0=LAN and fxp1=WAN):

Code:
pass in on fxp0 proto tcp from any to fxp1 port www

Is my netfilter-affected thinking wrong? Is it simply not possible with m0n0wall, or how do you implement this policy with m0n0wall?

Regards,
hupf
« Reply #1 on: July 11, 2007, 04:07:50 »
cmb *****
Posts: 851

Traffic is filtered on the interface it comes in on, based on its destination.

Let's assume I want to implement the simple policy "pass HTTP traffic from any host in the LAN to any host in the WAN (internet), but to no other interfaces (like DMZ or VPN)". How can I achieve this?

Put in a rule on your LAN allowing HTTP to "not" your other interfaces' subnets.
« Reply #2 on: July 11, 2007, 10:24:28 »
hupf *
Posts: 2

Hi cmb

The problem is that with more than three interfaces it is not possible to work with negation. In my case I would have to first create two block rules, one for the DMZ and one for the VPN interface, then finally a pass rule for the remaining traffic (which will be the one for the WAN interface)...
So if I want to regulate all traffic from LAN to WAN I would have to write three times as many rules... with, let's say, 20 protocols to filter I would have to write 60 rules... which makes it complicated, error-prone and hard to maintain.

I think there must be a solution for this very basic firewall use case, simply because I think this is a user interface restriction and not a PF restriction. The only problem is that on the WAN interface, the addresses are not from a strictly defined subnet. I propose to add a "WAN Interface" destination option.

What do you think? Am I the only one with this problem, who tries to build a m0n0wall-based firewall with more than three interfaces?

Greetings,
hupf
« Reply #3 on: July 16, 2007, 22:51:55 »
iMav *
Posts: 17

So if I want to regulate all traffic from LAN to WAN I would have to write three-times as much rules... with, let's say, 20 protocols to filter I would have to write 60 rules... which makes it complicated, error-prone and hard to maintain.
It's the one big negative regarding firewalls whose rules are based on ACLs applied to individual interfaces (instead of being able to define source and destination interfaces per rule).

This same limitation is why I loathe the Cisco PIX and ASAs. I am willing to accept it with m0n0wall because it is free, my home configurations are typically easily able to handle the limitation, and there is such great traffic shaping and throttling functionality built in.

« Reply #4 on: July 18, 2007, 07:54:47 »
cmb *****
Posts: 851

Rulesets can get unwieldy with lots of interfaces and specific rules. I've worked on several with in excess of a hundred rules. It definitely gets ugly. I much prefer pfsense now for those types of installs because its host, network, and port groupings allow for much cleaner and shorter rulesets.

In many networks, if you plan things well you can get by with a pretty small ruleset. Sometimes there just isn't anything you can do.
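As an added illustration of the two points raised in this thread (not code from m0n0wall or from any poster), the script below builds the "block each other interface, then pass" ruleset hupf describes in Reply #2 and the equivalent ruleset using one negated network group, the kind of grouping cmb refers to in Reply #4, then evaluates sample destinations against both with first-match semantics. The interface name, the DMZ/VPN subnets, the protocol list and the pf-flavoured rule text are constructed for illustration only.

```python
"""Added example: rule inflation on an interface-based ACL firewall when the
destination can only be written as "not my other interfaces", and how a
negated network group collapses it. All names/subnets below are constructed."""
import ipaddress

LAN_IF = "fxp0"                                   # assumed inbound interface
OTHER_NETS = ["192.0.2.0/24", "198.51.100.0/24"]  # assumed DMZ and VPN subnets
PORTS = {"www": 80, "https": 443, "smtp": 25}     # assumed protocols to allow

# A rule is (action, negate, networks, port); networks=None means "any".
def ungrouped_rules(ports=PORTS, other_nets=OTHER_NETS):
    """Block-then-pass pattern forced when no negated group is available:
    one block per other interface, then a pass to any, for every protocol.
    Rule count is (len(other_nets) + 1) * len(ports)."""
    rules = []
    for port in ports.values():
        for net in other_nets:
            rules.append(("block", False, [net], port))
        rules.append(("pass", False, None, port))
    return rules

def grouped_rules(ports=PORTS, other_nets=OTHER_NETS):
    """Same policy with a single negated network group: one rule per protocol."""
    return [("pass", True, list(other_nets), port) for port in ports.values()]

def render(rule, lan_if=LAN_IF):
    """pf-flavoured text for a rule (illustrative); '!' negates the destination."""
    action, negate, nets, port = rule
    dst = "any" if nets is None else "{ " + ", ".join(nets) + " }"
    neg = "! " if negate else ""
    return f"{action} in on {lan_if} proto tcp from any to {neg}{dst} port {port}"

def decide(rules, dst_ip, port, default="block"):
    """First-match evaluation, top to bottom; unmatched traffic is blocked."""
    ip = ipaddress.ip_address(dst_ip)
    for action, negate, nets, rport in rules:
        if rport != port:
            continue
        in_set = nets is None or any(ip in ipaddress.ip_network(n) for n in nets)
        if in_set != negate:      # plain match, or negated non-membership
            return action
    return default

if __name__ == "__main__":
    for rs in (ungrouped_rules(), grouped_rules()):
        print(f"{len(rs)} rules:")
        for r in rs:
            print("  " + render(r))
    for ip in ("203.0.113.7", "192.0.2.10"):   # internet host vs. DMZ host
        print(ip, decide(ungrouped_rules(), ip, 80), decide(grouped_rules(), ip, 80))
```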