Netgate Discussion Forum
    Keeping new interface from the others

    TomBodet

      I have 4 interfaces: LAN, WAN, DMZ and DMZSFTP

      DMZSFTP is 192.168.10.0/24.
      All the other interfaces (besides WAN) are of a 192.168.x.x scheme.

      I have an allow rule under DMZSFTP that states any port, any protocol, source is network 192.168.10.0/24, destination is NOT network 192.168.0.0/16. It is the very first rule in the list.

      In other words, I'd like the interface to be allowed to go anywhere that isn't a 192.168 address, which should translate to WAN only, yet I can ssh to a private IP in the DMZ.

      I always struggle with this as it's backwards from how I'm used to thinking about it.  I've been able to add specific blocks for each network to stop the cross over but I thought having the NOT rule would be an implied block.

      The end result I'm looking for is to allow servers on the DMZSFTP interface to get out to push files but make damn sure they can't get anywhere else. What's the right way to do this?

      Thanks.

    jrmitchell83

        I have similar questions. We frequently add new interfaces/vlans and some are a type of LAN and others are internet access only.

        I feel like it's a management nightmare to juggle and I really wish there was a better way of setting a rule for "internet access only" or straight-out access. Having to create a rule to allow ALL except for the networks specified in aliases leaves a huge margin for OOOPS, I accidentally allowed access to all my LANs.

        What are others doing to clearly separate LAN and internet only/dmz traffic?

    jimp (Rebel Alliance Developer, Netgate)

          Having any kind of automation or shortcuts is never going to satisfy everyone. The scenarios for this kind of setup vary quite a bit.

          The best thing to do is to have explicit rules stating what you want them to be able to do and not do. This can be made easier if you make an rfc1918 alias containing 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8, then:

          pass from (this network) to (this network)
          block from (this network) to rfc1918
          pass from (this network) to any

          The only downside of that is they can reach anything on the firewall on that segment, but you can toss a couple of rules at the top of that to narrow it down:

          pass from (this network) to (firewall's ip on that network) on whatever ports you want, probably at least tcp/udp 53
          block from (this network) to (firewall's ip)

          Alternately, toss all that, and use floating rules to block "out" quick on the other interfaces from the networks you don't want to get there.

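The rule order jimp lays out above, evaluated first-match against a few constructed flows. This is an added illustration, not code from the thread or from pfSense; the firewall address on DMZSFTP, the DMZ host and the Internet address are assumed values chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Networks from the thread plus assumed sample addresses (not from the post).
THIS_NET = ip_network("192.168.10.0/24")        # DMZSFTP, as in the post
FW_IP = ip_network("192.168.10.1/32")           # assumed firewall address on DMZSFTP
RFC1918 = [ip_network("192.168.0.0/16"),        # the rfc1918 alias jimp describes
           ip_network("172.16.0.0/12"),
           ip_network("10.0.0.0/8")]
ANY = [ip_network("0.0.0.0/0")]

# One rule per tuple: (action, source nets, destination nets, dest ports or None).
# Order matters: pfSense interface rules are first match wins.
RULES = [
    ("pass",  [THIS_NET], [FW_IP],   {53}),   # DNS to the firewall itself
    ("block", [THIS_NET], [FW_IP],   None),   # nothing else to the firewall
    ("pass",  [THIS_NET], [THIS_NET], None),  # pass this network to this network
    ("block", [THIS_NET], RFC1918,   None),   # block this network to rfc1918
    ("pass",  [THIS_NET], ANY,       None),   # pass this network to any (Internet)
]


def in_any(nets, addr):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def evaluate(src, dst, dport, rules=RULES):
    """Return the action of the first matching rule, or the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, srcs, dsts, ports in rules:
        if in_any(srcs, src) and in_any(dsts, dst) and (ports is None or dport in ports):
            return action
    return "block"  # no rule matched: pfSense drops it


if __name__ == "__main__":
    # Constructed flows from a DMZSFTP host (192.168.10.20 is an assumed address).
    for dst, port in [("192.168.20.5", 22), ("203.0.113.10", 22),
                      ("192.168.10.30", 22), ("192.168.10.1", 53), ("192.168.10.1", 443)]:
        print(f"192.168.10.20 -> {dst}:{port}  {evaluate('192.168.10.20', dst, port)}")
```

Because the block-to-rfc1918 rule sits before the pass-to-any rule, a DMZ host in another 192.168.x.x or 10.x.x.x segment is rejected even though "any" would otherwise have matched it.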
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.