Post by mrice on Jul 21, 2017 12:31:56 GMT
I have some 3 questions, as to how Smallwall works:
[1]
WHY is it that Smallwall has no explicit 'the internet' (='Any Public WAN IP')
as Destination 'type' ? Is there a way to restrict traffic from LAN/OPT1 to
'the internet' only?
I will explain:
Smallwall firewall Rules has several Destination 'types' to choose from:
(Any, Single host, Network, LAN Subnet, OPT1 Subnet, WAN Address..)
If we want to allow LAN/OPT1 devices to access 'the internet'(='Any Public WAN IP')
we are forced to choose either 'Any' or !LAN(='Any Except LAN' inverted selection)
We can NOT use 'WAN' as this is the *single* public IP we get from our ISP.
(Our WAN interface is set to PPPoE, and retrieves a *single* public IP from ISP)
I ask this because choosing 'Any' or !LAN allows OPT1 for example access not
only 'the internet', but also OPT2 interface as well.
Is it possible to express 'the internet' (='Any Public WAN IP') in Destination
'type' using a certain 'Network' expression? (eg, all except 10/8, 172.16/12, 192.168/16)
[2]
How come devices on OPT1 respond to incoming traffic (=PortForwarded to them
from WAN) despite EXPLICIT BLOCK rule on OPT1 to block any outgoing traffic
from OPT1!
Is it true that allowed PortForwarded traffic takes precedence over any BLOCK
rules?
[3]
Is it possible / How can I BLOCK devices on LAN interface from accessing
Smallwall admin login webpage?
Many Thanks!
[1]
WHY is it that Smallwall has no explicit 'the internet' (='Any Public WAN IP')
as Destination 'type' ? Is there a way to restrict traffic from LAN/OPT1 to
'the internet' only?
I will explain:
Smallwall firewall Rules has several Destination 'types' to choose from:
(Any, Single host, Network, LAN Subnet, OPT1 Subnet, WAN Address..)
If we want to allow LAN/OPT1 devices to access 'the internet'(='Any Public WAN IP')
we are forced to choose either 'Any' or !LAN(='Any Except LAN' inverted selection)
We can NOT use 'WAN' as this is the *single* public IP we get from our ISP.
(Our WAN interface is set to PPPoE, and retrieves a *single* public IP from ISP)
I ask this because choosing 'Any' or !LAN allows OPT1 for example access not
only 'the internet', but also OPT2 interface as well.
Is it possible to express 'the internet' (='Any Public WAN IP') in Destination
'type' using a certain 'Network' expression? (eg, all except 10/8, 172.16/12, 192.168/16)
[2]
How come devices on OPT1 respond to incoming traffic (=PortForwarded to them
from WAN) despite EXPLICIT BLOCK rule on OPT1 to block any outgoing traffic
from OPT1!
Is it true that allowed PortForwarded traffic takes precedence over any BLOCK
rules?
[3]
Is it possible / How can I BLOCK devices on LAN interface from accessing
Smallwall admin login webpage?
Many Thanks!
I think most of the answer is that I simply do not like abstracted labels. "The Internet" has little meaning, but "WAN IP" has exact and distinct meaning. Also, opt1 can be multinetted, or can change. But 192.168.44.1/24 is exact. The functionality to alias things is there so you can abstract if you want to, but personally, I like the real information.