This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Basic firewall rule question

Excuse me if this is a dumb question, I somehow manage not to know the answer.

Do the firewalling rule apply to the destination address or destination interface ?

To clarify: If I have one (or more) internal subnets (known to Astaro as static routes), do I have to define packet filter rules for these subnets as well or will the rules from the interface that will route them apply ?

To give an exemple:

Internal network: 10.0.0.0/24
Internal network card: 10.0.0.1
Additional network 10.0.1.0/24
route for above net: 10.0.1.0/24 -> 10.0.0.254
(there is a router on 10.0.0.254 that has 10.0.1.0/24 as llocal on one of it's interfaces)

If I want, for instance, to allow port 80 access from 10.0.1.32, do I have to add a packet filter exception to:
10.0.0.0/24 ?
10.0.0.254/32 ?
10.0.1.0/24 ?
All of them ?
none of them (then what) ?

TIA

This thread was automatically locked due to age.

0 SecApp over 21 years ago

There are no dumb questions, just dumb answers.

Hoping mine doesn't fall into that category, it primarily does it based on destination (and/or source) address.

Interface rules would be a welcome enhancement, but no word from Astaro yet as to when we might see that.

P.S. For Drop rules with an Any Destination, the Destination has to be the Firewall Interface instead. This is due to the Linus firewall architecture going on under the hood. It should be remedied. Was this fixed in 5? I'm not at a box right now to tell you...

As to your example: I don't see you needing an interface rule (but maybe I'm not following what you want to accomplish).

How about:

From: 10.0.1.0/24
Service: HTTP
To: Any
Allow

Or if you want just that machine to have HTTP access (as opposed to the entire LAN that Astaro's interface 'talks' to):

From: 10.0.1.32/32
Service: HTTP
To: Any
Allow

??
Cancel
Vote Up 0 Vote Down

Cancel