This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall - observations on use of "ANY" destination versus "INTERFACE" destination.

I am creating from scratch a new astaro which has 5 nics -1 External and 4 internal networks (Internal1, Internal2, ...)  I have devices that are located on Internal1 that I want to be able to connect to External but not any of the other Internal networks.

This is part complaint and part asking if there is a different way to accomplish what I am doing.

I've noticed some inconsistency in the way the firewall rules operate.  I've noticed a pattern of situations where rules will and will not work when the destination address is a INTERFACE and not "ANY."

If your source is a HOST with a specific IP, you can designate an INTERFACE as the destination and the rule works as expected.  The HOST can access that specific interface.  The HOST will not be able to access the other interfaces.  However, if the source is an INTERFACE, the rule will only work if the destination is ANY and not a specific INTERFACE.

Examples:

HOST (ip address on Internal1) > ANY > External > Allow

This works and HOST can access External. HOST will not be able to access any other Internal networks (Internal2, Internal3 or Internal4)

However, this does not work:

Internal1 >  ANY > External > Allow

Devices on Internal1 will not connect to External.

In order to get that the equivalent of the above rule to work, I have to create four rules::

Internal1 > ANY > Internal2 > Drop
Internal1 > ANY > Internal3 > Drop
Internal1 > ANY > Internal4 > Drop
Internal1 > ANY > External > Allow

This will work and devices on Internal1 will connect to External and not be able to connect to any of the other internal devices.
This seems to complicate the Rule set (many more rules and you have to put specific exceptions to access an internal network before the Drop rule for that internal network).

Am I making this more complicated than necessary.  I don't think NAT rules would work.  Is this just the way astaro works.  Thanks for input.

(I've been playing around with a virtual install of yvatta.  It appears to be cisco ios based.  Like, astaro, by default all access is denied.  Only 2 rules would be needed in yvatta.  One for outbound access and one for inbound access.)

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 12 years ago

The external interface object is not the same as the internet (0.0.0.0). It is quite literal and means that External (WAN) (Address) would only allow access to the IP address assigned to that interface.

If what you are trying to achieve is for your internal lan clients to be able to reach resources that you host internally based on FQDNs that only resolve to external IP Addresses on your Astaro (which are then forwarded by DNATs), you will either need to configure split-brain DNS or use Full NATs.
Cancel
Vote Up 0 Vote Down

Cancel
0 rayik over 12 years ago in reply to Scott_Klassen

I'm sorry for not being more clear.  I am now in front of the astaro gui and can see I was not precise in my earlier posts.

In all my examples above EXTERNAL is "External (Internet)"
It is not "External (Address)" which is simply the astaro assigned ip address to that NIC.

To be clear:

NAT is:

Internal1 (Network) > External (WAN)
Internal2 (Network) > External (WAN)
Internal3 (Network) > External (WAN)
Internal4 (Network) > External (WAN)

Firewall Rules:

Internal1 (Network) > ANY > External (Network) > ALLOW - does not work.  Traffic is not passed.

Host1 (actual IP address) > ANY > External (Network) > ALLOW - does work.  Traffic passes for that host.

Thus to set up what I am calling global rules of allowing Internal1 (Network) to access External (WAN) without being able to access any of the other Internal networks, the rules must be (and in this order):

Internal1 (Network) > ANY > Internal2 (Network) > DROP
Internal1 (Network) > ANY > Internal3 (Network) > DROP
Internal1 (Network) > ANY > Internal4 (Network) > DROP
Internal1 (Network) > ANY > ANY > ALLOW

I don't know why this way with less rules does not work:

Internal1 (Network) > ANY > External (Network) > ALLOW (does pass traffic)

The 2nd way would be much simpler and the rule set would be easier to create when you want to have exceptions for specific HOSTS on Internal1 to be able to access other Internal networks
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 rayik over 12 years ago in reply to Scott_Klassen

I'm sorry for not being more clear.  I am now in front of the astaro gui and can see I was not precise in my earlier posts.

In all my examples above EXTERNAL is "External (Internet)"
It is not "External (Address)" which is simply the astaro assigned ip address to that NIC.

To be clear:

NAT is:

Internal1 (Network) > External (WAN)
Internal2 (Network) > External (WAN)
Internal3 (Network) > External (WAN)
Internal4 (Network) > External (WAN)

Firewall Rules:

Internal1 (Network) > ANY > External (Network) > ALLOW - does not work.  Traffic is not passed.

Host1 (actual IP address) > ANY > External (Network) > ALLOW - does work.  Traffic passes for that host.

Thus to set up what I am calling global rules of allowing Internal1 (Network) to access External (WAN) without being able to access any of the other Internal networks, the rules must be (and in this order):

Internal1 (Network) > ANY > Internal2 (Network) > DROP
Internal1 (Network) > ANY > Internal3 (Network) > DROP
Internal1 (Network) > ANY > Internal4 (Network) > DROP
Internal1 (Network) > ANY > ANY > ALLOW

I don't know why this way with less rules does not work:

Internal1 (Network) > ANY > External (Network) > ALLOW (does pass traffic)

The 2nd way would be much simpler and the rule set would be easier to create when you want to have exceptions for specific HOSTS on Internal1 to be able to access other Internal networks
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data