This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Help Understanding Firewall Block Rules

Environment:

test_vm (192.168.0.123)
astaro (192.168.0.1)

Goal: Block incoming traffic from a specific internet IP. For this example, I'm using HTTP traffic to keep it simple, but it could be anything)

If I setup a rule as follows:

source - test_vm
services - http (src_port 1:65535; dest_port: 80)
destination - internet
action - reject

Web browsing is blocked and I can see the page requests being blocked in the firewall log (this is expected).

If I reverse the rule (to block the responses, not the requests)
source - internet
services - http response (src_port 80; dest_port: 1:65535)
destination - test_vm
action - reject

Web browsing is fully functional and the firewall doesn't stop the traffic. This same behavior occurs with other traffic such as DNS reponses as well. Can someone explain to me why this is? As far as I can tell, that rule should block all traffic originating from port 80 to my test_vm.

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 13 years ago

To build on what Hallowach said, create yourself a blackhole DNAT, which would be processed before WAF.

Ordered to top
Source:  IPs you want to block traffic for
Service:  HTTP and/or HTTPS
Destination:  The external interface address that WAF is listening on.

New Destination:  host definition for a non-existent address
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Scott_Klassen over 13 years ago

To build on what Hallowach said, create yourself a blackhole DNAT, which would be processed before WAF.

Ordered to top
Source:  IPs you want to block traffic for
Service:  HTTP and/or HTTPS
Destination:  The external interface address that WAF is listening on.

New Destination:  host definition for a non-existent address
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data