From: I.S.C. W. <wil...@gm...> - 2012-10-24 22:05:32
2012/10/24 Simon Hobson <li...@th...>

> I.S.C. William wrote:
>
> >For it is exactly what I want, block all access to the local network
> >(loc) to internet (net) and similar as net2loc, that only can select
> >that port open.
> >
> >You say that I need one more rule, I could mention that but I need
> >to accomplish this?
>
> You need to take a step back. It's not enough to talk about blocking
> traffic TO a zone; all policies apply to traffic FROM one zone TO
> another zone. These zones are the first and second columns of the
> policy file.
>
> I'd suggest you make a full list of all the zone-zone
> combinations, like this:
>
> fw loc
> fw net
> fw vpn
>
> loc fw
> loc loc
> loc net
> loc vpn
>
> net fw
> net loc
> net vpn
>
> vpn fw
> vpn loc
> vpn net
>
> all all
>
> I've included loc-loc; that's only needed if you have more than one
> network in your loc zone and the firewall is passing traffic between
> them. All-all is a 'catch all' for anything not more explicitly
> listed.
>
> Against each combination, decide whether you want to allow traffic
> (ACCEPT) or block it (DROP or REJECT). The difference between DROP
> and REJECT is that DROP will silently discard the packet, while
> REJECT will reply to the packet (an ICMP response I think, but that
> could be wrong).
> It's common to use REJECT for outbound traffic (any->net, so your
> internal clients "fail" quickly rather than doing nothing for a while
> and then failing), and DROP for inbound traffic (net->any, so an
> attacker just gets no response to probes).
>
> Once you've decided on the policy, only then do you think about
> rules. The POLICY applies to all traffic between the two zones which
> isn't mentioned in a RULE; rules apply to specific traffic with more
> detailed criteria.
>
> If you have an ACCEPT policy, then all traffic is allowed unless you
> have a rule which blocks it. E.g., if you generally want outbound
> traffic allowed (policy: loc net ACCEPT), but wanted to prevent
> SMTP traffic that didn't come from your internal mail server, you might
> add the RULEs:
> SMTP/ACCEPT loc:<mail server ip> net
> SMTP/REJECT loc net
>
> These rules explicitly allow mail from your mail server (so it's not
> caught by the next rule), and then reject anything else.
>
> If you have a REJECT or DROP policy, then you'll need rules to allow
> all traffic you want to allow. So for the same mail, you'd just need
> one RULE:
> SMTP/ACCEPT loc:<mail server ip> net

Excellent explanation ... thank you very much ... Greetings!
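The lookup order Simon describes (rules are consulted first, the zone-pair policy only applies to traffic no rule mentions, and all/all catches anything not listed) can be modelled in a few lines. The script below is an added example written for this thread, not Shorewall's own code or configuration: it embeds a constructed policy file and rules file in Shorewall's column layout, evaluates sample flows against them the way the reply explains, and lists the zone pairs that are decided only by the all/all catch-all, which is the enumeration exercise Simon recommends. The zone names (fw, loc, net, vpn), the mail server address 192.168.1.25 and the other addresses are constructed; the SMTP and SSH macro expansions are Shorewall's (tcp/25 and tcp/22), but the evaluator itself is a simplified first-match model, not the real compiler.

```python
"""Simplified model of Shorewall's rules-before-policy lookup.

Added example, not Shorewall's own code.  Zone names, addresses and the
policy/rules contents are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Two of Shorewall's shipped macros as (protocol, destination port).  The real
# macro set is far larger; this subset is all the constructed rules need.
MACROS = {"SMTP": ("tcp", 25), "SSH": ("tcp", 22)}

ZONES = ["fw", "loc", "net", "vpn"]  # assumed zones, as in Simon's list

# Constructed policy file, columns SOURCE DEST POLICY.  Outbound from loc is
# allowed, inbound from net is silently dropped, everything else is rejected
# by the all/all catch-all so internal clients fail fast.
POLICY_TEXT = """
# SOURCE  DEST  POLICY
loc       net   ACCEPT
loc       fw    ACCEPT
fw        all   ACCEPT
net       all   DROP
all       all   REJECT
"""

# Constructed rules file.  The first two lines are the SMTP pair from the
# reply with a hypothetical mail server address; the third shows the explicit
# PROTO/DPORT form, opening SSH to the firewall from the vpn zone only, which
# is needed because vpn->fw otherwise falls through to the REJECT catch-all.
RULES_TEXT = """
# ACTION      SOURCE            DEST   PROTO  DPORT
SMTP/ACCEPT   loc:192.168.1.25  net
SMTP/REJECT   loc               net
ACCEPT        vpn               fw     tcp    22
"""


def _parse(text):
    """Split a Shorewall-style file into column lists, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_policy(text):
    """Return (SOURCE, DEST, POLICY) tuples in file order."""
    return [(r[0], r[1], r[2]) for r in _parse(text)]


def parse_rules(text):
    """Return rule dicts; a MACRO/ACTION column expands to the macro's proto/port."""
    rules = []
    for cols in _parse(text):
        action, source, dest = cols[0], cols[1], cols[2]
        proto, dport = None, None
        if "/" in action:
            macro, action = action.split("/", 1)
            proto, dport = MACROS[macro]
        elif len(cols) >= 5:
            proto, dport = cols[3], int(cols[4])
        zone, _, host = source.partition(":")
        rules.append({"action": action, "src_zone": zone,
                      "src_net": ip_network(host, strict=False) if host else None,
                      "dst_zone": dest, "proto": proto, "dport": dport})
    return rules


def _zone_match(pattern, zone):
    return pattern == "all" or pattern == zone


def decide(policy, rules, src_zone, src_ip, dst_zone, proto, dport):
    """First matching RULE wins; otherwise the first matching POLICY row."""
    for r in rules:
        if not (_zone_match(r["src_zone"], src_zone)
                and _zone_match(r["dst_zone"], dst_zone)):
            continue
        if r["src_net"] is not None and ip_address(src_ip) not in r["src_net"]:
            continue
        if r["proto"] is not None and (r["proto"], r["dport"]) != (proto, dport):
            continue
        return r["action"]
    for src, dst, action in policy:
        if _zone_match(src, src_zone) and _zone_match(dst, dst_zone):
            return action
    return None  # no policy at all: Shorewall would refuse such a config


def uncovered_pairs(policy, zones):
    """Zone pairs decided only by the all/all catch-all, i.e. pairs nobody has
    consciously chosen a policy for.  Empty once Simon's list is complete."""
    explicit = [(s, d) for s, d, _ in policy if not (s == "all" and d == "all")]
    return [(s, d) for s in zones for d in zones
            if not any(_zone_match(ps, s) and _zone_match(pd, d)
                       for ps, pd in explicit)]


POLICY = parse_policy(POLICY_TEXT)
RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    flows = [("loc", "192.168.1.25", "net", "tcp", 25),   # mail server: ACCEPT
             ("loc", "192.168.1.50", "net", "tcp", 25),   # other host: REJECT
             ("loc", "192.168.1.50", "net", "tcp", 443),  # no rule: policy ACCEPT
             ("net", "203.0.113.9", "loc", "tcp", 22),    # inbound: policy DROP
             ("vpn", "10.8.0.2", "fw", "tcp", 22)]        # explicit rule: ACCEPT
    for f in flows:
        print(f"{f[0]}:{f[1]} -> {f[2]} {f[3]}/{f[4]}: {decide(POLICY, RULES, *f)}")
    print("pairs decided only by all/all:", uncovered_pairs(POLICY, ZONES))
```

Running it shows why the two-rule SMTP pattern works under an ACCEPT policy (the mail server is matched by the first rule, every other loc host by the second, and non-SMTP traffic never reaches a rule and takes the policy), and `uncovered_pairs` flags loc-vpn and all the vpn-sourced pairs as still undecided in this constructed policy, which is exactly the gap Simon's enumeration is meant to expose before any rules are written.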