qinn
Junior Member
Posts: 17
Post by qinn on Sept 28, 2015 14:24:14 GMT
Is it possible to create a rule that blocks/rejects the WAN as a destination? As far as I can see, it is only possible to select "WAN address", yet an address cannot be entered.
Thnx in advance for any help.
Post by Lee Sharp on Sept 29, 2015 5:36:18 GMT
Well, by default everything is blocked unless allowed. But you can make a deny rule with the WAN IP address. What are you trying to do?
qinn
Junior Member
Posts: 17
Post by qinn on Sept 29, 2015 16:03:45 GMT
Well, in the WLAN I need to block access to the WAN for one single IP address. This IP address doesn't belong to a PC, so I cannot easily check which internet IP it logs on to in the cloud (WAN). As its destination is unknown to me, I cannot make use of the Type: WAN address. Using the default rule "everything is blocked unless allowed" crossed my mind and it is possible, because all PCs here receive an IP on MAC address, but it would mean that I'll have to create a pass rule in WLAN for every single device (70 devices), as now there is only one rule WLAN -> !LAN.
Post by Lee Sharp on Sept 29, 2015 18:03:46 GMT
Ahh... I get you. You have a device on your LAN you do not want to access the internet, correct? Firewall rules are per interface inbound, so WAN only plays with outside devices. As to your device, if you know the MAC you can give it a static DHCP assignment, and then have a rule on LAN to block all to all. It will still work on the LAN, as that is internal and has nothing to do with the firewall. Unless I still misunderstand what you are trying to do. And that is easy to do. Networking is hard!
qinn
Junior Member
Posts: 17
Post by qinn on Sept 30, 2015 15:24:57 GMT
Ahh... I get you. You have a device on your LAN you do not want to access the internet, correct?
Yes.
Firewall rules are per interface inbound, so WAN only plays with outside devices.
You are correct.
As to your device, if you know the MAC you can give it a static DHCP assignment,
All 70 devices in the LAN receive an IP from the DHCP server on MAC address.
and then have a rule on LAN to block all to all. It will still work on the LAN, as that is internal and has nothing to do with the firewall.
This I don't understand, as the devices in the LAN are not on a different server; SmallWall is the server that rules these devices. So if I have a rule on LAN to block all to all, all is blocked.
Unless I still misunderstand what you are trying to do. And that is easy to do. Networking is hard!
Yes, networking is hard. As you mentioned in an earlier reply, by default everything is blocked; you said this is only inbound. So this means that by default any device can ping, let's say, Google, but there will be no reply as all inbound is blocked, am I right? So if I don't want this device to establish a connection to a server/cloud on the internet and I cannot make a rule (inbound) for this device to the destination WAN, I will have to make a rule for each one of the 70 devices. This rule will be device=IP specific and let the device go everywhere, except the device I don't want to; then the default blocking rule will keep this device from establishing a connection. Hmmm, 70 devices means 70 rules, lots of work to be done.
qinn
Junior Member
Posts: 17
Post by qinn on Sept 30, 2015 16:18:46 GMT
It would have been easier if WAN was an option in the destination choices, although I would be (mis)using it for inbound. Why is there the option "WAN address" in source and destination, if nothing can be entered in the address field? What is it used for?
Post by Lee Sharp on Sept 30, 2015 23:56:35 GMT
I think you are confusing some things. So let me step back a bit...
First all firewall rules are sorted by interface, and they are inbound rules. If you want to block someone from going to the Internet on port 25 (keeping spam down) then you set up that rule on the LAN interface.
The default rule lets all traffic out on LAN. You can adjust this as needed, or set up some blocks beforehand. For example, say you have a mail server that needs to send mail on port 25, but you want to block malware from poisoning your IP address. (Common thing...) On LAN, you first need an Allow rule with source of the mail server's IP, port any, destination any IP, port 25. Then you need a block rule for source any, any, destination any, port 25. Then the default rule. That way an e-mail going out from the mail server will hit the first rule, match and go. An infected PC trying to spam will hit the second rule, and be blocked. Something not e-mail will hit the default rule and pass.
As to the default rule, your theory on ping is good, but not accurate. When you ping out, you open a temporary port that is NATed back to you, so they can respond.
Now the WAN IP address is a setting because the WAN is sometimes DHCP, so we cannot just type it in. That means "WAN Address" is actually whatever the current IP address on WAN is. It may be used for things like allowing something access to the firewall itself. Like allowing on the WAN source any, any, destination WAN Address, 443. That means you could see the GUI from anywhere. (Doing this may not be a good idea from a security standpoint. But it does make a nice honey-pot!)
Does that help?
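The rule ordering Lee describes (a specific allow, then a broad block, then the default pass, all evaluated top to bottom on the LAN interface with the first match winning) is easy to get wrong, so here is a small first-match evaluator as an added illustration. It is not SmallWall code and not from either poster; the addresses (192.0.2.0/24 as the LAN, a mail server at .25 and a single device at .70 that should stay off the Internet, as in qinn's situation) are constructed for the example, and the evaluator assumes, as Lee states, that LAN rules only see traffic entering the firewall from the LAN side.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR prefix, or "any"
    dst: str               # CIDR prefix, or "any"
    dport: Optional[int]   # destination port, None means any
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src: str   # source IP as seen entering the LAN interface
    dst: str   # destination IP
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise the address must lie in the prefix."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        _addr_matches(rule.src, pkt.src)
        and _addr_matches(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules, pkt: Packet):
    """First-match evaluation: the first rule that matches decides.

    Anything that reaches the end of the list is dropped, which models
    the 'everything is blocked unless allowed' behaviour of the firewall.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "block", "implicit deny (no rule matched)"


# Constructed LAN rule set, in the order Lee describes, plus one extra
# block rule (an assumption for qinn's case) that keeps a single device
# off the Internet while every other host keeps the default pass.
LAN_RULES = [
    Rule("pass", "192.0.2.25/32", "any", 25, "mail server may send SMTP"),
    Rule("block", "any", "any", 25, "nobody else may send SMTP"),
    Rule("block", "192.0.2.70/32", "any", None, "single device kept off the Internet"),
    Rule("pass", "192.0.2.0/24", "any", None, "default rule: LAN -> any"),
]

# The same rules with the SMTP allow and block swapped: the broad block now
# shadows the mail server's allow, which is the classic ordering mistake.
SHADOWED_RULES = [LAN_RULES[1], LAN_RULES[0]] + LAN_RULES[2:]


def walk_through(rules, packets):
    """Return the decision for each constructed packet, for a quick read-out."""
    return [(pkt, *evaluate(rules, pkt)) for pkt in packets]


if __name__ == "__main__":
    sample = [
        Packet("192.0.2.25", "198.51.100.10", 25),   # mail server sending mail
        Packet("192.0.2.50", "198.51.100.10", 25),   # an infected PC trying to spam
        Packet("192.0.2.50", "198.51.100.10", 443),  # ordinary HTTPS from a PC
        Packet("192.0.2.70", "198.51.100.10", 443),  # the device that must stay home
    ]
    for pkt, action, note in walk_through(LAN_RULES, sample):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  {action:5}  ({note})")
```

Because the single-device block sits above the default pass, it applies only to that one source and nobody needs a rule per host; and because the mail server's allow sits above the port-25 block, the first match lets it through. Swapping those two rules silently cuts the mail server off, which is exactly why rule order matters on an interface.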
qinn
Junior Member
Posts: 17
Post by qinn on Oct 1, 2015 15:33:47 GMT
Thnx Lee. Btw, I am a M0n0wall user from the early days, 2001/2002, and it's great that you and Andrew have created your own fork!!
Post by Lee Sharp on Oct 2, 2015 0:07:45 GMT
Thanks! It will be interesting to see how it all shakes out.
qinn
Junior Member
Posts: 17
Post by qinn on Oct 2, 2015 8:13:14 GMT
Post by Lee Sharp on Oct 2, 2015 13:48:31 GMT
That is nice! But our SVN is self hosted. It is actually a mirror of the actual development SVN that you can not see without a VPN into the network. After commits, I rsync the dev VPN to the public one. Security. Bugs are just in the forum, so I guess I should make a bugs section... But, yes. Andrew and I stay in touch, and communicate bugs and patches. Sometimes publicly via the forums, and sometimes just via e-mail.