Netgate Discussion Forum

DMZ

General pfSense Questions
25 Posts 5 Posters 3.8k Views
Atreides:

So, this better?

[attachment: 20170117-rules.png]
KOM:

I suspect not, if your pfSense DMZ interface is part of RFC1918. Why not get rid of your last two rules and then just copy my last rule?
Atreides:

Well, I have many subnets… I guess I could block them all, but won't that be the same as I currently have?
Atreides:

Here's what I ended up with:

[attachment: block-by-net.png]
KOM:

Still no good. Your 4th rule allows all access to anywhere. Delete it entirely.
jahonix:

You have lots of "allow BUT" rules, the ones with "!". Doesn't make sense.
Either make them block that range OR make them allow it, but NOT "allow all but…"
jahonix:

@KOM:
… just copy my last rule?

Problem is that it works but is harder to follow than need be.
Blocking something with an allow rule seems … strange.

Better use one rule first to explicitly block * to LAN.
Add another rule to allow * to world.
Atreides:

@jahonix:
@KOM:
… just copy my last rule?

Problem is that it works but is harder to follow than need be.
Blocking something with an allow rule seems … strange.

Better use one rule first to explicitly block * to LAN.
Add another rule to allow * to world.

Yea, this is what I wanted to do originally.
Atreides:

@Atreides:
So, this better?

Doesn't my earlier post above accomplish that?
jahonix:

It does.
Don't know what problems KOM had with it, I'd do it that way.
Atreides:

@jahonix:
It does.
Don't know what problems KOM had with it, I'd do it that way.

Great! That is why I was confused. I'll try that.

Thanks everyone.
KOM:

Your first ruleset allowed access everywhere before the LAN block. Your second ruleset has you blocking all private IP space and not just LAN. Your 3rd ruleset allowed everything before the blocks.

Second ruleset would do the job, but the block is overly broad, and this can potentially impact you down the road if you add any interfaces or VLANs.
Atreides:

@KOM:
Your first ruleset allowed access everywhere before the LAN block. Your second ruleset has you blocking all private IP space and not just LAN. Your 3rd ruleset allowed everything before the blocks.

Second ruleset would do the job, but the block is overly broad, and this can potentially impact you down the road if you add any interfaces or VLANs.

How so? The DMZ shouldn't have access to any other VLANs/interfaces.
KOM:

@Atreides:
How so? The DMZ shouldn't have access to any other VLANs/interfaces.

Sure, until you add one for some reason and then need access from DMZ to LAN (for custom DNS, for example) and can't figure out why things aren't working. If you only have the LAN and DMZ then you could just as easily have used LAN net instead of your RFC1918 alias.
jahonix:

@KOM:
…If you only have the LAN and DMZ ...

@Atreides:
Well, I have many subnets…

He doesn't and he told us.
No need to complicate things with what could happen in the future. KISS.
KOM:

@jahonix:
No need to complicate things with what could happen in the future. KISS.

Precisely, which is why when you want to block access specifically to LAN, you block access to that LAN's subnet and not all of RFC1918 space. Right now, he's got 5 subnets with a total of ~1200 addresses being handled by a block rule that targets ~18 million addresses. While I also hang my hat on KISS, I fail to see how using an RFC1918 alias with 18 million addresses is easier than just using LAN net or ! local net.
Atreides:

This way, I have one rule that will cover anything I make in the future. If I were to specifically cover each subnet, that would mean every time I add a VLAN or subnet I have to worry about forgetting to block it. I would much rather play it safe with a single rule and selectively whitelist anything I want through the firewall. How is it complicated?

If I have a VLAN that I want to be able to access something in the DMZ, I just make a single rule for that IP or network, which is what I've currently done. It's much safer to whitelist everything I want to let through than blacklist everything I want blocked anyway.

Yes, either way would work, but I think I prefer this way. Thanks for the help.
KOM:

@Atreides:
How is it complicated?

It just depends on your point of view and how you work, that's all. Both methods will work. For me, I would never forget to secure a newly-added subnet, but I might easily forget that I blocked all of private IP space in a block rule made potentially months or years ago.

I'm glad you have it working the way you want.
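The rulesets argued over in this thread, reduced to a first-match evaluator so the differences can be checked rather than eyeballed in a screenshot. This is an added example and is not code from the thread or from pfSense. The subnets (192.168.1.0/24 as LAN net, 10.50.0.0/24 as a VLAN added later) and the probe addresses are constructed for the example, and the rule model keeps only destination matching, since every rule under discussion has Source = DMZ net. It reproduces KOM's observations (a pass-any rule placed above the LAN block makes the block dead; an RFC1918 alias block catches a later-added VLAN that a LAN-net block lets through) and shows why KOM's single "allow DMZ to ! LAN net" rule works: LAN traffic matches nothing and falls to the implicit default deny. pfSense installs interface rules as pf "quick" rules, so first match wins, which is what `evaluate` implements.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the example (assumed, not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FUTURE_VLAN = ipaddress.ip_network("10.50.0.0/24")   # an interface added months later

# pfSense-style alias for all of RFC1918 space, and the "any" destination.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    """One pfSense interface rule with Source = DMZ net (source matching omitted)."""
    action: str                 # "pass" or "block"
    dst: list                   # destination networks (a single network or an alias)
    negate_dst: bool = False    # the "!" / Invert match checkbox on Destination
    label: str = ""

    def matches(self, ip):
        hit = any(ip in net for net in self.dst)
        return hit != self.negate_dst   # "!" turns a hit into a miss and vice versa


def evaluate(ruleset, dst):
    """Return (action, rule index, label) for a DMZ host sending to dst.

    Interface rules are evaluated top to bottom and the first match wins
    (pf 'quick'); if nothing matches, the implicit default deny applies.
    """
    ip = ipaddress.ip_address(dst)
    for idx, rule in enumerate(ruleset):
        if rule.matches(ip):
            return rule.action, idx, rule.label
    return "block", None, "implicit default deny"


def shadowed_rules(ruleset, probes):
    """Labels of rules that no probe destination ever reaches (dead rules)."""
    reached = {evaluate(ruleset, p)[1] for p in probes}
    return [r.label for i, r in enumerate(ruleset) if i not in reached]


# The candidate rulesets from the thread, top to bottom as they would appear in the GUI.
ALLOW_FIRST = [                         # pass-any placed above the block: the block is dead
    Rule("pass", ANY, label="allow DMZ to any"),
    Rule("block", [LAN_NET], label="block DMZ to LAN"),
]
LAN_BLOCK = [                           # jahonix's two rules: block LAN first, then allow world
    Rule("block", [LAN_NET], label="block DMZ to LAN"),
    Rule("pass", ANY, label="allow DMZ to any"),
]
RFC1918_BLOCK = [                       # Atreides' final choice: block all private space first
    Rule("block", RFC1918, label="block DMZ to RFC1918 alias"),
    Rule("pass", ANY, label="allow DMZ to any"),
]
NOT_LAN = [                             # KOM's single rule: allow DMZ to "! LAN net"
    Rule("pass", [LAN_NET], negate_dst=True, label="allow DMZ to ! LAN net"),
]

# Constructed probe destinations: a LAN host, an Internet host, a host on the future VLAN.
PROBES = ["192.168.1.10", "8.8.8.8", "10.50.0.5"]


def audit(ruleset):
    """Map each probe destination to the action the ruleset takes on it."""
    return {p: evaluate(ruleset, p)[0] for p in PROBES}


if __name__ == "__main__":
    for name, rs in (("ALLOW_FIRST", ALLOW_FIRST), ("LAN_BLOCK", LAN_BLOCK),
                     ("RFC1918_BLOCK", RFC1918_BLOCK), ("NOT_LAN", NOT_LAN)):
        print(name, audit(rs), "dead rules:", shadowed_rules(rs, PROBES))
```

The only probe on which LAN_BLOCK and RFC1918_BLOCK disagree is the future-VLAN host, which is exactly the disagreement in the thread; both are defensible. What is not defensible is ALLOW_FIRST, where `shadowed_rules` reports the LAN block as unreachable, so the screenshot looks like it restricts the DMZ while the firewall allows everything.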
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.