
Advanced Configuration - Firewall Rules

Figure 6 shows m0n0wall's firewall rule interface. Rules are evaluated on a first-match basis: the first rule that matches a packet is the one applied. To provide maximum security, m0n0wall blocks all traffic unless it is explicitly allowed by a matching firewall rule. As a convenience, the default configuration contains a single rule allowing all traffic originating on the LAN interface.

Figure 6: Firewall Rules Admin Page

The default LAN interface rule is the one at the bottom of the screen. The rules above it block NetBIOS-type traffic from leaving the local network. As a packet arrives on the LAN interface, the first rule checks that its target TCP port is not in the range 137-139, the second that it is not 135 and the third that it is not 445. The final rule explicitly allows every packet that reaches it to pass.

This means a packet with target port 80 (HTTP) will not match any of the first three block rules, but will match the final rule and be allowed to pass. The final rule is very important, as it allows all packets to pass that aren't blocked by a previous rule. If it were not present, all packets would be blocked by the firewall's default behaviour.

To clarify further how the firewall rules work, let's look at the rules at the top of the screen for packets entering on the WAN (Internet) interface. The bottom "catch all" rule blocks any packet not matched earlier, and the rules above it allow packets meeting their criteria to pass.

The rules above the bottom "catch all" rule allow (in order):

  • Windows Terminal Services traffic on TCP port 3389 from a specific network (JPNET) to my internal server "homer"
  • HTTPS traffic on TCP port 443 from JPNET to the WAN IP address of my m0n0wall to allow remote administration
  • HTTP traffic on TCP port 80 from JPNET to the WAN IP address of my m0n0wall to allow remote administration
  • HTTPS traffic on TCP port 443 from any Internet address to "homer"
  • HTTP traffic on TCP port 80 from any Internet address to "homer"
  • SMTP traffic on TCP port 25 from any Internet address to "homer"

All other traffic is blocked by m0n0wall's default WAN Interface rule.
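To make the first-match semantics of both rule sets concrete, here is a small evaluator written for this article (it is not m0n0wall's own code) that encodes the LAN rules from Figure 6 and the six WAN allow rules above it. The addresses for JPNET, "homer" and the WAN IP are constructed placeholders, since the article does not give them.

```python
import ipaddress
from collections import namedtuple

# Constructed placeholder addresses: the article names "JPNET" and "homer"
# but does not give their addresses, so these values are invented for the example.
ANY = ipaddress.ip_network("0.0.0.0/0")
JPNET = ipaddress.ip_network("203.0.113.0/24")
HOMER = ipaddress.ip_network("192.168.1.10/32")
WAN_IP = ipaddress.ip_network("198.51.100.7/32")

# A rule: action "pass"/"block", proto "tcp"/"udp"/None (any), src/dst networks,
# ports = inclusive destination port range or None (any port).
Rule = namedtuple("Rule", "action proto src dst ports")

def matches(rule, proto, src, dst, dport):
    if rule.proto is not None and rule.proto != proto:
        return False
    if src not in rule.src or dst not in rule.dst:
        return False
    return rule.ports is None or rule.ports[0] <= dport <= rule.ports[1]

def evaluate(rules, proto, src, dst, dport):
    """m0n0wall-style first-match evaluation: the first matching rule decides;
    if nothing matches, the packet is blocked (the firewall's default)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "block"

# LAN interface, as in Figure 6: three NetBIOS/SMB blocks, then the default allow.
LAN_RULES = [
    Rule("block", "tcp", ANY, ANY, (137, 139)),  # NetBIOS name/datagram/session
    Rule("block", "tcp", ANY, ANY, (135, 135)),  # MS-RPC endpoint mapper
    Rule("block", "tcp", ANY, ANY, (445, 445)),  # SMB over TCP
    Rule("pass", None, ANY, ANY, None),          # default rule: allow all from LAN
]

# WAN interface: six explicit allows, then the catch-all block.
WAN_RULES = [
    Rule("pass", "tcp", JPNET, HOMER, (3389, 3389)),  # Terminal Services from JPNET
    Rule("pass", "tcp", JPNET, WAN_IP, (443, 443)),   # remote admin over HTTPS
    Rule("pass", "tcp", JPNET, WAN_IP, (80, 80)),     # remote admin over HTTP
    Rule("pass", "tcp", ANY, HOMER, (443, 443)),      # public HTTPS to homer
    Rule("pass", "tcp", ANY, HOMER, (80, 80)),        # public HTTP to homer
    Rule("pass", "tcp", ANY, HOMER, (25, 25)),        # public SMTP to homer
    Rule("block", None, ANY, ANY, None),              # catch-all block
]
```

Evaluating `LAN_RULES[:-1]` (the list without its final allow rule) shows the point made above: with no explicit allow, every LAN packet falls through to the default block.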
