This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Help Understanding Firewall Block Rules

Environment:

test_vm (192.168.0.123)
astaro (192.168.0.1)

Goal: Block incoming traffic from a specific internet IP. For this example, I'm using HTTP traffic to keep it simple, but it could be anything)

If I setup a rule as follows:

source - test_vm
services - http (src_port 1:65535; dest_port: 80)
destination - internet
action - reject

Web browsing is blocked and I can see the page requests being blocked in the firewall log (this is expected).

If I reverse the rule (to block the responses, not the requests)
source - internet
services - http response (src_port 80; dest_port: 1:65535)
destination - test_vm
action - reject

Web browsing is fully functional and the firewall doesn't stop the traffic. This same behavior occurs with other traffic such as DNS reponses as well. Can someone explain to me why this is? As far as I can tell, that rule should block all traffic originating from port 80 to my test_vm.

This thread was automatically locked due to age.

0 BAlfson over 13 years ago

As Scott and Manfred mention, "regular" Firewall rules won't work for what you're trying to do.

Incoming traffic starts out in the INPUT chain. DNATs are the first things considered for traffic in this chain. After that, the hidden rules for VPNs and Proxies apply and, finally, the manual Firewall rules that have the "External (Address)" object in the 'Destination' of the traffic selector.

If a DNAT routes incoming traffic past proxies and VPNs to a device on your LAN, the traffic is in the FORWARD chain, and this is where "regular" firewall rules apply. Similarly, since most traffic coming to your "Internal (Address)" is headed to a DMZ or the Internet, it also is in a FORWARD chain.

The shorthand for all this is the 10-word formulation given by Manfred in post #9 above.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel