Firewalling LAN outbound traffic



  • Trying to better firewall some of our servers. Currently I only open ports inbound that I want exposed to the internet. The LAN traffic is unrestricted outbound. I'd like to lock down the outbound traffic and have a 1:1 relation.

    For example if I open ports 21, 80, 443 inbound to a single internal server how can I also set this up on the LAN side to only allow 21, 80, and 443 outbound?  I want to allow all outbound traffic from the LAN computers EXCEPT for the servers. I want the WAN and LAN ports for the servers to be identical and I'm struggling with how to allow all outbound traffic for the LAN users EXCEPT for the servers.

    Please help!

    Thanks



  • Create rules on the LAN interface.

    You can either create a rule that blocks the servers, or a rule that only allows the others out.

    Keep in mind that you must allow other ports out. For instance, FTP uses ports other than just 21. You also need to ensure that your servers can perform DNS lookups and optionally NTP. Don't forget to allow for security updates and anti-virus updates too!



  • I had played with the LAN rules and I think I'm getting tripped up with the default rule for LAN which is to allow all outbound. I'd like to keep that rule and then create new rules to allow certain ports and block all others. Not sure if I'm confused or if I have to get rid of that top level rule to allow all?

    I want to allow ALL traffic on the LAN for the general PCs but the servers I'd like to only allow certain ports. I tried creating a pass and deny rules and eve tried the "not" inverse functionality and am getting lost. If I can get this working once I'd be set, it's just trying to get over this hurdle….



  • The rules apply top down - if your top rule is a pass all rule then all the rules below are ignored.

    Create an alias for all the general PCs and then create a pass all rule for those as the source. Then create another set of rules to allow the ports you want servers to be allowed to use. With no default pass rule anything else will be blocked.


Locked