> I am stuck with a request from a client. A FreeBSD box, with 3 NICs,
> appears as:
>
>   [internet]----/FreeBSD/------>[lan 192.168.1.2]
>                    ^
>                    |------>[dmz 192.168.10.2]
>
> dmz receives (and replies to) requests for dns/sendmail/apache either from
> internet or from the lan thru the FreeBSD box. What is needed: all and
> ANY packet originated from dmz and destined to lan must be denied
> (drop/reject). The intent is that, even if a bad-boy goes to dmz the
> firewall still will refuse connection originated from this
> (compromised) box to the internal lan.
>
> I am using ipfilter for this setup.
>
> note: even changing rules a lot, I am unable to do this. Then I just
> tried to 'block everything for that machine':
>
> === begin
> block in quick from any to 192.168.1.89
> block out quick from any to 192.168.1.89
> block in quick from 192.168.1.89 to any
> ===
>
> but nmap (from dmz) still shows open ports 22 and 53 on this
> machine.
>
> How to effectively BLOCK every packet from dmz to internal lan?? :o(
maybe something like this:

block out on <lan interface> from 192.168.10.0/24 to 192.168.1.0/24

----------

or you can do the reverse, and block the traffic INBOUND on the DMZ
interface with a destination of LAN....

cheers,
--truman

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
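Added example, not from the thread: a complete ipfilter ruleset for the three-interface box in the question, written the way the reply above suggests (block at the DMZ interface, plus the mirror rule on the LAN interface). Interface names fxp0 = internet, fxp1 = LAN, fxp2 = DMZ are assumed; 192.168.10.2 as the dns/sendmail/apache host comes from the question.

```conf
# Constructed ipf.conf for: fxp0 = internet, fxp1 = LAN 192.168.1.0/24,
# fxp2 = DMZ 192.168.10.0/24 (interface names are assumed, not from the thread).
# ipfilter semantics that matter here:
#  - every rule is evaluated and the LAST match wins, unless a rule says
#    "quick", which stops evaluation immediately;
#  - the state table is consulted BEFORE the rules, so replies to a
#    connection the LAN opened are passed by "keep state" even though
#    they travel DMZ -> LAN.
# Therefore the DMZ-to-LAN block must be "quick", name the interface the
# packet enters on, cover the whole LAN subnet (the original rules named only
# one host and no interface), and sit above every "pass ... keep state".

# Default: drop everything, logged. The "quick" pass rules below override it.
block in log all
block out log all

# --- Hard requirement: nothing the DMZ originates may reach the LAN ---
block in log quick on fxp2 from 192.168.10.0/24 to 192.168.1.0/24
# Mirror rule: the same traffic is refused if it ever tries to leave via fxp1.
block out log quick on fxp1 from 192.168.10.0/24 to 192.168.1.0/24
# Anti-spoofing: a packet entering from the DMZ side may not claim a LAN
# or loopback source; otherwise the rule above could be sidestepped.
block in log quick on fxp2 from 192.168.1.0/24 to any
block in log quick on fxp2 from 127.0.0.0/8 to any
# "block return-rst" (tcp) / "block return-icmp" give a reject instead of a
# silent drop, if that is what the client prefers.

# --- Services the DMZ host offers: dns/sendmail/apache ---
# From the internet; "keep state" carries the replies back out on fxp0.
pass in quick on fxp0 proto tcp from any to 192.168.10.2 port = 25 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.168.10.2 port = 80 flags S keep state
pass in quick on fxp0 proto tcp/udp from any to 192.168.10.2 port = 53 keep state
# From the LAN; the LAN initiates, the DMZ only answers inside the state
# entry, which is not a DMZ-originated connection.
pass in quick on fxp1 proto tcp from 192.168.1.0/24 to 192.168.10.2 port = 25 flags S keep state
pass in quick on fxp1 proto tcp from 192.168.1.0/24 to 192.168.10.2 port = 80 flags S keep state
pass in quick on fxp1 proto tcp/udp from 192.168.1.0/24 to 192.168.10.2 port = 53 keep state

# LAN hosts may go out to the internet.
pass in quick on fxp1 from 192.168.1.0/24 to any keep state
pass out quick on fxp0 all keep state

# The DMZ host may resolve names and deliver mail outward; anything it aims
# at the LAN was already dropped by the quick block above, so these rules
# can never be reached for LAN destinations.
pass in quick on fxp2 proto tcp from 192.168.10.2 to any port = 25 flags S keep state
pass in quick on fxp2 proto tcp/udp from 192.168.10.2 to any port = 53 keep state
```

Load with "ipf -Fa -f /etc/ipf.conf", list the active rules with their numbers via "ipfstat -nio", and watch hits on the logged block rules with ipmon while repeating the scan from the DMZ.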
