[quote="Chupaka"][quote="meverest"]The problem with that is that when the remote gateway is on that interface, a rule based on outbound interface only will effectively block access to the internet as well.[/quote]
What gateway do you mean? If a user talks to its own segment, it cannot be filtered by the firewall, if it's not wireless =)[/quote]
What we are talking about here is something like a wireless hotspot appliance router. The idea is that you plug the thing into some network; call it the private network. The hotspot appliance uses a DHCP client to get an address from that network, and then public-access users on the wireless side can log on to the hotspot and access the internet. OK so far.
The problem, though, is that the wireless clients can also potentially access other hosts that are on the private network. What we need is to prevent wireless clients from accessing hosts on the public network while still allowing access through the internet gateway on that private network.
If we knew in advance what the subnet of the private network is, we could easily use a forward filter with src-address='wireless network' dst-address='private network' action=drop.
But until the device is plugged in and gets a DHCP address, we don't know what the subnet will be.
[quote="Chupaka"][quote="meverest"]Not only that, but it will probably prevent even the DHCP client from obtaining any address.[/quote]
The local DHCP server is affected by the 'output' chain, not the 'forward' chain.[/quote]
I was actually thinking about the hotspot's dhcp-client device getting an address from the private network's DHCP server, but good point! The same argument is true. Thanks.
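One way to get the "drop wireless to private subnet" forward rule without knowing the subnet in advance, as an added RouterOS example that is not from anyone in this thread: let the DHCP client's own script populate a firewall address-list with the network it just learned, and have the forward rule match on that list. The interface names (ether1 as the private-network uplink, wlan1 as the hotspot side) and the list name private-lan are assumptions for illustration; the $bound and $interface variables are the ones RouterOS sets for dhcp-client scripts.

```routeros
# Added example, not from the thread. Assumptions: ether1 = uplink into the
# private network, wlan1 = hotspot side, address-list name "private-lan".

# Forwarded traffic from hotspot clients to anything in the learned private
# subnet is dropped. Internet traffic has a public destination address, so it
# is not in the list and still passes through the gateway on the private LAN.
# Place this early in the forward chain, before any accept covering wlan1.
/ip firewall filter
add chain=forward in-interface=wlan1 dst-address-list=private-lan action=drop comment="hotspot clients may not reach the private LAN"

# The DHCP client script runs on every lease event. $bound is 1 when a lease
# is added or renewed and 0 when it is lost; $interface is the client's
# interface. The router's own DHCP exchange is output/input traffic, so the
# forward drop above never touches it (as noted in the thread).
/ip dhcp-client
add interface=ether1 disabled=no script={
    # always start from a clean list so a changed subnet does not leave stale entries
    /ip firewall address-list remove [find list=private-lan]
    :if ($bound=1) do={
        # dynamic address installed by this client, e.g. 192.168.5.77/24
        :local addr [:tostr [/ip address get [find dynamic=yes interface=$interface] address]]
        # prefix length is everything after the slash -> "24"
        :local prefix [:pick $addr ([:find $addr "/"] + 1) [:len $addr]]
        # network field is the masked address, e.g. 192.168.5.0
        :local net [/ip address get [find dynamic=yes interface=$interface] network]
        /ip firewall address-list add list=private-lan address=("$net/$prefix") comment=("learned by DHCP on " . $interface)
    }
}
```

Because the list is rebuilt on every lease event, moving the appliance to a different private network, or the network being renumbered, updates the rule without any manual change. If wireless clients are supposed to reach one host on the private side (for example its DNS server), add an accept for that host above the drop; the hotspot's own DHCP and DNS answers to its clients originate on the router and are not forwarded, so they are unaffected.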