Restrict traffic from second firewall
-
pfSense has two NICs for two DMZ.
I'm managing DMZ1 and I create the rules.
On the NIC for DMZ2 there is a direct cable to a second firewall in cascade managed by an external technician and on which I do not put my hands.
All I have to do is turn port 4500 to this firewall.
I would then leave everything open so that the rules are defined on the second firewall from the other technician.
Instead I would put a rule that blocks access from DMZ2 to LAN and DMZ1. So I would:
In NAT / Port Forward - WAN interface
- To: DMZ2 Second Firewall Address
- Port: 4500
In Rules / DMZ2
- Block any From DMZ2 to LAN
- Block any From DMZ2 to DMZ1
- Block any From DMZ2 to Private Networks (RFC 1918)
- Permit Any From Any to Any
In this way, if I have not made mistakes, I block access to everything that does not concern the Internet or the network downstream of the second firewall.
-
@darkcorner
Since there is no other device on the DMZ2 NIC there is no need to specify the source in the block rules. Simply set it to "any", as already mentioned in the other thread. Presuming you use only RFC 1918 networks on LAN and DMZ1, there is no need for extra block rules. The RFC 1918 block will cover all these networks.
Permit Any From Any to Any
Are you expecting other sources than DMZ2 subnet?
In a pass rule stating the source would make sense to me, but possibly you have other requirements.
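Added example, not from either post: a small Python model of pfSense's top-down, first-match evaluation on the DMZ2 interface, run over the rule order proposed above and over the shorter set the reply suggests (RFC 1918 block plus pass any). The subnet addresses are constructed for the illustration and are not from the thread.

```python
import ipaddress

# Constructed sample addressing for this illustration (not from the thread).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ1 = ipaddress.ip_network("192.168.10.0/24")
DMZ2 = ipaddress.ip_network("192.168.20.0/24")


def _match(addr, nets):
    """True if addr is inside any network in nets; the string 'any' matches all."""
    if nets == "any":
        return True
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


# Rules on the DMZ2 interface in the order the original poster listed them.
# pfSense evaluates interface rules top-down; the first matching rule wins.
DMZ2_RULES = [
    ("block", "any", [LAN]),
    ("block", "any", [DMZ1]),
    ("block", "any", RFC1918),
    ("pass", "any", "any"),
]


def minimal_rules():
    """The reply's point: the RFC 1918 block already covers LAN and DMZ1,
    so only the RFC 1918 block and the final pass rule are needed."""
    return [("block", "any", RFC1918), ("pass", "any", "any")]


def evaluate(rules, src, dst):
    """Return (action, rule_index) of the first rule matching src -> dst.
    With no match, pfSense applies its implicit default deny (index None)."""
    for i, (action, srcs, dsts) in enumerate(rules):
        if _match(src, srcs) and _match(dst, dsts):
            return action, i
    return "block", None


def same_decisions(rules_a, rules_b, flows):
    """True if both rule sets give the same action for every (src, dst) flow."""
    return all(evaluate(rules_a, s, d)[0] == evaluate(rules_b, s, d)[0]
               for s, d in flows)
```

Reversing the list (pass rule first) makes every flow pass, which is the ordering mistake the first-match model makes visible.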