I have a rule where I block traffic on my DMZ interface to all interfaces but WAN. I am testing it by running the command "ping google.com" from the DMZ network.
I see in the firewall log that the destination for the ping command is listed as "den02s01-in-f14.1e100.net" (a Google server) which should be routed through WAN (my service provider). My destination in the rule is "! WAN address". Am I misunderstanding this rule?
I may run wireshark or fiddler to see what is happening with the rule disabled but I wanted to run it past the smart crowd first to be sure I was not missing anything.
ProtoSourcePortDestinationPortDescription BLOCKTCP DMZ net *! WAN address*Block DMZ traffic to all but WAN PASSTCPDMZ net *WAN address* Permit DMZ to only WAN
That is not the proper way to do it. You are allowing access to the WAN address, not the Internet. You need a block rule at the top for your local networks and an allow all similar to the default rule after. Here is an example at a client... Note that the first 4 lines are bloick rules. Only the last line is pass.
Proto Source Port Destination Port Description * * * LAN net * Block LAN Access * * * LAN2 net * Block LAN2 Access * * * Storage net * Block Storage Access TCP/UDP WiFi net * * 25 (SMTP 25) Block Outbound email * WiFi net * * * Default WiFI -> any
I usually use the same approach. E.G. block all networks and then a default allow any rule. I was hoping the !WAN rule would create a shortcut but doesn't work as I had hoped. Even the following does not block all non-WAN networks and then allow any.
Proto Source Port Destination Port Description BLOCK TCP DMZ net * ! WAN address * Block DMZ traffic to all but WAN PASS TCP DMZ net * * * Default DMZ to any
It is probably better (in my case) to list each blocked network explicitly but it can get lengthy!
If memory serves, ipchains (OK, I am dating myself here) had a method of creating an alias which represented one or more networks (back then classes but think CIDR now). Not that I am pining for for the days of ipchains.... ;-)