Netgate Discussion Forum
    Restrict traffic from second firewall

    Firewalling
    darkcorner (last edited by darkcorner)

      pfSense has two NICs for two DMZ.
      I'm managing DMZ1 and I create the rules.
      On the NIC for DMZ2 there is a direct cable to a second firewall in cascade managed by an external technician and on which I do not put my hands.
      All I have to do is forward port 4500 to this firewall.
      I would then leave everything open so that the rules are defined on the second firewall by the other technician.
      Instead I would put a rule that blocks access from DMZ2 to LAN and DMZ1.

      So I would do the following.
      In NAT / Port Forward:

      • WAN interface
      • To: DMZ2 Second Firewall Address
      • Port: 4500

      In Rules / DMZ2:

      • Block any From DMZ2 to LAN
      • Block any From DMZ2 to DMZ1
      • Block any From DMZ2 to Private Networks (RFC 1918)
      • Permit Any From Any to Any

      In this way, if I have not made mistakes, I block access to everything that does not concern the Internet or the network downstream of the second firewall.

      viragomann @darkcorner

        @darkcorner
        Since there is no other device on the DMZ2 NIC, there is no need to specify the source in the block rules. Simply set it to "any", as already mentioned in the other thread.

        Presuming you use only RFC 1918 networks on LAN and DMZ1, there is no need for extra block rules. The RFC 1918 block will cover all these networks.

        Permit Any From Any to Any

        Are you expecting other sources than DMZ2 subnet?
        In a pass rule stating the source would make sense to me, but possibly you have other requirements.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.