Access only to the Internet and not to the DMZ. How to do?
-
How do I address the rules only on the Internet and not on LAN or DMZ?
For example, Ping on everything on the Internet and only this:
- LAN interface
- Protocol: TCP - ICMP / Echo request
- From: LAN Net
- To: Any
But, in this way I can also PING on what is in the DMZ and I don't want to allow this.
If I use WAN Net, I refer instead to what is between the router and the pfSense WAN NIC.
I gave the example of PING, but it could be web access, FTP, or any other type. I want a PC to be able to do this by going to the Internet, but not to internal servers.
The only way I can conceive is to make a rule towards everything and immediately after a rule that blocks towards the DMZ, but I would have to duplicate practically everything.
-
@darkcorner
When you are using IPv4 private networks inside, best practice is to add an RFC 1918 alias as described here: https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html
Then edit your pass rule, at destination check "invert", select alias and enter the alias name.
So this rule allows any destination but the networks stated in the alias.
You may also add a block rule with the alias at the top of your rule set instead.
However, consider that this still enables access to pfSense public WAN IP. To block that you can add a block with "This firewall" as destination.
-
@darkcorner said in Access only to the Internet and not to the DMZ. How to do?:
But, in this way I can also PING on what is in the DMZ and I don't want to allow this.
You'll need to create a block rule on the LAN like this:
LAN interface
Protocol: TCP - ICMP / Echo request
From: LAN Net
To: DMZ Net
Then place it immediately above the allow rule you created.
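To make the two approaches in this thread concrete (the inverted RFC 1918 alias on the pass rule, and a block rule placed above the pass rule), here is an added Python model of first-match rule evaluation. It is not pfSense code and not from anyone in the thread; the LAN, DMZ and WAN addresses are constructed placeholders, and "This firewall" is approximated by the WAN address alone.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the RFC 1918 alias follows the Netgate recipe linked above.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("10.10.10.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THIS_FIREWALL = [ip_network("203.0.113.10/32")]  # constructed public WAN address of pfSense


def in_any(addr, nets):
    """True when addr falls inside any network of the alias."""
    return any(addr in net for net in nets)


def evaluate(rules, src, dst):
    """Return the action of the first matching rule, as pf does on a pfSense interface.

    A rule is (action, source networks or None for any, destination networks
    or None for any, invert destination). No match falls through to the
    implicit default block on the interface.
    """
    src, dst = ip_address(src), ip_address(dst)
    for action, src_nets, dst_nets, invert_dst in rules:
        src_hit = src_nets is None or in_any(src, src_nets)
        dst_hit = dst_nets is None or in_any(dst, dst_nets)
        if invert_dst:
            dst_hit = not dst_hit
        if src_hit and dst_hit:
            return action
    return "block"


# The original rule: LAN net -> any. Reaches the Internet, but also the DMZ.
NAIVE = [("pass", [LAN_NET], None, False)]
# Pass rule with destination "invert" on the RFC 1918 alias.
INVERTED = [("pass", [LAN_NET], RFC1918, True)]
# Same, plus a block with "This firewall" as destination placed above it.
INVERTED_PLUS = [("block", None, THIS_FIREWALL, False)] + INVERTED
# Block LAN -> DMZ placed immediately above the original pass rule.
BLOCK_FIRST = [("block", [LAN_NET], [DMZ_NET], False)] + NAIVE
# Same two rules in the wrong order: the pass rule matches first and the block never fires.
WRONG_ORDER = NAIVE + [("block", [LAN_NET], [DMZ_NET], False)]

if __name__ == "__main__":
    for name, rules in [("naive", NAIVE), ("inverted", INVERTED), ("inverted+this_fw", INVERTED_PLUS),
                        ("block_first", BLOCK_FIRST), ("wrong_order", WRONG_ORDER)]:
        results = {dst: evaluate(rules, "192.168.1.20", dst) for dst in ("8.8.8.8", "10.10.10.5", "203.0.113.10")}
        print(f"{name:18} {results}")
```

Running it shows the inverted alias alone still passes traffic to the firewall's own WAN address, which is the caveat raised above.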
-
I'm testing your suggestions tomorrow.
Meanwhile, I'm doing a first global configuration now.
-
@dma_pf said in Access only to the Internet and not to the DMZ. How to do?:
You'll need to create a block rule on the LAN like this:
LAN interface
Protocol: TCP - ICMP / Echo request
From: LAN Net
To: DMZ Net
For general blocking, it will be more secure to set the source to "any". I can't see any sense in stating the subnet here at all.