Channel: Sophos User Bulletin Board

Firewall - observations on use of "ANY" destination versus "INTERFACE" destination.

I am creating from scratch a new Astaro which has 5 NICs: 1 External and 4 internal networks (Internal1, Internal2, ...). I have devices located on Internal1 that I want to be able to connect to External but not to any of the other Internal networks.

This is part complaint and part asking if there is a different way to accomplish what I am doing.

I've noticed some inconsistency in the way the firewall rules operate. I've noticed a pattern of situations where rules will and will not work when the destination address is an INTERFACE and not "ANY."

If your source is a HOST with a specific IP, you can designate an INTERFACE as the destination and the rule works as expected. The HOST can access that specific interface. The HOST will not be able to access the other interfaces. However, if the source is an INTERFACE, the rule will only work if the destination is ANY and not a specific INTERFACE.

Examples:

HOST (ip address on Internal1) > ANY > External > Allow

This works and HOST can access External. HOST will not be able to access any other Internal networks (Internal2, Internal3 or Internal4)


However, this does not work:

Internal1 > ANY > External > Allow

Devices on Internal1 will not connect to External.


In order to get the equivalent of the above rule to work, I have to create four rules:

Internal1 > ANY > Internal2 > Drop
Internal1 > ANY > Internal3 > Drop
Internal1 > ANY > Internal4 > Drop
Internal1 > ANY > External > Allow

This will work and devices on Internal1 will connect to External and not be able to connect to any of the other internal devices.
This seems to complicate the Rule set (many more rules and you have to put specific exceptions to access an internal network before the Drop rule for that internal network).

Am I making this more complicated than necessary? I don't think NAT rules would work. Is this just the way Astaro works? Thanks for input.

(I've been playing around with a virtual install of Vyatta. It appears to be Cisco IOS based. Like Astaro, by default all access is denied. Only 2 rules would be needed in Vyatta: one for outbound access and one for inbound access.)
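The four-rule workaround in the post only behaves as described because rules are evaluated top-down, first match wins, and anything unmatched falls through to the default deny; that is also why an exception for one internal network has to sit above the Drop rule for that network. The following is an added example, not Astaro's code and not from the poster: a small first-match evaluator with a shadowed-rule check, using constructed placeholder subnets (the post names the networks but gives no addressing) and a constructed "exception" host.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing for the five networks named in the post (placeholders only;
# the post gives no subnets). External uses the RFC 5737 documentation range.
NETWORKS = {
    "Internal1": ipaddress.ip_network("192.168.1.0/24"),
    "Internal2": ipaddress.ip_network("192.168.2.0/24"),
    "Internal3": ipaddress.ip_network("192.168.3.0/24"),
    "Internal4": ipaddress.ip_network("192.168.4.0/24"),
    "External":  ipaddress.ip_network("203.0.113.0/24"),
}


@dataclass(frozen=True)
class Rule:
    source: str       # network name, a single host IP string, or "ANY"
    service: str      # "ANY" or a constructed label such as "tcp/445"
    destination: str  # network name, a single host IP string, or "ANY"
    action: str       # "Allow" or "Drop"


def _matches(selector: str, addr: ipaddress.IPv4Address) -> bool:
    """Does a source/destination selector match one concrete address?"""
    if selector == "ANY":
        return True
    if selector in NETWORKS:
        return addr in NETWORKS[selector]
    return addr == ipaddress.ip_address(selector)  # single-host selector


def evaluate(rules: List[Rule], src: str, dst: str,
             service: str = "tcp/443") -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of matching rule);
    index None means no rule matched and the implicit default deny applied
    (the post notes that by default all access is denied)."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, r in enumerate(rules):
        if (_matches(r.source, src_a) and _matches(r.destination, dst_a)
                and r.service in ("ANY", service)):
            return r.action, idx
    return "Drop", None


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "ANY" or outer == inner:
        return True
    if outer in NETWORKS and inner != "ANY":
        if inner in NETWORKS:
            return NETWORKS[inner].subnet_of(NETWORKS[outer])
        return ipaddress.ip_address(inner) in NETWORKS[outer]
    return False


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule already
    covers their whole source, destination and service."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.source, r.source)
                    and _covers(earlier.destination, r.destination)
                    and earlier.service in ("ANY", r.service)):
                out.append(i)
                break
    return out


# The four-rule set from the post.
FOUR_RULES = [
    Rule("Internal1", "ANY", "Internal2", "Drop"),
    Rule("Internal1", "ANY", "Internal3", "Drop"),
    Rule("Internal1", "ANY", "Internal4", "Drop"),
    Rule("Internal1", "ANY", "External", "Allow"),
]

# Constructed exception: allow one service to one host on Internal2.
EXCEPTION = Rule("Internal1", "tcp/445", "192.168.2.10", "Allow")
SHADOWED = FOUR_RULES + [EXCEPTION]   # placed after the Drop: never reached
ORDERED = [EXCEPTION] + FOUR_RULES    # placed before the Drop, as the post requires

if __name__ == "__main__":
    print(evaluate(FOUR_RULES, "192.168.1.20", "203.0.113.5"))            # ('Allow', 3)
    print(evaluate(FOUR_RULES, "192.168.1.20", "192.168.2.10"))           # ('Drop', 0)
    print(evaluate(SHADOWED, "192.168.1.20", "192.168.2.10", "tcp/445"))  # ('Drop', 0)
    print(evaluate(ORDERED, "192.168.1.20", "192.168.2.10", "tcp/445"))   # ('Allow', 0)
    print(shadowed_rules(SHADOWED), shadowed_rules(ORDERED))              # [4] []
```

The `shadowed_rules` check is the part worth keeping around: as the post says, every exception has to be inserted above the matching Drop, and a rule that lands below it is silently dead. Running the check after each change to the set catches that ordering mistake before it is discovered as a connectivity failure.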
