2.0.3: Single rule allowing only external traffic?



  • Hi all,

    Is there any simple way to create a single rule for allowing traffic from local subnets only to the Internet? I have about 10 interfaces and often add/remove several temporary subnets - I'd like to have one rule allowing users from all local subnets to initiate connections to the Internet, but I want to block communication between nearly all local subnets without creating a dedicated rule for each combination I want to block.

    Is there any dynamic list of local subnets I can use to block traffic to? Or do I have to create a block rule for each combination of local subnets I do not want to communicate with each other?

    Hopefully my question is clear ;)

    Thanks!
    -tt-



  • I would try this (someone should confirm):
    Create an alias for all RFC1918 subnets.
    Add a single rule in the floating table:
    allow all from rfc1918_alias to !rfc1918_alias
    and select all your LAN interfaces in that rule



  • Create another alias with all the subnets that are allowed to communicate.
    Above the rule given above, add this rule:
    allow any from allowedLANS_alias to allowedLANS_alias
    again, select all the LAN interfaces in that rule.
    ;)
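Added example (not from the thread or from pfSense): a small first-match simulation of the two floating rules above, using constructed sample subnets, to show why the allowedLANS rule must sit above the rfc1918 -> !rfc1918 rule and how the "!" negation keeps inter-LAN traffic from matching it. The rfc1918 and allowedLANS alias contents are assumptions for the demo.

```python
import ipaddress

# Constructed sample aliases (assumed addressing; not from the thread).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_LANS = [ipaddress.ip_network(n)
                for n in ("192.168.10.0/24", "192.168.20.0/24")]


def in_alias(addr, alias):
    """True if addr falls inside any network listed in the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


# Floating rules in evaluation order:
# (name, source alias, destination alias, destination negated with "!").
# The allowedLANS rule is listed first, i.e. "above" the rfc1918 rule.
RULES = [
    ("allow allowedLANS -> allowedLANS", ALLOWED_LANS, ALLOWED_LANS, False),
    ("allow rfc1918 -> !rfc1918", RFC1918, RFC1918, True),
]


def evaluate(src, dst):
    """First-match evaluation of the floating rules for a src -> dst flow.

    Returns ("pass", rule name) on the first matching rule, or
    ("block", "default deny") when nothing matches. Only the two
    floating rules and the implicit default deny are modelled here.
    """
    for name, src_alias, dst_alias, negate_dst in RULES:
        if not in_alias(src, src_alias):
            continue
        dst_match = in_alias(dst, dst_alias)
        # Plain rule passes on a match; a "!" rule passes on a non-match.
        if dst_match != negate_dst:
            return ("pass", name)
    return ("block", "default deny")


if __name__ == "__main__":
    for flow in (("192.168.10.5", "203.0.113.7"),   # LAN -> Internet
                 ("192.168.10.5", "192.168.20.9"),  # allowed LAN -> allowed LAN
                 ("192.168.10.5", "10.0.5.5"),      # allowed LAN -> other LAN
                 ("10.0.5.5", "192.168.10.5")):     # other LAN -> allowed LAN
        print(flow, evaluate(*flow))
```

Per-interface rules that pass traffic on their own are not modelled; the simulation only shows what the two floating rules decide before the default deny.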



  • Thanks, senser!

    I've already tried the first way you mentioned - it seems to be working, but I was wondering if there is some more "systemic" way… :)

