Help with rules from DMZ to Internet with limited LAN access



  • Hello everyone!
    I have a computer (anti-spam) on my DMZ, exposed to the internet with a NAT on one of my WANs.
    I have a working rule that allows you to communicate with two IP addresses on my LAN and nothing else. So far, so good.
    Now, I need that computer to be able to connect to the Internet, but not to the rest of my LAN.
    If I set up a DMZ to any rule it connects to the internet but also to the entire LAN.
    How and where do you recommend that I set up the rules to communicate to the Internet and only to the IP addresses of my LAN that I tell you?
    Thank you very much for any hint!
    Warm greetings

    Gabriel



  • Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?


  • 
    @Derek:

    Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?

    ^^ this

    Check out the attached screenshot, replace TEST net with DMZ net, g_ip_local contains my local IP addresses.




  • @NogBadTheBad:

    @Derek:

    Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?

    ^^ this

    Check out the attached screenshot, replace TEST net with DMZ net, g_ip_local contains my local IP addresses.

    Thank you very much for the tip! I'm gonna try it and then come back and tell you how it went.
    Best regards!



  • I might add that a nice approach is to generate an alias with the whole RFC1918 networks and explicitly block connections from DMZ to this alias before the allow to internet rule.
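The two suggestions above (a deny-to-LAN rule placed before the allow-all rule, and an RFC 1918 alias blocked before the allow-to-internet rule) both rely on the firewall evaluating interface rules top-down with first match winning, which is how pfSense/OPNsense process rules on the interface where traffic enters. The following Python model is an added example, not code from this thread or from any firewall product: it simulates that first-match evaluation for the DMZ interface so you can see why rule order decides whether the LAN leaks. The alias names DMZ_net and g_ip_local are taken from the screenshot description above; the RFC1918 alias, all IP ranges and the probe addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed aliases for the example (addresses are not from the thread).
ALIASES = {
    "DMZ_net": ["192.168.50.0/24"],                       # anti-spam box lives here
    "g_ip_local": ["192.168.10.25/32", "192.168.10.26/32"],  # the only two LAN hosts it may reach
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # all private space
}


def resolve(name: str):
    """Expand an alias (or 'any') into a list of ip_network objects."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(cidr) for cidr in ALIASES[name]]


@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name or "any"
    dst: str      # alias name or "any"
    comment: str = ""


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in n for n in resolve(rule.src)) and any(d in n for n in resolve(rule.dst))


def evaluate(rules, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First-match, top-down evaluation; unmatched traffic hits the default deny.

    Returns (action, index of the matching rule or None for the default deny).
    """
    for idx, rule in enumerate(rules):
        if matches(rule, src_ip, dst_ip):
            return rule.action, idx
    return "block", None


# Ruleset as described in the question: the "DMZ to any" rule also reaches the LAN.
LEAKY = [
    Rule("pass", "DMZ_net", "g_ip_local", "allow the two LAN hosts"),
    Rule("pass", "DMZ_net", "any", "allow internet - but 'any' includes the LAN"),
]

# Ruleset as suggested in the replies: block private space before the allow-all.
FIXED = [
    Rule("pass", "DMZ_net", "g_ip_local", "allow the two LAN hosts"),
    Rule("block", "DMZ_net", "RFC1918", "deny everything else private"),
    Rule("pass", "DMZ_net", "any", "what is left is the internet"),
]


def audit(rules):
    """Probe a ruleset from the DMZ host against a LAN host it may reach,
    another LAN host, and an internet address (203.0.113.10 is documentation space)."""
    dmz_host = "192.168.50.5"
    probes = {
        "allowed_lan_host": "192.168.10.25",
        "other_lan_host": "192.168.10.99",
        "internet": "203.0.113.10",
    }
    return {name: evaluate(rules, dmz_host, dst)[0] for name, dst in probes.items()}


if __name__ == "__main__":
    for label, rules in (("leaky", LEAKY), ("fixed", FIXED)):
        print(label, audit(rules))
```

Running it shows the leaky set passing traffic to the "other" LAN host via the allow-all rule, while the fixed set blocks it at the RFC 1918 rule and still passes both the two permitted LAN hosts (matched first) and the internet probe. The same ordering applies if you use a "LAN net" alias instead of the full RFC 1918 alias, but the broader alias also covers any other private subnets you add later.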