Firewall rules (& Vlans)



  • This is mainly just for learning purposes and me experimenting while trying to get my head around how these things work.

    I have two VLANs, 10 and 20, both with a different PC on them. On V10 & V20 for testing I have an allow all rule and can ping from both V10 and V20 to each other.

    On V20 I have added rule blocking all to destination V10. When pinging from V20 I can not reach V10 (as expected). On V20 adding a rule block all with source as V20 I am also unable to ping from V20 (as expected).

    The bit I am tying to get my head around is that rules are made by the "incoming" interface. If I do a rule on V20 that states block all with the source as "V10 net", the computer on V10 is still able to ping V20 successfully.

    When it says incoming interface, does this mean to basically make V20 "unpingable" from outside, I need make a rule on V10 (and any other interface) stating block destination V20? As in am I understanding this correctly - with the situation above - V10 is the "incoming interface" which initiates a connection/state with V20?

    Also, I dont quite understand how it then applies to external internet access. For example, I know from the above I can make a rule on V20 stopping LAN computers accessing the internet i.e block all except LAN computers, but on this firewalling theory how to do stop external access - as show as above with V10 still able to ping V20 even with a "block all" rule on V20. I can access everyone elses firewall to stop pinging V20!!

    Also - why do people always change the source when blocking traffic from that interface ie. source "V20 net" on the V20 interace, why not "any", as surely all traffic on the V20 interface will be from V20 net


  • Netgate

    If you want to block connections from V10 to someplace, you block it with a rule on V10. That's where the connection enters (is incoming) from the firewall's perspective.

    You stop inbound access on WAN with rules on WAN. You only pass that which you want to pass. Everything else is blocked.