2.0.3: Single rule allowing only external traffic?
Is there any simple way to create a single rule allowing traffic from the local subnets only to the Internet? I've about 10 interfaces and am often adding/removing several temporary subnets - I'd like to have one rule allowing users from all local subnets to initiate connections to the Internet, but I want to block communication between nearly all local subnets w/o creating a dedicated rule for each combination I want to block.
Is there any dynamic list of local subnets I can use to block traffic into? Or do I have to create a block rule for each combination of local subnets I don't want to communicate with each other?
Hopefully my question is clear ;)
I would try this (someone should confirm):
Create an alias for all RFC1918 subnets.
Add a single rule in the floating table:
allow all from rfc1918_alias to !rfc1918_alias
and select all your LAN interfaces in that rule
Create another alias with all the subnets that are allowed to communicate.
Above the rule given above add this rule:
allow any from allowedLANS_alias to allowedLANS_alias
again, select all the LAN interfaces in that rule.
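As an added illustration (not from the forum post or pfSense itself), the following Python model evaluates the two suggested floating rules top to bottom, first match wins, against a few constructed flows, so you can check which combinations they pass before committing them to the firewall. It assumes both rules are set to match on first hit (the Quick option on floating rules), that unmatched traffic falls to pfSense's default deny, and the subnets and addresses are constructed for the example.

```python
# Added example: first-match model of the two floating rules suggested above.
# Subnets, addresses and rule names are constructed for this illustration.
import ipaddress

# rfc1918_alias: all private address space (RFC 1918)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# allowedLANS_alias: the few local subnets that may talk to each other
ALLOWED_LANS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.168.20.0/24")]

def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    return any(addr in net for net in alias)

def rule_allowed_lans(src, dst):
    """allow any from allowedLANS_alias to allowedLANS_alias"""
    return in_alias(src, ALLOWED_LANS) and in_alias(dst, ALLOWED_LANS)

def rule_lan_to_internet(src, dst):
    """allow all from rfc1918_alias to !rfc1918_alias"""
    return in_alias(src, RFC1918) and not in_alias(dst, RFC1918)

# Rule order as in the answer: the allowed-LANs rule sits above the Internet rule.
# Anything neither rule matches hits the implicit default deny.
RULES = [("allowed LANs", rule_allowed_lans), ("LAN to Internet", rule_lan_to_internet)]

def decide(src, dst):
    """Return (action, matching rule name) for a flow from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, rule in RULES:
        if rule(s, d):
            return ("pass", name)
    return ("block", "default deny")

if __name__ == "__main__":
    flows = [("192.168.10.5", "93.184.216.34"),  # LAN -> Internet host
             ("192.168.10.5", "192.168.20.7"),   # allowed LAN pair
             ("192.168.10.5", "10.50.0.9"),      # LAN -> temporary subnet
             ("10.50.0.9", "192.168.10.5")]      # temporary subnet -> LAN
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} {decide(src, dst)}")
```

A new temporary subnet inside RFC 1918 space needs no rule change: it reaches the Internet via the second rule and is blocked from every other local subnet unless it is added to allowedLANS_alias.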
I've already tried the first way you mentioned - it seems to be working, but I was wondering if there is some more "systemic" way… :)