firewall doesn’t work – what’s wrong with my config?


This topic contains 11 replies, has 0 voices, and was last updated by  network007steve 4 years, 3 months ago.

Viewing 13 posts - 1 through 13 (of 13 total)
    #44147

    hello guys,

    somehow I have the feeling that the firewall does not work… ❓ ❓

    here is my config:

    here is the network config – do not get confused, usually a LAN cable is connected to ETH01:

    default gateway:

    NAT:

    DHCP:

    routing:

    for a test I want to block all traffic from the public LAN (192.168.2.0/24) to ETH00 – but it doesn’t block – what’s wrong with my concept?

    many thx for helping. 😉 ❗

    #53610

    redfive
    Participant

    Input (1) and output (2) chains refer to traffic destined to (1) and generated by (2) the firewall itself; if you want to deny the traffic forwarded among interfaces, you have to work on the Forward chain (even though a few rules on the input chain are still necessary for security reasons).
    A simple example, assuming you want to allow traffic from the LAN behind ZS (ETH01) to everything beyond ZS (so, the web as well as the network between ZS and the web):
    input chain (default policy DROP)

    1 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
    2 ETH01 * ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

    forward chain (default policy DROP)

    1 ETH00 ETH01 ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 192.168.2.0/24 state RELATED,ESTABLISHED
    2 ETH01 ETH00 ACCEPT all opt -- in ETH01 out ETH00 192.168.2.0/24 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

    If instead your main network is 192.168.1.0/24, and you want to manage ZS from this network, and you also want to allow web access from ETH01 while denying access to the network 192.168.1.0/24:
    input chain (default policy DROP)

    1 ETH00 * ACCEPT all opt -- in ETH00 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
    2 ETH01 * ACCEPT all opt -- in ETH01 out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

    forward chain (default policy DROP)

    1 ETH00 ETH01 ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 192.168.2.0/24 state NEW,RELATED,ESTABLISHED
    2 ETH01 ETH00 DROP all opt -- in ETH01 out ETH00 0.0.0.0/0 -> 192.168.1.0/24
    3 ETH01 ETH00 ACCEPT all opt -- in ETH01 out ETH00 192.168.2.0/24 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

    You may want to declare the management interface; this can be done in Setup, Web and SSH.
    Remember to declare one or more DNS servers in DNS, Forwarders, and in the DHCP pool also declare the ZS as DNS server (the same IP address as the default gateway).

    Obviously, this is only a sample, but you can do everything you want with iptables…
    Compliments for your network description!
    Regards

    #53611

    @redfive wrote:

    If instead your main network is 192.168.1.0/24, and you want to manage ZS from this network, and you also want to allow web access from ETH01 while denying access to the network 192.168.1.0/24:

    input chain (default policy DROP)

    forward chain (default policy DROP)

    1 ETH00 ETH01 ACCEPT all opt -- in ETH00 out ETH01 0.0.0.0/0 -> 192.168.2.0/24 state NEW,RELATED,ESTABLISHED
    2 ETH01 ETH00 DROP all opt -- in ETH01 out ETH00 0.0.0.0/0 -> 192.168.1.0/24
    3 ETH01 ETH00 ACCEPT all opt -- in ETH01 out ETH00 192.168.2.0/24 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

    many thx for your answer and your good explanation.

    this is exactly what I want – as described in your post:

    web access from ETH01 and
    deny the network 192.168.1.0/24 on ETH00

    I have the rule defined in the chain FORWARD – policy DROP:

    but it never works. The effect is that I have web access from ETH01 AND reach the network 192.168.1.0/24 as well… 😯

    grrr 😀 ❗

    #53612

    redfive
    Participant

    The 3rd rule must be the 2nd, while the 2nd must be the 3rd.
    Regards
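    The second scenario above (deny the public LAN access to 192.168.1.0/24, allow everything else toward ETH00) written as plain iptables commands, with the DROP placed before the general ACCEPT as redfive's ordering fix requires. This is an added example, not code from the post or from Zeroshell; it assumes ETH00 is the upstream interface (192.168.1.0/24) and ETH01 the public LAN (192.168.2.0/24), and that IPT may be overridden for a dry run because iptables itself needs root.

```shell
#!/bin/sh
# Added example: FORWARD-chain rules for the forum's second scenario.
# Assumptions: ETH00 = upstream side (192.168.1.0/24), ETH01 = public LAN
# (192.168.2.0/24). Set IPT="echo iptables" to print the commands instead of
# applying them (iptables needs root and a real netfilter).
IPT="${IPT:-iptables}"

apply_forward_rules() {
    # Default policy DROP, then start from an empty chain so order is known.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Rule 1: traffic from the upstream side back to the public LAN.
    $IPT -A FORWARD -i ETH00 -o ETH01 -d 192.168.2.0/24 \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    # Rule 2: the DROP must come BEFORE the general ACCEPT. iptables stops at
    # the first matching rule, so with the order swapped every new connection
    # from the public LAN matches the ACCEPT first and this rule never fires
    # (the exact symptom reported in the thread).
    $IPT -A FORWARD -i ETH01 -o ETH00 -d 192.168.1.0/24 -j DROP

    # Rule 3: everything else from the public LAN toward ETH00 (the web).
    $IPT -A FORWARD -i ETH01 -o ETH00 -s 192.168.2.0/24 \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
}

# Lists the chain with line numbers so the order can be verified against the
# numbered table in the forum post.
show_forward_rules() {
    $IPT -L FORWARD -n -v --line-numbers
}
```

    Run with IPT="echo iptables" first to read the rules in the order they will be appended; on the live box, show_forward_rules must list the DROP at a lower line number than the ACCEPT for 192.168.2.0/24.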

    #53613

    ahh, OK, the order is decisive

    T H X

    it works so perfectly 😀 😀 ❗

    #53614

    and how can I block the management interface (192.168.2.75) from the network 192.168.2.0/24 on ETH01? ❓

    #53615

    redfive
    Participant

    and how can I block the management interface (192.168.2.75) from the network 192.168.2.0/24 on ETH01?

    …….

    You may want to declare the management interface; this can be done in Setup, Web and SSH.

    Regards

    #53616

    Web and SSH

    OK, well done…

    but from 192.168.2.0/24 I can access 192.168.2.75 (management ZS) 🙄

    #53617

    redfive
    Participant

    Uncheck ‘Auto-authorize LAN’; if it is checked, all LANs will be granted access to the web management interface. Do the same for SSH (if enabled).
    Regards

    #53618

    @redfive wrote:

    Uncheck ‘Auto-authorize LAN’

    it works perfectly – many thx

    one other question:

    how can I block my access-point IP (192.168.2.254, ETH01) from 192.168.2.0/24 (ETH01)?

    #53619

    redfive
    Participant

    It isn’t feasible, but not because of a ZS bug… if a client is associated to one AP, once it has got the IP address, this client is able to communicate with every client in the same network/broadcast domain without passing through ZS; they can ‘talk’ to each other directly at L2…
    You’d have to use VLANs (so the management network would be on one VLAN, while the ‘Guests’ network would be on another VLAN) or, at least, APs which support L2 isolation or ‘client isolation’.
    Regards

    #53620

    how exactly I do that is not yet clear to me – because I’ll have to experiment a bit with VLANs, I think ❓ 🙄 😯

    #53621

    redfive
    Participant

    Obviously, you need at least a VLAN-capable access point, otherwise… 😉
    Greetings
