
How to implement a DMZ and allow outbound traffic to any IP

Consider this simplified scenario with a LAN and a DMZ.

  • The LAN must be able to access the DMZ
  • The DMZ must be able to access anything on the internet
  • The DMZ must not be able to access the LAN (except for whatever well crafted rules)

My LAN and DMZ have masquerade rules set up so internet requests go out to the WAN. I'm tripped up on the rules allowing the DMZ to access any IP, but not in the LAN.

  • A rule allowing requests from the LAN to the DMZ works
  • A rule allowing the DMZ to access to any IP allows it access to not only the Internet but the LAN!
  • Creating either an "inbound" rule on the LAN blocking traffic from the DMZ, or vice versa an "outbound" rule disallowing access from the DMZ to the LAN blocks related or established traffic: so when the LAN makes a TCP request to the DMZ, the DMZ's SYN/ACK gets dropped.

I come from Linux knowing iptables quite well where defining the ingress and egress interfaces on a rule would fix this or where I could craft a rule allowing established or related traffic and this wouldn't be a problem. I feel like there's a trick I'm missing, but I've been looking all over and can't see one other than to craft explicit rules for every outbound connection. What's your advice?



  • Hi,

    Src: DMZ Network, Services: Any, Destination: Internetv4 Object.

    Don't use Webproxy on DMZ Net.

    VG

  • Just to add to Peter's comment on the "Internet IPv4" object.

    Basically it means anything that is a target that is not a local interface subnet or part of the routing table and is destined for the 0.0.0.0/0 default route.

    Which in 90% of configurations is the Internet.

    Failing that, you can make a private address range block target for DMZ sources like below if you don't trust it:

    Src: DMZ subnet

    Service: Any

    Target:

    -Class A addressing range 10.0.0.0/8

    -Class B addressing range 172.16.0.0/12

    -Class C addressing range 192.168.0.0/16

    Make sure the rule is above your DMZ to any rule.

    Or you could do a DMZ source to internal LAN network objects block and place it above the dmz to any rule, either will work.

    Emile
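The two answers above both rely on first-match rule ordering: either the DMZ source is only ever allowed to reach the "Internet IPv4" object, or a drop of private ranges sits above the "DMZ to any" allow. The script below is an added example (not code from the thread or from Sophos UTM) that models a first-match policy on constructed lab prefixes and checks, for each of the three orderings discussed, whether the DMZ can reach the LAN. The "Internet IPv4" object is approximated as described by Emile: any destination not covered by a local interface subnet or routing-table entry. The subnets, the rule names and the simplified src/dst/action rule shape are assumptions for the example; the simulator is stateless and only decides the first packet of a new connection.

```python
"""First-match firewall policy simulator for the DMZ isolation question.

Constructed example: the prefixes, rule names and rule shape are assumptions,
not Sophos UTM's own objects. Rules are evaluated top to bottom, first match
wins, and an unmatched flow falls through to the default action (drop).
"""
import ipaddress

# Constructed lab addressing: one LAN, one DMZ, both locally routed.
LAN = ipaddress.ip_network("10.10.0.0/16")
DMZ = ipaddress.ip_network("10.20.0.0/24")
LOCAL_ROUTES = [LAN, DMZ]   # interface subnets plus static routes (assumed)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(ip, nets):
    return any(ip in n for n in nets)


def internet_ipv4(ip):
    """Approximation of the 'Internet IPv4' object as described in the thread:
    anything that is not a local interface subnet or a routing-table entry,
    i.e. whatever would leave via the 0.0.0.0/0 default route."""
    return not in_any(ip, LOCAL_ROUTES)


def any_ipv4(ip):
    return True


def rule(name, src_nets, dst_match, action):
    """Build a rule tuple: (name, source matcher, destination matcher, action)."""
    return (name, lambda ip: in_any(ip, src_nets), dst_match, action)


def evaluate(rules, src, dst, default="drop"):
    """Return (action, matching rule name) for one new flow, first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_match, dst_match, action in rules:
        if src_match(s) and dst_match(d):
            return action, name
    return default, "default"


# Variant 1 (Peter): DMZ may only reach the Internet IPv4 object.
POLICY_INTERNET_OBJ = [
    rule("lan-to-dmz", [LAN], lambda ip: ip in DMZ, "allow"),
    rule("dmz-to-internet", [DMZ], internet_ipv4, "allow"),
]

# Variant 2 (Emile): drop DMZ -> private ranges, placed above DMZ -> any.
POLICY_BLOCK_ABOVE = [
    rule("lan-to-dmz", [LAN], lambda ip: ip in DMZ, "allow"),
    rule("dmz-block-private", [DMZ], lambda ip: in_any(ip, RFC1918), "drop"),
    rule("dmz-to-any", [DMZ], any_ipv4, "allow"),
]

# Variant 3 (the original problem): the same block, but below DMZ -> any,
# so the allow matches first and the block never fires.
POLICY_BROKEN = [
    rule("lan-to-dmz", [LAN], lambda ip: ip in DMZ, "allow"),
    rule("dmz-to-any", [DMZ], any_ipv4, "allow"),
    rule("dmz-block-private", [DMZ], lambda ip: in_any(ip, RFC1918), "drop"),
]

# The three flows the thread cares about (constructed hosts, TEST-NET-3 for
# the internet destination).
FLOWS = {
    "lan->dmz": ("10.10.1.5", "10.20.0.10"),
    "dmz->internet": ("10.20.0.10", "203.0.113.7"),
    "dmz->lan": ("10.20.0.10", "10.10.1.5"),
}


def audit(rules):
    """Decision for each named flow under the given ordered rule list."""
    return {k: evaluate(rules, s, d)[0] for k, (s, d) in FLOWS.items()}


def dmz_isolated(rules):
    """True when LAN->DMZ and DMZ->internet pass but DMZ->LAN is dropped."""
    r = audit(rules)
    return (r["lan->dmz"] == "allow" and r["dmz->internet"] == "allow"
            and r["dmz->lan"] == "drop")


if __name__ == "__main__":
    for label, policy in (("internet-object", POLICY_INTERNET_OBJ),
                          ("block-above-any", POLICY_BLOCK_ABOVE),
                          ("block-below-any", POLICY_BROKEN)):
        print(f"{label:16} isolated={dmz_isolated(policy)!s:5} {audit(policy)}")
```

The two working variants are not identical: the "Internet IPv4" object is derived from the routing table, so a destination in 172.16.0.0/12 that is not locally routed still counts as "internet" under variant 1, while variant 2 drops it regardless of routing. Conversely, a locally routed non-private network is excluded by the object but not by the RFC1918 block. Pick the one that matches what "not the LAN" means in your topology, and keep the block rule above the allow either way.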

  • Oh! Thank you both! "Any IPv4 Internet" is a network object that defines the interface allowed. I can't believe I overlooked that. 

  • Hey Victor - welcome to the UTM Community!

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version in German initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for your reply. I've got my setup pretty good now, so I won't need your document.