Author Topic: DMZ using PacketFilter Rules[SOLVED]  (Read 2251 times)

justpie

  • Zen Apprentice
  • Posts: 3
  • Karma: +0/-0
DMZ using PacketFilter Rules[SOLVED]
« on: August 06, 2010, 06:48:19 pm »
Hi,

I have been messing around with ebox for a few days now with no success, so I figured I would ask someone who may have attempted this.

I am running ebox 1.4-2.

I have 3 network cards; they are configured as follows:

eth0 - static - IP address: 192.168.60.1
eth1 - static - IP address: 192.168.100.1
eth2 - DHCP - external WAN

Both eth0 and eth1 have DHCP enabled, and DHCP is working flawlessly.

I would like to do the following:

ALLOW eth0 to INTERNET
ALLOW eth0 to eth1

ALLOW eth1 to INTERNET
DENY  eth1 to eth0

----------------------

I went to the "Filtering rules for internal networks" page and added these rules with no success.

action | source IP     | dest IP      | type
-------|---------------|--------------|-----
deny   | 192.168.100.0 | 192.168.60.0 | any
allow  | any           | any          | any

-----

The rules above still allowed me to ping the .60 network from the .100 network. From my understanding, the rules should be applied from top to bottom, and it should deny anything coming from .100 to .60.

Any help would be appreciated.
Thanks!
  

« Last Edit: August 08, 2010, 06:43:28 am by justpie »

justpie

Re: DMZ using PacketFilter Rules
« Reply #1 on: August 08, 2010, 06:34:27 am »
It looks like any rule I add to "Filtering rules for internal networks" is not working at all.

I tried to add a rule that does the following:

deny: ANY to ANY: ICMP, and I can still ping any host from both networks.

Any suggestions?

justpie

Re: DMZ using PacketFilter Rules[SOLVED]
« Reply #2 on: August 08, 2010, 06:44:39 am »
When I created the firewall rules for the internal networks, I was trying to block the address 192.168.100.0/32. I changed the subnet to /24 and it worked fine.
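The fix in the post above (the source network must be written as 192.168.100.0/24, not /32) is easiest to see by evaluating the posted rule table top to bottom against a concrete packet. The following is an added example in Python, not code from the thread or from the eBox project; it models only the rule table as a first-match list and ignores eBox's generated iptables configuration and connection tracking. The packet addresses, the destination mask on the deny rule (the post only mentions the source mask) and the default action when nothing matches are all assumptions made for illustration.

```python
"""Added example: first-match evaluation of an eBox-style rule table.

Not eBox code.  Models the "Filtering rules for internal networks" table
from the thread with Python's ipaddress module and answers one question:
which rule would match a given packet first?
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR such as "192.168.100.0/24", or "any"
    dst: str              # CIDR or "any"
    proto: str = "any"    # "any", "icmp", "tcp", "udp"


def _net(spec: str):
    """Parse a rule column; strict=False also accepts host bits set in the address."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def addresses_covered(spec: str) -> int:
    """How many addresses a CIDR column actually matches (1 for a /32)."""
    return ipaddress.ip_network(spec, strict=False).num_addresses


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str) -> bool:
    """True when the packet falls inside the rule's source, destination and protocol."""
    for spec, ip in ((rule.src, src_ip), (rule.dst, dst_ip)):
        net = _net(spec)
        if net is not None and ipaddress.ip_address(ip) not in net:
            return False
    return rule.proto == "any" or rule.proto == proto


def evaluate(rules, src_ip, dst_ip, proto="icmp", default="allow"):
    """Walk the table top to bottom; the first matching rule decides.

    Returns (action, index_of_matching_rule), or (default, None) when no rule
    matched.  The default is an assumption for this example, not eBox's policy.
    """
    for i, rule in enumerate(rules):
        if matches(rule, src_ip, dst_ip, proto):
            return rule.action, i
    return default, None


# The table as first entered in the post: the source written as /32, which is
# the single address 192.168.100.0.  Destination mask assumed to be /24.
RULES_AS_POSTED = [
    Rule("deny", "192.168.100.0/32", "192.168.60.0/24"),
    Rule("allow", "any", "any"),
]

# The same table after the fix from Reply #2: the source network as /24.
RULES_FIXED = [
    Rule("deny", "192.168.100.0/24", "192.168.60.0/24"),
    Rule("allow", "any", "any"),
]

# Reply #1's experiment: deny ICMP from anywhere to anywhere.
RULES_DENY_ALL_ICMP = [Rule("deny", "any", "any", "icmp")]


if __name__ == "__main__":
    # Constructed packet: a ping from a DHCP client on eth1 to a host on eth0.
    src, dst = "192.168.100.57", "192.168.60.20"
    for name, table in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        print(f"{name:>9}: {src} -> {dst} icmp => {evaluate(table, src, dst)}")
    print("addresses matched by 192.168.100.0/32:", addresses_covered("192.168.100.0/32"))
    print("addresses matched by 192.168.100.0/24:", addresses_covered("192.168.100.0/24"))
```

With the /32 source, the deny rule matches exactly one address, 192.168.100.0 itself, which is the network address and not something any DHCP client on eth1 would ever use as a source; every real packet falls through to the allow-any rule below it, which is why the pings still went through. With /24 the deny covers all 256 addresses of the eth1 network and is hit first. Because eBox's firewall module is built on iptables, which is stateful, the real rule set also accepts reply packets of connections opened from the .60 side before the deny is consulted, so the deny does not break the intended eth0-to-eth1 access; this stateless model does not show that part.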