Advanced Configuration - Firewall Rules
Figure 6 shows m0n0wall's firewall rule interface. Rules are evaluated on a first-match basis: the first rule that matches a packet is the one applied to it, and no later rule is consulted. To provide maximum security, m0n0wall blocks all traffic unless it is explicitly allowed by a matching firewall rule. As a convenience, the default configuration contains a single rule allowing all traffic originating on the LAN interface.
Figure 6: Firewall Rules Admin Page
The default LAN interface rule is the rule at the bottom of the screen. The rules above it are used to block NetBIOS-type traffic from leaving the local network. In this scenario, as a packet passes in on the LAN interface, it is checked to make sure it does not have a destination TCP port of 137-139 by the first rule, 135 by the second and 445 by the third. The final rule explicitly allows all packets that reach it to pass.
This means a packet with destination TCP port 80 (HTTP) does not match any of the first three block rules, but does match the final rule and is allowed to pass. The final rule is very important, as it allows all packets that are not blocked by a previous rule to pass. If this rule were not present, all LAN packets would be blocked by the firewall's default behaviour.
To clarify further how the firewall rules work, let's look at the rules at the top of the screen for packets entering on the WAN (Internet) interface. The bottom "catch all" rule blocks every packet not matched by a rule above it, and the rules above it allow packets that meet their criteria to pass.
The rules above the bottom "catch all" rule allow (in order):
- Windows Terminal Services traffic on TCP port 3389 from a specific network (JPNET) to my internal server "homer"
- HTTPS traffic on TCP port 443 from JPNET to the WAN IP address of my m0n0wall to allow remote administration
- HTTP traffic on TCP port 80 from JPNET to the WAN IP address of my m0n0wall to allow remote administration
- HTTPS traffic on TCP port 443 from any Internet address to "homer"
- HTTP traffic on TCP port 80 from any Internet address to "homer"
- SMTP traffic on TCP port 25 from any Internet address to "homer"
All other traffic is blocked by m0n0wall's default WAN interface rule.
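To make the first-match, default-deny behaviour described for both the LAN and the WAN rule sets concrete, here is a small evaluator, added as an example and not part of m0n0wall or the original page. The addresses for JPNET, "homer" and the m0n0wall WAN IP are constructed placeholders; the rule order and ports are the ones listed above.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (not values from the original page):
# JPNET is the trusted remote network, "homer" the internal server, and
# WAN_IP the m0n0wall's own Internet-facing address.
JPNET = ip_network("203.0.113.0/24")
HOMER = ip_network("192.168.1.10/32")
WAN_IP = ip_network("198.51.100.1/32")

def rule(action, proto="tcp", src=None, dst=None, ports=None):
    """One rule; None for src/dst/ports means 'any', ports is inclusive (low, high)."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def matches(r, proto, src, dst, dport):
    if r["proto"] != "any" and r["proto"] != proto:
        return False
    if r["src"] is not None and ip_address(src) not in r["src"]:
        return False
    if r["dst"] is not None and ip_address(dst) not in r["dst"]:
        return False
    if r["ports"] is not None and not (r["ports"][0] <= dport <= r["ports"][1]):
        return False
    return True

def evaluate(rules, proto, src, dst, dport):
    """First match decides; a packet no rule matches is blocked (default deny)."""
    for r in rules:
        if matches(r, proto, src, dst, dport):
            return r["action"]
    return "block"

# LAN rule set from the page: block the NetBIOS/RPC/SMB ports, then pass the rest.
LAN_RULES = [
    rule("block", ports=(137, 139)),
    rule("block", ports=(135, 135)),
    rule("block", ports=(445, 445)),
    rule("pass", proto="any"),
]

# WAN rule set from the page, in order, ending with the explicit catch-all block.
WAN_RULES = [
    rule("pass", src=JPNET, dst=HOMER, ports=(3389, 3389)),
    rule("pass", src=JPNET, dst=WAN_IP, ports=(443, 443)),
    rule("pass", src=JPNET, dst=WAN_IP, ports=(80, 80)),
    rule("pass", dst=HOMER, ports=(443, 443)),
    rule("pass", dst=HOMER, ports=(80, 80)),
    rule("pass", dst=HOMER, ports=(25, 25)),
    rule("block", proto="any"),
]
```

Evaluating `LAN_RULES[:3]` (the block rules without the final pass rule) shows why that last rule matters: with it removed, even port 80 traffic from the LAN falls through to the default block.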