I'm curious about something. I have a utm vm guest on esx. Each nic on the vm is connected to a vswitch and each vswitch has separate physical adapters. The utm vm has an interface in external, dmz and inside. Inside is 192.168.0.0/24 and the dmz is 172.16.210.0/24. I have the firewall rules setup so that the inside can access the dmz, but not vica versa. This is working as intended for the most part. I just noticed now that the dmz host can access the webadmin using the inside address: 192.168.0.2:443 I was surprised, but quickly thought that it must be a setting in the webadmin. Sure enough, I changed the webadmin settings so that only the internal network can access the webadmin. That stopped the dmz host being able to use the webadmin on either the inside addr or the dmz address: 172.16.210.2 Ok, all good.
What I find odd is that the dmz host can still ping the inside address of the utm (192.168.0.2). From a routing point of view this makes sense. 192.168.0.0/24 is a directly connected network to the utm, as is 172.16.210.0,so naturally, firewall aside, it would respond. But I thought I had it so that traffic from dmz to internal is blocked. And it is for anything other than this small scenario. I did a port scan on the dmz host and if I target 192.168.0.2 in the tool, I see 443 is open also. And, indeed, I can do a socket connection on 443. And, as mentioned, I can ping 192.168.0.2 as well.
I created a rule that drops all traffic from the dmz host to the inside interface of the utm, but that did not seem to make any difference. What am I missing?
This thread was automatically locked due to age.
