Firewall Rules Structure Question

  • Regarding firewall rules, I would like to set up types of VLANs:
    LAN access only with whitelist
    WAN access only with whitelist
    LAN and WAN

    I've figured out how to block specific IPs from WAN in the LAN firewall rules, but I haven't figured out how to add a "block all WAN" and have an "allow this alias" access to WAN.
    Also, I cannot figure out how to block LAN access at all. Any suggestions?

    I'm thinking of how to do this the best way:
    The aliases will have the VLAN subnets in them.

    VLAN10 - LAN access only with whitelist:
    Allow "alias10" LAN access
    Block all WAN access
    Block all LAN access

    VLAN20 - WAN access only with whitelist:
    Allow "alias20" WAN access
    Block all WAN access
    Block all LAN access

    VLAN30 - LAN and WAN:
    This one will be trusted so Allow all is fine.

  • Is there an implicit deny that's invisible on the interfaces already?

  • LAYER 8 Global Moderator

    Yes, all interfaces have a default deny. That is not shown in the GUI. There has been discussion of allowing this to be shown in the GUI. But it's a given that if there is no allow rule then traffic is denied.

    You might place a specific deny on the interface to deny stuff you don't want logged by the default deny, etc. Or if you just like to see it when looking at your rules.
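The following is an added example, not code from either poster: a small first-match rule evaluator that models the three VLAN rule sets from the first post together with the implicit default deny the moderator describes. It assumes rules on an interface are evaluated top to bottom with the first match winning (the usual behaviour on pfSense-style interface tabs), that "WAN" means any destination outside the aliased LAN subnets, and that the subnets and alias members are constructed values, not taken from the thread. It also shows the ordering caveat a practitioner would want: the whitelist allow has to sit above the matching block rule, or the block swallows it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets and alias members (assumption: not from the thread).
VLAN10 = ipaddress.ip_network("10.0.10.0/24")
VLAN20 = ipaddress.ip_network("10.0.20.0/24")
VLAN30 = ipaddress.ip_network("10.0.30.0/24")

ALIASES = {
    "any": None,                                   # matches every address
    "lan_nets": [VLAN10, VLAN20, VLAN30],          # all local VLAN subnets
    "alias10": [ipaddress.ip_network("10.0.10.50/32")],  # VLAN10 whitelist
    "alias20": [ipaddress.ip_network("10.0.20.7/32")],   # VLAN20 whitelist
}


@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name for the source
    dst: str      # alias name for the destination; "!" prefix negates it
    desc: str = ""


def matches(alias: str, ip: ipaddress.IPv4Address, negate: bool = False) -> bool:
    """True if ip is covered by the alias (or not covered, when negated)."""
    nets = ALIASES[alias]
    hit = True if nets is None else any(ip in n for n in nets)
    return (not hit) if negate else hit


def evaluate(rules, src_ip: str, dst_ip: str):
    """First-match evaluation; falls through to the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        negate = rule.dst.startswith("!")
        if matches(rule.src, src) and matches(rule.dst.lstrip("!"), dst, negate):
            return rule.action, rule.desc
    return "block", "default deny (implicit, not shown in the GUI)"


# VLAN10: LAN access only, whitelisted by alias10. "WAN" is !lan_nets.
VLAN10_RULES = [
    Rule("pass", "alias10", "lan_nets", "allow alias10 LAN access"),
    Rule("block", "any", "!lan_nets", "block all WAN access"),
    Rule("block", "any", "lan_nets", "block all LAN access"),
]

# VLAN20: WAN access only, whitelisted by alias20.
VLAN20_RULES = [
    Rule("pass", "alias20", "!lan_nets", "allow alias20 WAN access"),
    Rule("block", "any", "!lan_nets", "block all WAN access"),
    Rule("block", "any", "lan_nets", "block all LAN access"),
]

# VLAN30: trusted, allow all.
VLAN30_RULES = [Rule("pass", "any", "any", "allow all")]

# Same rules as VLAN20 but with the allow placed below the block:
# under first-match evaluation the whitelist never gets a chance to fire.
VLAN20_MISORDERED = [VLAN20_RULES[1], VLAN20_RULES[0], VLAN20_RULES[2]]

# The two explicit blocks on VLAN10/VLAN20 only make the denial visible and
# loggable per rule; with no rules at all the outcome is the same default deny.
EMPTY_RULES = []

if __name__ == "__main__":
    wan_host = "203.0.113.10"   # TEST-NET-3 documentation address
    for name, rules in [("VLAN10", VLAN10_RULES), ("VLAN20", VLAN20_RULES),
                        ("VLAN20 (misordered)", VLAN20_MISORDERED)]:
        for src in ("10.0.10.50", "10.0.10.51", "10.0.20.7"):
            for dst in ("10.0.30.5", wan_host):
                print(name, src, "->", dst, evaluate(rules, src, dst))
```

Reading the output side by side makes the structure clear: the only lines that differ between VLAN10 and VLAN20 are the single allow at the top and which block it is meant to be an exception to, and reordering that allow below its block turns the whitelist into a no-op.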
