Thread: Firewall - Policy High

  1. #1

    Firewall - Policy High

    Hi,

    I am having issues configuring the firewall with the policy set to "high" and I wanted to know if anyone else is having the same problem or if I am doing something wrong.

    I want to control which IPs can access which services on outbound connections (inbound connections are all configured and working fine). Basically, I want to limit outbound SMTP access to only the mail server (192.168.101.1), as well as allow outbound HTTP, HTTPS, FTP, etc. for all IPs on the LAN.

    Below are the scenarios I have tested and the resulting outcome (all with policy set to high).

    Scenario 1
    ___Outgoing Traffic
    ______SMTP Allowed 192.168.101.1
    ___Allowed IP List
    ______empty
    ___Blocked IP List
    ______empty
    ___*Result*
    ______ok SMTP access for 192.168.101.1
    ______no SMTP access for 192.168.101.84
    This is OK, as expected.

    Scenario 2
    ___Outgoing Traffic
    ______SMTP Allowed 192.168.101.1
    ______HTTP Allowed Any
    ___Allowed IP List
    ______empty
    ___Blocked IP List
    ______empty
    ___*Result*
    ______ok SMTP access for 192.168.101.1
    ______no SMTP access for 192.168.101.84
    ______no HTTP access for 192.168.101.1
    ______no HTTP access for 192.168.101.84
    This is confusing, as I allowed HTTP for any IP.

    Scenario 3
    ___Outgoing Traffic
    ______SMTP Allowed 192.168.101.1
    ______HTTP Allowed Any
    ___Allowed IP List
    ______All Allowed 192.168.101.0/24
    ___Blocked IP List
    ______empty
    ___*Result*
    ______ok SMTP access for 192.168.101.1
    ______ok SMTP access for 192.168.101.84
    ______ok HTTP access for 192.168.101.1
    ______ok HTTP access for 192.168.101.84
    I wanted to allow SMTP only for 192.168.101.1, but now all IPs have access.

    Scenario 4
    ___Outgoing Traffic
    ______SMTP Allowed 192.168.101.1
    ______HTTP Allowed Any
    ___Allowed IP List
    ______All Allowed 192.168.101.1
    ___Blocked IP List
    ______empty
    ___*Result*
    ______ok SMTP access for 192.168.101.1
    ______no SMTP access for 192.168.101.84
    ______ok HTTP access for 192.168.101.1
    ______ok HTTP access for 192.168.101.84
    This is the result I wanted, but the previous results are confusing.

    Scenario 5 (same as scenario 2)
    ___Outgoing Traffic
    ______SMTP Allowed 192.168.101.1
    ______HTTP Allowed Any
    ___Allowed IP List
    ______empty
    ___Blocked IP List
    ______empty
    ___*Result*
    ______ok SMTP access for 192.168.101.1
    ______no SMTP access for 192.168.101.84
    ______no HTTP access for 192.168.101.1
    ______no HTTP access for 192.168.101.84
    Why does removing the entry in the Allowed IP list affect HTTP access for all other IPs?

    Scenario 6
    ___Outgoing Traffic
    ______SMTP Allowed 192.168.101.1
    ______HTTP Allowed Any
    ___Allowed IP List
    ______All Allowed 192.168.101.105 (any other random IP)
    ___Blocked IP List
    ______empty
    ___*Result*
    ______ok SMTP access for 192.168.101.1
    ______no SMTP access for 192.168.101.84
    ______ok HTTP access for 192.168.101.1
    ______ok HTTP access for 192.168.101.84
    Again, this is the result I wanted, but it seems an IP (any IP) must be in the Allowed IP list, however irrelevant.


    Sorry for the long-winded post. I figured out how to get the result I wanted from scenario 4 (or 6): it seems that a rule must be specified in the Allowed IP list, otherwise access is blocked for services that specify "Any IP" for the outbound service (even if the IP in the Allowed IP list is different from the accessing device). I just thought this was a bit counter-intuitive (and might be a bug).
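The six scenarios above can be reduced to a small rule-evaluation model and re-checked mechanically. The Python below is an added example, not Epygi/Quadro code and not the poster's; the evaluation order in `decide()` is a hypothesis inferred from the reported results only, and the hosts, service names and "All Allowed" representation are assumptions made for the example. The `audit()` function is the table-driven check a practitioner would keep alongside such a firewall: the outcome that matters is not scenario 2 (too restrictive, noticed immediately) but scenario 3, which silently lets every LAN host send SMTP outbound.

```python
"""Model of the outbound-rule behaviour reported in the post above.

Added example, not Epygi/Quadro code.  The evaluation order in decide() is
a hypothesis inferred from the six scenarios the poster reported; it is only
as good as those observations.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ServiceRule:
    """One 'Outgoing Traffic' entry: a service allowed from a host/CIDR or 'any'."""
    service: str
    src: str


@dataclass
class OutboundConfig:
    """One tested configuration: service rules plus the 'Allowed IP List'."""
    service_rules: list
    allowed_all: list = field(default_factory=list)  # 'All Allowed' entries


def decide(cfg, src, service):
    """Return True if the model says `src` may reach `service` outbound.

    Hypothesised order (inferred from the post, not documented):
      1. an 'All Allowed' entry matching src grants every service (scenario 3);
      2. a service rule with a specific source matches normally (scenario 1);
      3. a service rule with source 'any' only takes effect when the
         Allowed IP List is non-empty, whatever it contains (scenarios 2/4/6).
    """
    host = ip_address(src)
    if any(host in ip_network(n) for n in cfg.allowed_all):
        return True
    for rule in cfg.service_rules:
        if rule.service != service:
            continue
        if rule.src == "any":
            return bool(cfg.allowed_all)
        if host in ip_network(rule.src):
            return True
    return False


MAIL = "192.168.101.1"   # the mail server from the post
WS = "192.168.101.84"    # the workstation from the post
SMTP_ONLY_MAIL = ServiceRule("smtp", MAIL)
HTTP_ANY = ServiceRule("http", "any")

# The poster's scenarios (scenario 5 repeats scenario 2 and is omitted).
SCENARIOS = {
    "1": OutboundConfig([SMTP_ONLY_MAIL]),
    "2": OutboundConfig([SMTP_ONLY_MAIL, HTTP_ANY]),
    "3": OutboundConfig([SMTP_ONLY_MAIL, HTTP_ANY], ["192.168.101.0/24"]),
    "4": OutboundConfig([SMTP_ONLY_MAIL, HTTP_ANY], [MAIL]),
    "6": OutboundConfig([SMTP_ONLY_MAIL, HTTP_ANY], ["192.168.101.105"]),
}

# Results exactly as reported in the post: (source, service) -> access seen.
OBSERVED = {
    "1": {(MAIL, "smtp"): True, (WS, "smtp"): False},
    "2": {(MAIL, "smtp"): True, (WS, "smtp"): False,
          (MAIL, "http"): False, (WS, "http"): False},
    "3": {(MAIL, "smtp"): True, (WS, "smtp"): True,
          (MAIL, "http"): True, (WS, "http"): True},
    "4": {(MAIL, "smtp"): True, (WS, "smtp"): False,
          (MAIL, "http"): True, (WS, "http"): True},
    "6": {(MAIL, "smtp"): True, (WS, "smtp"): False,
          (MAIL, "http"): True, (WS, "http"): True},
}


def model_mismatches():
    """Every (scenario, src, service) where the model disagrees with OBSERVED."""
    return [(name, src, svc)
            for name, table in OBSERVED.items()
            for (src, svc), seen in table.items()
            if decide(SCENARIOS[name], src, svc) != seen]


def intended(src, service):
    """The policy the poster wants: SMTP only from the mail server, web for all."""
    return src == MAIL if service == "smtp" else True


def audit(cfg, hosts=(MAIL, WS), services=("smtp", "http")):
    """Table-driven check of a config against the intended policy.

    Returns (src, service, got, wanted) for each deviation.  An entry with
    got=True and wanted=False is an over-permissive hole, the one that
    matters: scenario 3 lets the workstation send SMTP outbound.
    """
    return [(h, s, decide(cfg, h, s), intended(h, s))
            for h in hosts for s in services
            if decide(cfg, h, s) != intended(h, s)]


def holes(cfg):
    """Only the over-permissive deviations from audit()."""
    return [d for d in audit(cfg) if d[2] and not d[3]]


if __name__ == "__main__":
    print("model mismatches:", model_mismatches())
    for name, cfg in SCENARIOS.items():
        print("scenario", name, "deviations:", audit(cfg), "holes:", holes(cfg))
```

Run as a script it prints no model mismatches and flags scenario 3 as the only configuration with an over-permissive hole; scenarios 1 and 2 fail the audit too, but only in the restrictive direction. Keeping the `OBSERVED` table and the `intended()` policy in a file like this means a firmware update that changes the "Any" behaviour again shows up as a failing check rather than as a surprise.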

  2. #2


    Hi cit,

    Let me know your LAN and WAN subnets. As far as I understood, 192.168.101.0/24 is your WAN subnet, so what subnet is your LAN? Additionally, I want to add that the outbound restriction is only for the LAN side. This means that if you add an outbound rule with, e.g., the 192.168.101.15 IP address as a restriction, which is on the WAN side of the Quadro, your rule will not work; vice versa, if it is an IP from the LAN side, the rule will work correctly.

    Thanks,
    Ashot.

  3. #3


    Sorry, I should have explained the networking setup.

    No, the LAN side is 192.168.101.0/24.
    The Quadro is in PPPoE mode, connected to a bridge-mode modem.

    You're right, the rule should work, but it didn't.
