Firewall Rules Structure Question

  • Regarding firewall rules, I would like to set up types of VLANs:
    LAN acccess only with whitelist
    WAN access only with whitelist
    LAN and WAN

    I've figured out how to block specific IP's from WAN in the LAN firewall rules, but I haven't figured out how to add a "block all WAN" and have an "allow this alias" access to WAN.
    Also, I cannot figure out how to block LAN access at all. Any suggesstions?

    I'm thinking of how to do this the best way:
    The aliases will have the VLAN subnets in them.

    VLAN10 - LAN acccess only with whitelist:
    Allow "alias10" LAN access
    Block all WAN access
    Block all LAN access

    VLAN20 - WAN access only with whitelist:
    Allow "alias20" WAN access
    Block all WAN access
    Block all LAN access

    VLAN30 - LAN and WAN:
    This one will be trusted so Allow all is fine.

  • Is there an implicit deny that's invisible on the interfaces already?

  • LAYER 8 Global Moderator

    Yes all interface have a default deny.. That is not shown in the gui..  There has been discussion of allowing this to be shown in the gui..  But its a given that if no allow rule then traffic is deny..

    You might place a specific deny on the interface to deny stuff you don't want logged by the default deny, etc.  Or if you just like to see it when looking at you rules.