Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

LAN & WAN Reviews

Advanced Configuration - Firewall Rules

Figure 6 shows m0n0wall's firewall rule interface. Rules are executed on a first match basis, i.e. the rule to first match a packet will be executed. To provide maximum security, m0n0wall will block all traffic unless it is explicitly allowed by a matching firewall rule. As a convenience in its default configuration, there is a single rule allowing all traffic originating at the LAN interface. 

Firewall Rules Admin Page

Figure 6: Firewall Rules Admin Page (click on the image for a larger view)

The default LAN interface rule is the rule at the bottom of the screen. The rules above it are used to block NetBIOS type traffic from leaving the local network. In this scenario, as packet passes in on the LAN interface, it is checked to make sure it doesn't have a target TCP port of 137-139 by the first rule, 135 by the second and 445 by the third. The final rule explicitly allows all packets that reach this rule to pass.

This means a packet with a port 80 (http) as a target will not match the first three rules to be blocked, but will match the final rule and be allowed to pass. The final rule is very important, as it allows all packets to pass that aren't blocked by a previous rule. If this rule were not present, all packets would be blocked by the firewall's default behaviour. 

To clarify how the firewall rules work further, let's look at the rules at the top of the screen for packets entering on the WAN (Internet) interface. The bottom "catch all"' rule blocks previously unmatched packets and the rules above it allow packets that meet the criteria of the rule to pass.

The rules above the bottom "catch all" rule allow (in order):

  • Windows Terminal Services traffic on TCP port 3389 from a specific network (JPNET) to my internal server "homer"
  • HTTPs traffic on TCP port 443 from JPNET to the WAN IP address of my m0n0wall to allow remote administration
  • HTTP traffic on TCP port 80 from JPNET to the WAN IP address of my m0n0wall to allow remote administration
  • HTTPs traffic on TCP port 443 from any Internet address to "homer"
  • HTTP traffic on TCP port 80 from any Internet address to "homer"
  • SMTP traffic on TCP port 25 from any Internet address to "homer"

All other traffic is blocked by m0n0wall's default WAN Interface rule.

More LAN & WAN

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

This thread is for the discussion topic : unbound_manager script. As per the GitHub Hints/Tips: Differences between the operational modes​ E...
Hi,I'm about to setup a Xioami button that upon click should enable disable a VPN Client on the router settings. I use an IPTV server that at times ge...
Continuation of. . .https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-78sf.64890/https://www.snbforums.com/threads/custom-firm...
Hi all, I'm hoping someone can help. My Google Wifi (GW) mesh performance has slowed ton a crawl lately. Even with all the pucks in the same room, I w...
I read in another thread that updating to a newer firmware fixed the issue, which seems to be that dnsomatic switched to https only updating. In the l...

Don't Miss These

  • 1
  • 2
  • 3