DMZ to LAN traffic is always allowed?!
-
Hi
I've got a really stupid problem. Following situation:
1x LAN
1x OPT (DMZ)
1x WAN
See attachment. I can browse without problems from the DMZ to the LAN (RDP, SSH, etc). But there is no rule that allows that? Did I forget a hook somewhere?
Thanks for your help … P.S. If necessary I'll upload logs. You just have to say so ...
-
Hello. When I set up my DMZ interface I had to add two firewall rules on the DMZ interface to control access. The first rule explicitly blocked traffic from the DMZ to the internal LAN subnet:
ID  Proto  Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
    TCP    *        *     LAN net      *     *        none             DMZ LAN Block Rule

The second rule enables DMZ users to access the Internet:

ID  Proto  Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
    *      DMZ net  *     ! LAN net    *     *        none             DMZ Internet Access Rule

I hope this helps.
-
Thank you for the fast reply. I will try your solution as fast as possible and give you a feedback.
-
Hi
I have created a block rule like your example (see attachment). But nothing changed. The rule 149/0 lets the traffic pass through. How can I see which rule this is? Is there any shell tool?
00:00:01.082706 rule 149/0(match): pass in on em1: 192.168.xx1.10.137 > 192.168.xx1.255.137: [|SMB]
00:00:00.797254 rule 149/0(match): pass in on em1: 192.168.xx1.10.57310 > 192.168.xx2.4.53: [|domain]
00:00:00.272080 rule 140/0(match): pass in on em1: 192.168.xx1.10.5203 > 192.168.xx2.18.445: [|tcp]
00:00:00.004744 rule 140/0(match): pass in on em1: 192.168.xx1.10.5204 > 192.168.xx2.18.445: [|tcp]
-
Move the bottom block rule to above the allow rules. You will get the result you are looking for. Your allow rules are before the block rule. The first match wins for PASS rules.
EDIT: You are still allowing access to LANBLUE though unless you put a block in for that too.
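Added example (not from anyone in this thread) for the "which rule is 149/0?" question above: the number in the pflog line is the same @N that `pfctl -vvsr` prints in front of each loaded rule, so the two small shell functions below extract the number from a log line and pull the matching rule (with its counters) out of a `pfctl -vvsr` listing. The listing and log line are constructed samples with made-up addresses; on the firewall you would run `pfctl -vvsr | rule_for_number 149`.

```shell
#!/bin/sh
# Look up a pf rule by the number shown in pflog output ("rule 149/0(match)")
# using the numbered ruleset listing from `pfctl -vvsr`.

# Print the "@N ..." rule line plus its counter lines for rule number N,
# reading a `pfctl -vvsr` listing from stdin.
rule_for_number() {
    awk -v n="$1" '
        /^@[0-9]+ / { show = (substr($1, 2) == n) }   # new rule: keep only @N
        show        { print }                          # rule text and its [ ... ] lines
    '
}

# Extract the rule number from a pflog/tcpdump line such as
#   00:00:00.272080 rule 140/0(match): pass in on em1: ...
rule_number_from_log() {
    sed -n 's/.*rule \([0-9][0-9]*\)\/[0-9]*(match).*/\1/p'
}

# Constructed sample in pfctl -vvsr format (hypothetical rules and addresses,
# not the poster's ruleset). Note the block rule sits below the pass rules,
# which is exactly why it never matches: "quick" makes the first match win.
SAMPLE_RULES='@140 pass in quick on em1 inet proto tcp from 10.10.20.0/24 to any flags S/SA keep state label "USER_RULE: Default allow DMZ to any"
  [ Evaluations: 1024      Packets: 42        Bytes: 8192        States: 3     ]
  [ Inserted: uid 0 pid 1 State Creations: 3     ]
@149 pass in quick on em1 inet from 10.10.20.0/24 to any keep state label "USER_RULE: Default allow DMZ to any"
  [ Evaluations: 2048      Packets: 10        Bytes: 1024        States: 1     ]
  [ Inserted: uid 0 pid 1 State Creations: 1     ]
@150 block drop in quick on em1 inet from 10.10.20.0/24 to 10.10.10.0/24 label "USER_RULE: DMZ LAN Block Rule"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1 State Creations: 0     ]'

# Constructed log line in the same format as the ones posted above.
SAMPLE_LOG='00:00:00.272080 rule 140/0(match): pass in on em1: 10.10.20.10.5203 > 10.10.10.18.445: [|tcp]'

# Stand-alone demo: find the rule number in the log line, then show that rule.
n=$(printf '%s\n' "$SAMPLE_LOG" | rule_number_from_log)
printf 'log line matched rule %s:\n' "$n"
printf '%s\n' "$SAMPLE_RULES" | rule_for_number "$n"
```

An "Evaluations: 0" counter on the block rule, as in the sample, confirms it is never reached and has to move above the pass rules.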