Author Topic: Firewall rules to allow internet access but deny communication between clients.

Escorpiom

  • Zen Hero
  • Posts: 897
  • Karma: +25/-1
For quite some time I've been wanting to isolate some subnets, or better called network objects.
Say I have some users in object A and some in object B. I made rules in the firewall packet filter to allow those objects access to the internet and to services on Zentyal.
Currently it's a simple destination - any / service - any per network object.

I have assigned the network objects their own subnet. Users all have IP/MAC binding. But the problem is, Zentyal is internally routing between subnets. So users in object A can print on the printer in object B.
I would like to avoid that. In other words, it should be a little more difficult to access users/computers on a different subnet.
How can I adjust the firewall rules so that those objects can still use the Internet and the Zentyal services, but without being able to see each other?

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

c4rdinal

  • Zen Samurai
  • Posts: 341
  • Karma: +4/-0
You can accomplish this easily using VLAN.

HTH

christian

  • Guest
Hum... wording really matters here  ;)
If devices (not users, because unless there is some authentication, the firewall is not aware of any user) are on subnets connected to Zentyal using different interfaces, then you can simply manage rules at firewall level, because communication between devices from different subnets will go through the firewall.
Otherwise, as c4rdinal wrote, you have to implement VLANs. Easier to write than to implement  ;) but not too difficult either, assuming you have switches supporting this feature.

Escorpiom

  • Zen Hero
  • Posts: 897
  • Karma: +25/-1
Well, the firewall works with network objects, and these network objects contain several MACs/IPs.
So that's correct, Christian, please ignore the user part  :)
I'm aware of that 48-port VLAN switch that is so desperately needed, but I'm afraid that it won't be possible to get one soon.
Otherwise it would be, like c4rdinal says, relatively easy to solve. I had my eyes on a D-Link DES-3052.

I have at the moment four interfaces and a bunch of virtual interfaces. What would such a rule look like? Sorry, I haven't got a clue.
If VLAN is the only alternative then I'd better have a chat with some folks here  ;D

Cheers.

robb

  • Guest
The low-cost solution could be to get a second simple, unmanaged switch that connects to another NIC in Zentyal. So you create your 'VLAN' by introducing another physical switch instead of a virtual switch in an expensive switch with VLAN capabilities.
An extra server NIC costs about 25 euro, and an unmanaged 16- or 24-port switch is already available from 75 euro.
Alternatively, you could look for a second-hand professional switch.

christian

  • Guest
Quote
The low-cost solution could be to get a second simple, unmanaged switch that connects to another NIC in Zentyal. .../...

This is exactly what I meant with the use of an additional interface and associated firewall rule  ;D

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
  • Posts: 1225
  • Karma: +12/-0
Quote
I have assigned the network objects their own subnet. Users all have IP/MAC binding. But the problem is, Zentyal is internally routing between subnets. So users in object A can print on the printer in object B.
I would like to avoid that. In other words, it should be a little more difficult to access users/computers on a different subnet.

Put rules in 'Internal network rules' that drop all traffic from A to B and vice versa. Of course this requires that Zentyal is the only route between A and B.

christian

  • Guest
From what I understand, all devices are currently on the same network... which is the reason why it doesn't work  ;)

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
  • Posts: 1225
  • Karma: +12/-0
Then, as you have already said, VLANs are the solution to the problem.

Marcus

  • Forum Moderator
  • Zen Samurai
  • Posts: 395
  • Karma: +12/-0
Hello everyone,

Well, on my end, I'm preventing different users from seeing some other users using the firewall.
(Zentyal >> Firewall >> Packet filter >> Filtering rules for internal networks)

This way, I'm preventing my son and the neighbourhood from getting access to private (but not properly secured) stuff hosted on other neighbours' computers.

Still, the VLAN approach would probably be easier/faster to set up/configure.

Best,

Marcus

christian

  • Guest
Marcus,

this works only if your son, the neighbourhood and the private server are on different networks; otherwise they can still see each other directly without passing through the firewall.
In order to benefit from the firewall, one has either to set up different physical LANs (one per interface) or to set up VLANs.

Marcus

  • Forum Moderator
  • Zen Samurai
  • Posts: 395
  • Karma: +12/-0
You are right, christian: each part of my network has its own NIC and switch, so all of them are forced to go through the firewall.

Escorpiom

  • Zen Hero
  • Posts: 897
  • Karma: +25/-1
I'm excited! That's a lot of help from all of you, thanks!
Time to let you know how it worked out.

A VLAN-capable switch would be the best option, but we simply can't afford one right now. Even second-hand switches are expensive and hard to find. Probably because of the location.
It would need to have 4 gigabit ports because of some large transfers, and 10/100 is just too slow.

I chose robb's low-cost solution in combination with the rules Javier proposed, and similar to what Marcus posted.
I have now implemented this on two subnets using separate interfaces and two switches. The very first rule in "firewall>packet filter>Filtering rules for internal networks" is:
Quote
Decision Deny - source 192.168.0.0/16 - destination 192.168.0.0/16 - service ! camaras - description deny subnets
Using a 16-bit subnet mask does kill all communication except for the "camaras" service; those are security cameras and they need to be available to everyone.
There is one minor issue, however: I'm using a transparent proxy, so everything running on port 80 would still be accessible to everyone, as it appears, of course, to be coming from localhost.
To solve that I moved the management interfaces of the routers to the "HTTPS" protocol; after that the firewall blocked them also.
One remaining web interface is a network printer without an HTTPS option. That can be solved by using a strong password.

There is still some space in the server for additional network cards, but they would have to be PCI-E x1. I've seen some of those cards having up to 4 network ports, but if they are costly a VLAN switch would still be the best option.

Cheers.
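The following is an added example, not code from the thread or from Zentyal itself. It models the rule set the thread arrives at (Javier's "deny A to B and vice versa" in the internal-network rules, and Escorpiom's single "deny 192.168.0.0/16 to 192.168.0.0/16, service ! camaras" rule placed above the per-object accept rules) as a first-match packet filter, and also models the caveat Escorpiom hit: a transparent proxy terminates port-80 connections on the Zentyal host and re-originates them from the host's own address, so the forward-path deny rule never sees the original client. The subnets (192.168.10.0/24 for object A, 192.168.20.0/24 for object B), the camera ports and the host addresses are all assumptions chosen for the example; the thread only names the service "camaras".

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing for the two network objects (assumed, not from the thread).
OBJECTS = {
    "A": ip_network("192.168.10.0/24"),
    "B": ip_network("192.168.20.0/24"),
}

# Constructed service table: a Zentyal-style service is a set of (protocol, port) pairs.
# The "camaras" ports are assumed; "any" matches every protocol/port.
SERVICES = {
    "camaras": {("tcp", 554), ("tcp", 8080)},
    "any": None,
}


@dataclass
class Rule:
    decision: str                  # "accept" or "deny"
    source: IPv4Network
    destination: IPv4Network
    service: str                   # key into SERVICES
    negate_service: bool = False   # the "! service" form: any service except this one


# Rule order from the thread: one deny between all 192.168/16 subnets except the
# camera service, then the original per-object "destination any / service any"
# accept rules. Evaluation is top to bottom, first match wins.
RULES = [
    Rule("deny", ip_network("192.168.0.0/16"), ip_network("192.168.0.0/16"),
         "camaras", negate_service=True),
    Rule("accept", OBJECTS["A"], ip_network("0.0.0.0/0"), "any"),
    Rule("accept", OBJECTS["B"], ip_network("0.0.0.0/0"), "any"),
]
DEFAULT_POLICY = "deny"


def service_matches(name: str, proto: str, port: int) -> bool:
    ports = SERVICES[name]
    return ports is None or (proto, port) in ports


def evaluate(rules, src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation of the 'filtering rules for internal networks'."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s not in rule.source or d not in rule.destination:
            continue
        matched = service_matches(rule.service, proto, port)
        if rule.negate_service:
            matched = not matched
        if matched:
            return rule.decision
    return DEFAULT_POLICY


# Ports the transparent proxy intercepts (assumed: plain HTTP only, as in the thread).
TRANSPARENT_PROXY_PORTS = {("tcp", 80)}


def forward(rules, src: str, dst: str, proto: str, port: int,
            transparent_proxy: bool = True) -> str:
    """Model of the caveat from the thread: the internal-network rules apply to
    traffic forwarded through the firewall. A transparent proxy terminates the
    client's port-80 connection on the firewall host and opens a fresh connection
    to the destination from its own address, so that second connection is not
    forwarded traffic and the deny rule never sees the original client. That is
    modelled here as the flow being accepted regardless of the rule set."""
    if transparent_proxy and (proto, port) in TRANSPARENT_PROXY_PORTS:
        return "accept"
    return evaluate(rules, src, dst, proto, port)


if __name__ == "__main__":
    a_host, b_printer, b_camera = "192.168.10.5", "192.168.20.9", "192.168.20.30"
    b_router, internet = "192.168.20.1", "203.0.113.7"
    print("A -> B printer, tcp/9100 :", forward(RULES, a_host, b_printer, "tcp", 9100))  # deny
    print("A -> B camera,  tcp/554  :", forward(RULES, a_host, b_camera, "tcp", 554))    # accept
    print("A -> internet,  tcp/443  :", forward(RULES, a_host, internet, "tcp", 443))    # accept
    print("A -> B router,  tcp/80   :", forward(RULES, a_host, b_router, "tcp", 80))     # accept (proxy hole)
    print("A -> B router,  tcp/443  :", forward(RULES, a_host, b_router, "tcp", 443))    # deny (after moving to HTTPS)
```

The last two lines show why moving the router management interfaces to HTTPS closed the hole: the proxy only intercepts port 80, so a port-443 flow is forwarded normally and hits the deny rule. Anything that must stay on plain HTTP (the printer in the thread) remains reachable from every subnet through the proxy, which is why the thread falls back to a strong password there; disabling interception for internal destinations would be the filter-level fix.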