Advanced Configuration - Firewall Rules, Continued
A very important factor we haven't considered yet is the order of the rules. To illustrate this, consider a rule on the WAN interface to allow FTP traffic on port 21 to my internal server. If I added this rule after the rule blocking all traffic, packets would match the "block all" rule first and would therefore always be blocked. For the FTP rule to be executed, it must be placed above (i.e. before) the rule blocking all traffic.
Note that I have added the rules blocking all packets purely for clarity and as good practice for debugging; the firewall blocks unmatched packets by default anyway. Note also that it is easy to change the order of rules by using the up and down arrows next to each rule. When you are happy with your changes, just click the Apply Changes button to save them.
Figure 7: Firewall Rule Edit Page
The screen for editing rules is also quite clear and straightforward. Figure 7 shows the rule for allowing MS Terminal Server traffic entering on the WAN interface to an internal server. You will notice that the source and destination specify the address as JPNET1 and POWERDGE respectively, rather than an IP address or network such as 192.168.55.6. This is another feature of m0n0wall called aliases. Aliases are a convenient way of giving an IP address or subnet a more identifiable name that can be used in place of the IP address or subnet in rules and other areas of m0n0wall.
In addition to providing a more readable reference to an IP address, the alias feature eliminates the need to update firewall rules in the event that IP addresses change. For example, if your ISP updated your WAN IP address, you would only need to enter your new IP address in the alias entry. All firewall rules that referenced the alias would then reflect the change of address automatically.
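To make both points concrete, here is a small first-match rule evaluator written for this article (it is not m0n0wall code). The alias names JPNET1 and POWERDGE come from the text; the addresses, the sample packets and the use of port 3389 for Terminal Server are assumptions made for the example.

```python
import ipaddress

def resolve(value, aliases):
    """Expand an alias name to an address or network; 'any' matches everything."""
    if value == "any":
        return None
    return ipaddress.ip_network(aliases.get(value, value), strict=False)

def matches(rule, pkt, aliases):
    """True when the packet's source, destination and port all fit the rule."""
    for key in ("src", "dst"):
        net = resolve(rule[key], aliases)
        if net is not None and ipaddress.ip_address(pkt[key]) not in net:
            return False
    return rule["port"] == "any" or rule["port"] == pkt["port"]

def evaluate(rules, pkt, aliases):
    """Walk the list top to bottom; the first match decides, unmatched packets are blocked."""
    for rule in rules:
        if matches(rule, pkt, aliases):
            return rule["action"], rule["name"]
    return "block", "implicit default"

# Constructed alias table: names from the article, addresses made up for this example.
ALIASES = {"JPNET1": "203.0.113.10", "POWERDGE": "192.168.55.6"}

ALLOW_FTP = {"name": "allow FTP to POWERDGE", "action": "pass", "src": "any", "dst": "POWERDGE", "port": 21}
ALLOW_RDP = {"name": "allow RDP from JPNET1", "action": "pass", "src": "JPNET1", "dst": "POWERDGE", "port": 3389}
BLOCK_ALL = {"name": "block all", "action": "block", "src": "any", "dst": "any", "port": "any"}

# Constructed sample packets arriving on the WAN interface.
FTP_PKT = {"src": "198.51.100.7", "dst": "192.168.55.6", "port": 21}
RDP_PKT = {"src": "203.0.113.10", "dst": "192.168.55.6", "port": 3389}

def ftp_after_block_all():
    # Wrong order: "block all" is evaluated first and shadows the FTP rule.
    return evaluate([BLOCK_ALL, ALLOW_FTP], FTP_PKT, ALIASES)

def ftp_before_block_all():
    # Right order: the FTP rule sits above "block all" and is matched first.
    return evaluate([ALLOW_FTP, BLOCK_ALL], FTP_PKT, ALIASES)

def rdp_after_alias_update(new_jpnet1="203.0.113.99"):
    # Only the alias entry changes; the rule text stays exactly as written.
    updated = {**ALIASES, "JPNET1": new_jpnet1}
    pkt = {**RDP_PKT, "src": new_jpnet1}
    return evaluate([ALLOW_RDP, ALLOW_FTP, BLOCK_ALL], pkt, updated)

if __name__ == "__main__":
    print(ftp_after_block_all(), ftp_before_block_all(), rdp_after_alias_update())
```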