> On Jun 26, 2017, at 5:27 PM, Jeppe Øland <jol...@gmail.com> wrote:
> 
> Well, at least that matches what I found: That I can't get connections to
> the internet working without allowing everything else too.
> 
> That seems like a pretty bad design... It would be much better to be able
> to allow something to just the WAN interface...
> 
> On Mon, Jun 26, 2017 at 11:26 AM, Jim Spaloss <jspal...@gmail.com> wrote:
> 
>> The rule(s) that allow internet access are the "Allow to Any" rule(s). This
>> could be accomplished as one rule on a floating or interface group ruleset.
>> (Allow any from any to any).
>> 
>> The trick is to block the things that you don't want the DMZ to have access
>> to first. I also use an alias to keep the DMZs from talking to each other.
>> 
>> If you want, I could post some screenshots of my config.

You can allow something to just the WAN interface. It’s just that the WAN 
interface is not the internet.

There is really nothing different here from any stateful firewall made.

If this is a vote, I would record that I pretty much despise passing traffic to 
! RFC1918. I would much rather see Block to RFC1918, then Pass any.

I have reasons. First of which is don’t block traffic with a pass rule. Block 
undesired traffic with a block rule. Reasons.

I like jspal...@gmail.com's solution.

If you take something like 172.29.128.0/18 and assign your DMZ interfaces out 
of that, you can block them all with one rule.


>> 
>> 
>> On Jun 26, 2017 9:32 AM, "Jeppe Øland" <jol...@gmail.com> wrote:
>> 
>>> The thing is I couldn't figure out what rules are needed to get out to
>>> the Internet!
>>> 
>>> If I add no rules at all, then the PC can get a DHCP address, but it
>>> can't even ping pfSense.
>>> 
>>> I tried adding several rules (simultaneously), but didn't find anything
>>> to allow me out to the Internet.
>>> 
>>> Simply adding a "DMZnet -> WANnet" rule did not let me get out.
>>> Adding the firewall specifically (since that is the GW it will go
>>> through) did not help either.
>>> (I tried a few more things in desperation, but nothing changed)
>>> 
>>> Obviously the "DMZnet -> !LANnet" worked, but that doesn't block off all
>>> the other DMZs :-(
>>> 
>>> Regards,
>>> -Jeppe
>>> 
>>> 
>>> On Sun, Jun 25, 2017 at 8:28 PM, Leandro de la Paz <lean...@jovenclub.cu> wrote:
>>> 
>>>> Hi, it should be simple. pfSense denies all the traffic in the absence of
>>>> any rules, so it should be blocking all communication between DMZs by
>>>> default. To allow the traffic to reach the Internet, all you need to do is
>>>> create a rule that permits the traffic that goes everywhere except to an
>>>> alias that contains the private network (RFC1918) subnets. I recommend
>>>> that you do it at the floating rules tab; that way you may select several
>>>> interfaces in one rule. However, you still may need to edit the rule every
>>>> time that a new DMZ is added.
>>>> 
>>>> ---
>>>> Regards,
>>>> Leandro
>>>> 
>>>> On 25 Jun 2017 at 4:04 p.m., "Jeppe Øland" <jol...@gmail.com> wrote:
>>>>> Does anybody know how to do this more easily?
>>>>> 
>>>>> Let's say I have 10 different isolated DMZs.
>>>>> (They are created as VLANs on the "inside" interface so I can connect
>>>>> servers to them).
>>>>> 
>>>>> Now I want each VLAN to be able to get an IP address from a DHCP pool,
>>>>> and to hit the Internet.
>>>>> Nothing else.
>>>>> No DMZ<->DMZ or DMZ->LAN traffic.
>>>>> 
>>>>> The default LAN rules allow me to hit each DMZ from the LAN, so that
>>>>> part is good.
>>>>> The problem is getting each DMZ isolated from each other.
>>>>> 
>>>>> The only thing I have working is to create 10 rules on each DMZ (to
>>>>> block access to the other DMZs and the LAN), and an accept "any" rule
>>>>> to be able to get out.
>>>>> 
>>>>> I really don't like this as it's error prone.
>>>>> If I add a new DMZ, I have to remember to add that rule to all the
>>>>> others.
>>>>> 
>>>>> Is there an easy set of rules I can make to allow the DMZ access to
>>>>> only its own net, and the Internet?
>>>>> 
>>>>> Regards,
>>>>> -Jeppe
>>>>> _______________________________________________
>>>>> pfSense mailing list
>>>>> https://lists.pfsense.org/mailman/listinfo/list
>>>>> Support the project with Gold! https://pfsense.org/gold
>>>> 
>> 

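Added example, not part of the thread and not pfSense's own code: a small first-match rule evaluator in Python that replays the rulesets discussed above against constructed addresses. It shows why "DMZnet -> WANnet" never reaches an Internet address (the WAN subnet is not the Internet), why "DMZnet -> !LANnet" still lets DMZs reach each other, and how "block to RFC1918 (or to one DMZ supernet), then pass any" isolates them. All subnets, the DMZ host and the interface names are constructed sample values; only the 172.29.128.0/18 supernet comes from the thread. The pass-to-interface-address rule placed ahead of the block is an assumption about what a DMZ host still needs from the firewall itself (gateway ping, DNS), since the RFC1918 block would otherwise cover the firewall's own address.

```python
"""Constructed model of pfSense-style first-match rule evaluation (added
example, not pfSense code). Addresses below are sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


def nets(*cidrs):
    return [ip_network(c) for c in cidrs]


# Constructed aliases and subnets. RFC1918 is the alias the thread describes;
# DMZ_SUPERNET is the single block all DMZ interfaces are carved from.
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
DMZ_SUPERNET = nets("172.29.128.0/18")
DMZ1NET = nets("172.29.128.0/24")
DMZ1_IF = nets("172.29.128.1/32")      # firewall's own address on DMZ1 (assumed)
LANNET = nets("192.168.1.0/24")
WANNET = nets("203.0.113.0/24")        # the WAN *subnet*; not "the Internet"
ANY = nets("0.0.0.0/0")


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: list
    dst: list
    dst_negate: bool = False    # the "!" in "DMZnet -> !LANnet"

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        src_hit = any(src in n for n in self.src)
        dst_hit = any(dst in n for n in self.dst)
        # With dst_negate the rule matches only when dst is NOT in the list.
        return src_hit and (dst_hit != self.dst_negate)


def evaluate(rules, src, dst):
    """First matching rule decides; no match falls through to default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "block"


DMZ1_HOST = "172.29.128.50"        # constructed host inside DMZ1
TARGETS = {                        # constructed destinations to probe
    "internet": "198.51.100.10",
    "other_dmz": "172.29.129.10",  # a second DMZ inside the /18
    "lan": "192.168.1.10",
    "gateway": "172.29.128.1",
}

RULESETS = {
    # "DMZnet -> WANnet": matches only the WAN subnet, so nothing reaches out.
    "dmz_to_wannet": [Rule("pass", DMZ1NET, WANNET)],
    # "DMZnet -> !LANnet": reaches the Internet, but also every other DMZ.
    "dmz_to_not_lan": [Rule("pass", DMZ1NET, LANNET, dst_negate=True)],
    # Block to the RFC1918 alias first, then pass any.
    "block_rfc1918_then_pass": [
        Rule("pass", DMZ1NET, DMZ1_IF),
        Rule("block", DMZ1NET, RFC1918),
        Rule("pass", DMZ1NET, ANY),
    ],
    # Same idea with one DMZ supernet plus the LAN instead of all of RFC1918.
    "block_supernet_then_pass": [
        Rule("pass", DMZ1NET, DMZ1_IF),
        Rule("block", DMZ1NET, DMZ_SUPERNET + LANNET),
        Rule("pass", DMZ1NET, ANY),
    ],
    # Wrong order: the pass-any rule shadows the block entirely.
    "pass_any_then_block": [
        Rule("pass", DMZ1NET, ANY),
        Rule("block", DMZ1NET, RFC1918),
    ],
}


def outcomes(rules):
    """Map each probe destination to the action the ruleset gives it."""
    return {name: evaluate(rules, DMZ1_HOST, dst) for name, dst in TARGETS.items()}


if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(f"{name:26s} {outcomes(rules)}")
```

The evaluator models the first-match behaviour of pfSense interface-tab rules; floating rules are only first-match when "Quick" is set, so the block-then-pass ordering above relies on that. Adding an eleventh DMZ inside the /18 needs no rule change, which is the maintenance property the original question asked for.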