Rules to restrict traffic to other interfaces
-
Hi,
I now have a FortiGate, and there is the nice feature that I can add rules which apply to a particular direction, e.g. from one interface to another.
For example, I can add a rule in the section "internal -> wan" or "internal -> dmz". Is this also possible with pfSense?
I have the problem that if I want to grant some clients access from LAN to WAN (allow from LAN to any), it is also possible that they can break out and access some servers in the other subnets (on different interfaces, for example opt1).
I have to explicitly deny every subnet I have on my other interfaces, which might lead to some mistakes (forgetting to add some subnets, etc.).
Is it possible to add rules (lan any any) so that they only apply to the direction lan->wan?
Thank you for helping
-
You only need 2 rules to accomplish this.
1 - create an alias and put all of your VLANs/subnets in here.
2 - the first firewall rule is a block for the LAN network to the alias you just created.
3 - the second firewall rule is an allow LAN to any.
That’s it. If you forget to add a subnet to the alias list, that’s on you. This is a very powerful firewall product, you have to manage it like one.
Jeff
-
@akuma1x said in Rules to restrict traffic to other interfaces:
1 - create an alias and put all of your VLANs/subnets in here.
Easier to just create an RFC1918 alias that has all of the networks in it. Now it's not possible to miss or add a VLAN that is not included. Unless you're using non-RFC1918 VLANs locally?
-
@johnpoz - I guess there could be a chance. Like the guy that posted recently about using 7.7.7.X and 8.8.8.X or something similar on his LAN interfaces.
Jeff
-
Well there is no stopping stupid ;)
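A worked model of the two-rule approach from this thread, added here as an example and not code from any of the posts or from pfSense itself: it models pfSense's top-down, first-match rule evaluation on the LAN tab, uses an RFC1918 alias as johnpoz suggests, and shows the gap akuma1x raises when a local subnet uses non-RFC1918 addresses. The LAN subnet, the opt1 server address and the 7.7.7.x address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Alias holding all RFC1918 space (johnpoz's suggestion): no local VLAN can be
# forgotten as long as every local subnet uses private address space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample LAN subnet for the demo.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Rule:
    action: str                                  # "block" or "pass"
    src: List[ipaddress.IPv4Network]             # source networks (the "LAN net" selector)
    dst: Optional[List[ipaddress.IPv4Network]]   # destination networks; None means "any"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Model of pfSense interface-tab evaluation: rules are checked top-down and the
    first match wins; traffic matching no rule hits the implicit default deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if any(s in n for n in r.src) and (r.dst is None or any(d in n for n in r.dst)):
            return r.action
    return "block"


# The two LAN-tab rules from the thread, in the order they must appear.
LAN_RULES = [
    Rule("block", [LAN_NET], RFC1918),  # 1: LAN net -> RFC1918 alias: block
    Rule("pass", [LAN_NET], None),      # 2: LAN net -> any: pass
]


def demo() -> dict:
    client = "192.168.1.10"  # constructed LAN host
    return {
        "to_internet": evaluate(LAN_RULES, client, "8.8.8.8"),             # pass
        "to_opt1_server": evaluate(LAN_RULES, client, "10.20.0.5"),        # block: covered by alias
        "reversed_order": evaluate(LAN_RULES[::-1], client, "10.20.0.5"),  # pass: ordering matters
        # akuma1x's caveat: a local subnet outside RFC1918 is not in the alias, so it is reachable.
        "to_public_ranged_vlan": evaluate(LAN_RULES, client, "7.7.7.7"),   # pass
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {verdict}")
```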