This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

newbie question - how to create a internet "link"

i have a 3  interfaces (Intern, Extern, DMZ) configuration. the gateway (router adress) is set @ the external interface. i thought that i can now use the external interface like it would be the connection to the internet, so for example:

Internal (Network)    FTP    External(Network) allow.

but this doesn't wok. if i do it like this:

Internal (Network)    FTP    Any allow

it works.

i did this @ the NAT Rules:

masq_int_to_ext   Internal (Network) -> All / All MASQ__External   None

my second question: with 3 interfaces, do i have 3 firewall adresses? [ Intern(Adress), Extern(Adress), DMZ(Adress) ] if i dont want to allow the Service IDENT from DMZ to the Firewall, do i have to do that lilke this:

Dmz (Network)  IDENT  Dmz (Address) reject

?

i am already getting frustrated, would be very happy if smb. can help me. [:)]

This thread was automatically locked due to age.

Parents

0 SecApp over 21 years ago

That will stop IDENT going to that particular address...

As for the first (implied) question, the rules are based on destination networks, not interfaces (yet??).
Cancel
Vote Up 0 Vote Down

Cancel
0 seburu over 21 years ago in reply to SecApp

>> to that particular address

and that particular adress is the firewall, isnt't it? (what else should it be? [:)]th shorewall yet)

>> based on destination networks, not interfaces

to each interface it automatically generates the networks. (Extern - Extern (Network) (Broadcast) (Adress))

but i can not use the Extern(Network) like it would be the connection to the internet. do i have to create a additional Network for the internet??
Cancel
Vote Up 0 Vote Down

Cancel
0 seburu over 21 years ago in reply to seburu

ok the adresses for the firewall is no problem any longer.

how can i allow to let somthing pass through the firewall to the internet but not to the f.e. dmz? (allow all)

i do not understand how
Cancel
Vote Up 0 Vote Down

Cancel
0 PenTest over 21 years ago in reply to seburu

you need two rules

Deny Service to DMZ
Allow Service to Any

in that order
Cancel
Vote Up 0 Vote Down

Cancel
0 seburu over 21 years ago in reply to PenTest

so if i want to allow x to the internet but i have 30 networks and a few servers i dont want to allow x, i have to create 31 rules? [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 seburu over 21 years ago in reply to PenTest

so if i want to allow x to the internet but i have 30 networks and a few servers i dont want to allow x, i have to create 31 rules? [:)]
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 PenTest over 21 years ago in reply to seburu

nah that is what groups are for. you can create a group you cover all DMZ's etc and use that in a single rule.

It seems like an annoying way to do it but thats how virtually all firewalls work. Even though Astaro simplifies alot for you firewalling and especially firewall rulesets are complicated beasts.

there was some dicussion on Astaro using an interface as a definition but i would not expect that any time soon if ever.
Cancel
Vote Up 0 Vote Down

Cancel
0 seburu over 21 years ago in reply to PenTest

ah, ok.

with shorewall i could do this with a zone net...
Cancel
Vote Up 0 Vote Down

Cancel