Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: justpie on August 06, 2010, 06:48:19 pm

Title: DMZ using PacketFilter Rules[SOLVED]
Post by: justpie on August 06, 2010, 06:48:19 pm
Hi,

I have been messing around with ebox for a few days now with no success, so I figured I would ask someone who may have attempted this.

I am running ebox 1.4-2.

I have 3 network cards; they are configured as follows:

eth0 - static - ip address : 192.168.60.1
eth1 - static - ip address : 192.168.100.1
eth2 - DHCP - External WAN.

Both eth0 and eth1 have DHCP enabled, and DHCP is working flawlessly.

I would like to do

ALLOW eth0 to INTERNET
ALLOW eth0 to eth1

ALLOW eth1 to INTERNET
DENY    eth1 to eth0

----------------------

I went to the "Filtering rules for internal networks" page and added these rules with no success.

action | source IP     | dest IP      | type
deny   | 192.168.100.0 | 192.168.60.0 | any
allow  | any           | any          | any

-----

The rules above still allowed me to ping the .60 network from the .100 network. From my understanding, the rules should be applied from top to bottom, and it should deny anything coming from 100 to 60.

Any help would be appreciated.
Thanks!
  

Title: Re: DMZ using PacketFilter Rules
Post by: justpie on August 08, 2010, 06:34:27 am
It looks like any rule I add to "Filtering rules for internal networks" is not working at all.

I tried to add a rule that does the following

deny: ANY to ANY: ICMP, and I can still ping any host from both networks.

Any suggestions?
Title: Re: DMZ using PacketFilter Rules[SOLVED]
Post by: justpie on August 08, 2010, 06:44:39 am
When I created the firewall rules for the internal networks, I was trying to block the address 192.168.100.0/32. I changed the subnet to /24 and it worked fine.
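The fix in the last post comes down to how a CIDR mask decides whether a rule matches a packet at all. The following is an added illustration, not code from the thread or from Zentyal/ebox: a small first-match rule evaluator in the spirit of the "Filtering rules for internal networks" table, run over a constructed ICMP packet from a .100 host to a .60 host. It assumes a /24 mask on the destination network (the thread does not show the destination mask) and an implicit deny when no rule matches; the rule format and function names are the example's own.

```python
import ipaddress

# A rule is (action, source network, destination network, protocol).
# "any" is a wildcard for the network or protocol fields.
Rule = tuple[str, str, str, str]


def _matches_net(rule_net: str, addr: ipaddress.IPv4Address) -> bool:
    """True if the address falls inside the rule's network (or the rule says 'any')."""
    if rule_net == "any":
        return True
    return addr in ipaddress.ip_network(rule_net, strict=True)


def first_match(rules: list[Rule], src_ip: str, dst_ip: str, proto: str) -> str:
    """Evaluate rules top to bottom and return the action of the first match.

    Falls through to an implicit deny when nothing matches (an assumption of
    this example, not a statement about ebox's own default).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, rule_proto in rules:
        if rule_proto not in ("any", proto):
            continue
        if not _matches_net(src_net, src) or not _matches_net(dst_net, dst):
            continue
        return action
    return "deny"


# The rule table as first entered: /32 on the source, so it only ever matches
# the single address 192.168.100.0 and never a real host on that subnet.
RULES_SLASH32: list[Rule] = [
    ("deny", "192.168.100.0/32", "192.168.60.0/24", "any"),
    ("allow", "any", "any", "any"),
]

# The corrected table: /24 on the source covers every host on the .100 network.
RULES_SLASH24: list[Rule] = [
    ("deny", "192.168.100.0/24", "192.168.60.0/24", "any"),
    ("allow", "any", "any", "any"),
]


def evaluate_thread_scenario() -> dict[str, str]:
    """Constructed packets: a .100 host pinging a .60 host, and the reverse."""
    return {
        # Bug as described: the /32 deny is skipped, the catch-all allow wins.
        "100_to_60_with_slash32": first_match(RULES_SLASH32, "192.168.100.50", "192.168.60.10", "icmp"),
        # After the fix: the /24 deny matches first.
        "100_to_60_with_slash24": first_match(RULES_SLASH24, "192.168.100.50", "192.168.60.10", "icmp"),
        # The other direction (eth0 -> eth1) is still allowed by the catch-all.
        "60_to_100_with_slash24": first_match(RULES_SLASH24, "192.168.60.10", "192.168.100.50", "icmp"),
        # Only the network address itself was ever covered by the /32 rule.
        "network_addr_with_slash32": first_match(RULES_SLASH32, "192.168.100.0", "192.168.60.10", "icmp"),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_thread_scenario().items():
        print(f"{name}: {verdict}")
```

The useful check when a deny rule appears to do nothing is to test the mask in isolation, as `_matches_net` does here: a /32 written where a /24 was intended does not fail loudly, it simply never matches, and the next permissive rule decides the packet.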