Floating Fire Wall Rule Advice



  • Here is what I am hoping to achieve:
    1. Allow all subnets to communicate with WAN in/out
    2. Prevent all subnets from communicating with each other
    3. Allow all subnets to access a specific port range within 1 subnet

    Is this better accomplished by floating rules or by a set of rules on each subnet?

    Still new and a bit confused. Thank you for the help and advice!



  • I would use rules on each interface, but then I'm only dealing with a typical maximum of 3-4.  The rules you require are pretty simple.



  • In this case I would be dealing with about 4 interfaces as well. Would this be the most efficient in terms of processor resources or is that negligible at this point?



  • Would this be the most efficient in terms of processor resources or is that negligible at this point?

    Negligible.



  • Also, make sure your block rules are above your allow rules.  Non-floating firewall rules are processed from the top down on the interface the packet arrives into.  First rule that applies to a packet "wins" and performs the action on the packet.



  • Does this mean a blanket block all traffic to all other subnets above an allow all traffic to and from WAN will operate the way I am looking for (allowing WAN traffic exclusively)? I suppose if so then the other rule allowing traffic to the alias for specific traffic to one subnet will then just go below that rule.



  • Pretty much.  Bear in mind that there is already an invisible Default Deny rule that you can imagine being at the bottom of the list.  Only your first LAN interface gets an auto-rule that allows outgoing access.  All other internal interfaces are dead until you add something.



  • Ok so what I am thinking is a rule that looks like this:

    For the Blocking
    • Action: Block
    • Interface: Interface we are on
    • TCP/IP Version: IPV4 + IPV6
    • Protocol:  TCP/UDP
    • Source: Network – Whichever Subnet we are on
    • Destination:  Check Not – Network – Whichever Subnet we are on
    • Destination Port Range: Any

    For the WAN
    • Action: Pass
    • Interface: Network – Whichever Subnet we are on
    • TCP/IP Version: IPV4 + IPV6
    • Protocol: Any
    • Source: Network – Whichever Subnet we are on
    • Destination:  WAN
    • Destination Port Range:  Any

    For the Allowed to the single Subnet
    • Action: Pass
    • Interface: Whichever Subnet we are on
    • TCP/IP Version:  IPV4 + IPV6
    • Protocol: Any
    • Source:  Network – whichever Subnet we are on
    • Destination:  Alias – An Alias containing the ports I need access to on that IP/Subnet
    • Destination Port Range: ?

    In that order basically duplicated for each subnet.



  • Rules only affect what is coming into an interface so you don't need a WAN rule.



  • Ah, so to block everything coming in I would want something like this:

    For the Blocking
    •  Action: Block
    •  Interface: Interface we are on
    •  TCP/IP Version: IPV4 + IPV6       
    •  Protocol:  TCP/UDP
    •  Source: Network – Everything Except WAN
    •  Destination:  Network - The subnet we are on
    •  Destination Port Range: Any

    Does this mean for the subnet that has a few connections allowed to it from other subnets the generic block all rule should go below the rule allowing the specific traffic I would like in?



  • Edit:  I wrote this while you were posting your last reply to KOM…

    No, those rules won't do what you want.  The first rule will block all access  to the internet.

    Create an alias for your block list and include all the subnets of your different interfaces.

    Set up the rules like this:

    Set up the specific subnet to subnet allow rule at the top of the list.

    Second rule:
    For the Blocking
    •  Action: Block
    •  Interface: Interface we are on
    •  TCP/IP Version: IPV4 + IPV6       
    •  Protocol:  any
    •  Source: Network – interface net
    •  Destination:  Alias of all your local subnets
    •  Destination Port Range: Any

    Third rule in the list:
    Add a rule then to allow all everywhere
    •  Action: Allow
    •  Interface: Interface we are on
    •  TCP/IP Version: IPV4 + IPV6       
    •  Protocol:  any
    •  Source: Network – interface net
    •  Destination:  any
    •  Destination Port Range: Any



  • the generic block all rule should go below the rule allowing the specific traffic I would like in?

    Yes.  Rules are processed top-down, so put your Allow rules before your Deny rules.



  • @KOM:

    the generic block all rule should go below the rule allowing the specific traffic I would like in?

    Yes.  Rules are processed top-down, so put your Allow rules before your Deny rules.

    Picture a pyramid–pinpoint on the top, wide base at the bottom.  For the most part, arrange your rules like a pyramid.
    The more specific a firewall rule is, the higher it should be in the list.  The more general it is, the lower it should go. 
    The first rule that matches a packet disposes of that packet, and subsequent rules won't touch it.



  • Ah I see, I think I've got them configured properly now. Thank you Almabes and KOM for all of your help!

