Keeping new interface from the others



  • I have 4 interfaces: LAN, WAN, DMZ and DMZSFTP

    DMZSFTP is 192.168.10.0 /24
    All the other interfaces (besides WAN) are of a 192.168.x.x scheme.

    I have an allow rule under DMZSFTP that states any port, any protocol, source is network 192.168.10.0 /24, destination is NOT network 192.168.0.0 /16.  It is the very first rule in the list.

    In other words, I'd like the interface to be allowed to go anywhere that isn't a 192.168 address, which should translate to WAN only, yet I can ssh to a private IP in the DMZ.

    I always struggle with this as it's backwards from how I'm used to thinking about it.  I've been able to add specific blocks for each network to stop the cross over but I thought having the NOT rule would be an implied block.

    The end result I'm looking for is to allow servers on the DMZSFTP interface get out to push files but make damn sure they can't get anywhere else.  What's the right way to do this?

    Thanks.



  • I have similar questions. We frequently add new interfaces/vlans and some are a type of LAN and others are internet access only.

    I feel like it's a management nightmare to juggle and I really wish there was a better way of setting a rule for "internet access only" or straight out access. Having to create a rule to allow ALL except for the networks specified in aliases leaves a huge margin for OOOPS I accidentally allowed access to all my LANS.

    What are others doing to clearly separate LAN and internet only/dmz traffic?


  • Rebel Alliance Developer Netgate

    Having any kind of automation or shortcuts is never going to satisfy everyone. The scenarios for this kind of setup vary quite a bit.

    The best thing to do is to have explicit rules stating what you want them to be able to do and not do. This can be made easier if you make an rfc1918 alias containing (192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8), then:

    pass from (this network) to (this network)
    block from (this network) to rfc1918
    pass from (this network) to any

    Only downside of that is they can reach anything on the firewall on that segment, but you can toss a couple rules at the top of that to narrow it down:
    pass from (this network) to (firewall's ip on that network) on whatever ports you want, probably at least tcp/udp 53.
    block from (this network) to (firewall's ip)

    Alternately, toss all that, and use floating rules to block "out" quick on the other interfaces from the networks you don't want to get there.
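    A first-match walk-through of the two rule orderings discussed above. This is an added example, not pfSense code and not anything the thread participants posted: the DMZSFTP network 192.168.10.0/24 comes from the first post, while the firewall addresses, the DMZ host, the external SFTP target and the trailing allow-any rule assumed to sit below the original NOT rule are constructed for illustration. It shows why a single "destination is NOT 192.168.0.0/16" pass rule only passes or declines to pass, it never blocks, so whatever rule follows it decides the DMZ traffic, and how the explicit pass/block/pass ordering from the reply closes that gap.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

# Constructed values. Only 192.168.10.0/24 (DMZSFTP) is from the thread;
# the rest are assumptions made for this example.
DMZSFTP_NET = ip_network("192.168.10.0/24")
SFTP_SERVER = ip_address("192.168.10.50")      # assumed host on DMZSFTP
FW_ON_DMZSFTP = ip_network("192.168.10.1/32")  # assumed firewall address on DMZSFTP
FW_ADDRS = [FW_ON_DMZSFTP, ip_network("192.168.20.1/32"), ip_network("192.168.1.1/32")]  # assumed "This Firewall"
DMZ_HOST = ip_address("192.168.20.5")          # assumed host on the separate DMZ segment
INTERNET_HOST = ip_address("203.0.113.10")     # TEST-NET-3 address standing in for the remote SFTP target
ANY = [ip_network("0.0.0.0/0")]
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: List[IPv4Network]
    dst: List[IPv4Network]
    dst_negate: bool = False         # the "not" checkbox on the destination
    ports: Optional[Set[int]] = None  # None means any port


def _in_any(ip: IPv4Address, nets: List[IPv4Network]) -> bool:
    return any(ip in n for n in nets)


def matches(rule: Rule, src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> bool:
    if not _in_any(src_ip, rule.src):
        return False
    dst_hit = _in_any(dst_ip, rule.dst)
    if rule.dst_negate:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return rule.ports is None or dport in rule.ports


def evaluate(rules: List[Rule], src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> str:
    """Interface rules are first-match; if nothing matches, the default block applies."""
    for r in rules:
        if matches(r, src_ip, dst_ip, dport):
            return r.action
    return "block"


# The NOT rule from the first post. A pass rule that does not match simply falls through,
# so a later allow-any rule (assumed here) is what lets DMZ traffic out.
NOT_RULE = Rule("pass", [DMZSFTP_NET], [ip_network("192.168.0.0/16")], dst_negate=True)
ORIGINAL_RULES = [NOT_RULE, Rule("pass", [DMZSFTP_NET], ANY)]

# The explicit ordering from the reply: narrow the firewall itself, allow the segment,
# block the rest of RFC1918, then allow anything (which by then is only the internet).
EXPLICIT_RULES = [
    Rule("pass", [DMZSFTP_NET], [FW_ON_DMZSFTP], ports={53}),
    Rule("block", [DMZSFTP_NET], FW_ADDRS),
    Rule("pass", [DMZSFTP_NET], [DMZSFTP_NET]),
    Rule("block", [DMZSFTP_NET], RFC1918),
    Rule("pass", [DMZSFTP_NET], ANY),
]


def check_policy(rules: List[Rule]) -> dict:
    """Evaluate the flows a practitioner would want to verify before trusting the ruleset."""
    return {
        "ssh_to_dmz": evaluate(rules, SFTP_SERVER, DMZ_HOST, 22),
        "sftp_to_internet": evaluate(rules, SFTP_SERVER, INTERNET_HOST, 22),
        "dns_to_firewall": evaluate(rules, SFTP_SERVER, ip_address("192.168.10.1"), 53),
        "ssh_to_firewall": evaluate(rules, SFTP_SERVER, ip_address("192.168.10.1"), 22),
        "same_segment": evaluate(rules, SFTP_SERVER, ip_address("192.168.10.60"), 22),
    }


if __name__ == "__main__":
    print("NOT rule alone, ssh to DMZ:", evaluate([NOT_RULE], SFTP_SERVER, DMZ_HOST, 22))
    print("original ordering:", check_policy(ORIGINAL_RULES))
    print("explicit ordering:", check_policy(EXPLICIT_RULES))
```

    The useful habit this encodes is to keep a short list of "must pass" and "must block" flows per interface and re-run them whenever a rule is added, since a pass rule that fails to match never protects anything by itself.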

