Help with rules from DMZ to Internet with limited LAN access



  • Hello everyone!
    I have a computer (anti-spam) on my DMZ, exposed to the internet with a NAT on one of my WANs.
    I have a working rule that allows it to communicate with two IP addresses on my LAN and nothing else. So far, so good.
    Now, I need that computer to be able to connect to the Internet, but not to the rest of my LAN.
    If I set up a DMZ-to-any rule it connects to the internet but also to the entire LAN.
    How and where do you recommend that I set up the rules so it can communicate with the Internet and only with the LAN IP addresses that I specify?
    Thank you very much for any hint!
    Warm greetings

    Gabriel



  • Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?


    @Derek:

    Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?

    ^^ this

    Check out the attached screenshot, replace TEST net with DMZ net, g_ip_local contains my local IP addresses.




  • @NogBadTheBad:

    @Derek:

    Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?

    ^^ this

    Check out the attached screenshot, replace TEST net with DMZ net, g_ip_local contains my local IP addresses.

    Thank you very much for the tip! I'm gonna try it and then come back and tell you how it went.
    Best regards!



  • I might add that a nice approach is to generate an alias with the whole of the RFC 1918 networks and explicitly block connections from DMZ to this alias before the allow-to-internet rule.
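    As an added illustration (not code from the thread or from any firewall product), here is a small first-match model in Python of the rule ordering recommended above: pass to the two permitted LAN hosts, block the whole RFC 1918 alias, then pass to any. All addresses and alias names are constructed sample values; the model assumes first-match evaluation and an implicit default deny, which is the behaviour the replies rely on.

    ```python
    import ipaddress

    # Rule table for traffic leaving the DMZ host, evaluated first-match.
    # All addresses below are constructed sample values, not a real network.

    # Alias like the thread's "g_ip_local": the two LAN hosts the DMZ box
    # is allowed to reach (constructed).
    ALLOWED_LAN_HOSTS = [ipaddress.ip_network("192.168.1.10/32"),
                         ipaddress.ip_network("192.168.1.20/32")]

    # Alias covering all RFC 1918 private space, as the last reply suggests.
    RFC1918 = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

    ANY = [ipaddress.ip_network("0.0.0.0/0")]

    # (action, destination alias) in evaluation order: the deny sits before
    # the allow-to-internet rule, so only the two listed LAN hosts get through.
    RULES = [
        ("pass", ALLOWED_LAN_HOSTS),
        ("block", RFC1918),
        ("pass", ANY),
    ]

    # The ordering the original poster started with: "DMZ to any" is hit
    # before the block, so the whole LAN becomes reachable.
    BROKEN_RULES = [
        ("pass", ALLOWED_LAN_HOSTS),
        ("pass", ANY),
        ("block", RFC1918),
    ]

    def matches(dst, alias):
        """True if the destination address falls inside any network of the alias."""
        return any(dst in net for net in alias)

    def evaluate(rules, dst):
        """Return the action of the first rule whose destination alias matches dst.
        No matching rule means the packet is dropped (implicit default deny)."""
        dst = ipaddress.ip_address(dst)
        for action, alias in rules:
            if matches(dst, alias):
                return action
        return "block"

    if __name__ == "__main__":
        for dst in ("192.168.1.10", "192.168.1.50", "10.0.0.5", "8.8.8.8"):
            print(f"{dst}: correct order -> {evaluate(RULES, dst)}, "
                  f"broken order -> {evaluate(BROKEN_RULES, dst)}")
    ```

    Running it shows that only the rule order differs between the two tables, yet the broken order lets the DMZ host reach 192.168.1.50 while the recommended order blocks it.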

