Can't block non-whitelist hosts from access to LAN
-
Hi,
I have an alias LAN_WHITELIST with computers that can access LAN resources. For the others I would like to do only internet access. However, for some reason the blocking rule for !LAN_WHITELIST to INTERNAL_LAN (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) does not block this access to LAN servers.
My rule set looks like this:
Could I please get some help?
EDIT: May it be that the traffic doesn't go via router, so I can't block it with firewall rules? All hosts and servers are in the same local network.
-
@dansci
Firewall rules are probed for matching parameters one by one from the top of the rule set to the bottom. If any match, it is applied and all others below are ignored. In your rule set there is a pass rule for LAN_WHITELIST to INTERNAL_LAN in the second position, above the block rule in question. Hence this access is passed.
Not clear at all why you have a pass and a block rule for the same networks. But if you want the block rule to take effect move it to the top of the rule set.
-
You cannot block local hosts from communicating with other local hosts on the same network segment with a firewall rule. That's because traffic from host-to-host within the same network segment bypasses the firewall. It flows directly from the switch port of the "source host" to the switch port of the "destination host" solely within the switch fabric. The firewall never sees the traffic.
As has been mentioned here many times in the past, this is a very common misconception that new firewall admins frequently have.
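To make both answers concrete (first-match rule evaluation, and the fact that same-segment traffic never reaches the firewall), here is an added example that is not part of the thread. The rule set, the whitelist addresses and the 192.168.1.0/24 LAN are constructed for illustration.

```python
import ipaddress

# Constructed whitelist and the INTERNAL_LAN alias from the thread.
LAN_WHITELIST = {"192.168.1.10", "192.168.1.11"}
INTERNAL_LAN = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_internal_lan(ip):
    return any(ipaddress.ip_address(ip) in n for n in INTERNAL_LAN)


# Each rule is (action, source predicate, destination predicate),
# listed top to bottom as they would appear in the firewall GUI.
RULES = [
    ("pass",  lambda s: s in LAN_WHITELIST,     in_internal_lan),            # LAN_WHITELIST -> INTERNAL_LAN
    ("block", lambda s: s not in LAN_WHITELIST, in_internal_lan),            # !LAN_WHITELIST -> INTERNAL_LAN
    ("pass",  lambda s: True,                   lambda d: not in_internal_lan(d)),  # anything -> internet
]


def evaluate(src, dst, rules=RULES):
    """First-match semantics: the first rule whose predicates both hold wins;
    rules below it are never consulted. No match means the implicit deny."""
    for action, src_ok, dst_ok in rules:
        if src_ok(src) and dst_ok(dst):
            return action
    return "block"


def routed_decision(src, dst, lan="192.168.1.0/24"):
    """Only packets that cross a segment boundary are routed through the
    firewall. Two hosts on the same segment talk switch port to switch port,
    so the rule set is never evaluated for them at all."""
    net = ipaddress.ip_network(lan)
    if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net:
        return "bypasses firewall"
    return evaluate(src, dst)


if __name__ == "__main__":
    for src, dst in [("192.168.1.99", "192.168.1.50"),   # same segment: never seen
                     ("192.168.1.99", "192.168.2.50"),   # other VLAN: block rule applies
                     ("192.168.1.10", "192.168.2.50"),   # whitelisted host: pass rule
                     ("192.168.1.99", "203.0.113.5")]:   # internet: allowed
        print(f"{src} -> {dst}: {routed_decision(src, dst)}")
```

Moving the hosts you want to isolate onto their own VLAN is what makes the last three cases reachable by the rule set; the first case stays invisible to the firewall no matter how the rules are ordered.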
-
@viragomann @bmeeks thanks for your answers. So now I'm going to configure VLANs, which seems to be a more suitable solution.