Hi All,
I've been trying to create a rule in the DMZ firewall that will allow all incoming connections on a given subnet; however, entering an IP in CIDR format throws an error as below (an individual IP works fine). Can you let me know how to fix this? Also, is there a file where we can manually enter DMZ firewall rules (as we do for custom firewall rules in /etc/clearos/firewall.d/custom)?
Thanks
Ruchir
Responses (6)
Accepted Answer
All the documentation indicates you should be able to, but I can't either. I'll ask the devs when I next speak to them.
Note that I believe this bit of the firewall is just for passing a set of public IP addresses from the internet to the LAN, and it is a very wasteful way of working. As an example, if you have 16 IP addresses, you'd need to assign 8 of them externally on your WAN and the other 8 on your LAN. I have seen a document or write-up on this somewhere and I'll post back if I find it.
Accepted Answer
Thanks for your update; this firewall just allows incoming traffic to the DMZ network (incoming connections are disabled by default). We have a next-hop set up for the subnet on the core switch pointing to the ClearOS system. With the DMZ setup, there is no LAN involved: the public IP is directly assigned to the machine behind ClearOS; you just need to allow incoming connections in the DMZ incoming firewall. With the current setup (allowing just 1 IP per rule), we will need to create 256 rules for a /24 subnet! I can see the rule in iptables but am unsure where exactly it is loaded from, so that we can make a backend update of the rule to include the entire /24 subnet.
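Added example, not from this thread or from ClearOS: a small POSIX sh helper that validates an IPv4 CIDR, shows how many single-host rules a subnet would otherwise need (256 for a /24, as the post above notes), and prints one iptables line covering the whole subnet in the form a hand-written custom-rules script might use. The interface name eth2, the subnet 203.0.113.0/24, the FORWARD-chain form and the `$IPTABLES` variable are assumptions, not verified ClearOS conventions; the rule is printed, not applied, so it can be reviewed before being pasted into a custom firewall file.

```shell
#!/bin/sh
# Added example (not ClearOS code). eth2, 203.0.113.0/24 and the
# $IPTABLES/FORWARD form are placeholders and assumptions.

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n), else 1.
valid_cidr() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1                    # no "/" at all
    case "$prefix" in ''|*[!0-9]*) return 1;; esac   # prefix must be digits
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs      # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Number of single-host rules a GUI limited to one IP per rule would need
# to cover the subnet: 2^(32 - prefix), e.g. 256 for a /24.
hosts_in_cidr() {
    i=${1#*/}; n=1
    while [ "$i" -lt 32 ]; do n=$((n * 2)); i=$((i + 1)); done
    echo "$n"
}

# Print (do not run) one rule allowing traffic from anywhere to the given
# DMZ subnet on one protocol/port. One CIDR rule replaces all the per-host
# rules counted above. Usage: dmz_incoming_rule <dmz_if> <cidr> <proto> <port>
dmz_incoming_rule() {
    dmz_if=$1; dmz_net=$2; proto=$3; port=$4
    valid_cidr "$dmz_net" || { echo "invalid CIDR: $dmz_net" >&2; return 1; }
    echo "\$IPTABLES -I FORWARD -o $dmz_if -d $dmz_net -p $proto --dport $port -j ACCEPT"
}

# Example run with the placeholder DMZ subnet: allow HTTPS to every host.
dmz_incoming_rule eth2 203.0.113.0/24 tcp 443
```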
Accepted Answer
I've just been speaking to the devs and I'm not sure you're going down the right route. You can assign your DMZ subnet in IP Settings. The firewall rule is only needed if you want to run incoming services on a DMZ machine. If a machine in the DMZ were just used for things like web browsing, you would not need a firewall rule; only if it were running a web server, mail server or some other service accessible from the internet.