Hi,
I am having issues configuring the firewall with the policy set to "high" and I wanted to know if anyone else is having the same problem or if I am doing something wrong.
I want to control which IPs can access which services on outbound connections (inbound connections are all configured and working fine). Basically I want to limit outbound SMTP access to only the mail server (192.168.101.1) as well as allow outbound HTTP, HTTPS, FTP, etc. for all IPs on the LAN.
Below are the scenarios I have tested and the resulting outcome (all with policy set to high).
Scenario 1
___Outgoing Traffic
______SMTP Allowed 192.168.101.1
___Allowed IP List
______empty
___Blocked IP List
______empty
___*Result*
______ok SMTP access for 192.168.101.1
______no SMTP access for 192.168.101.84
This is OK, as expected.
Scenario 2
___Outgoing Traffic
______SMTP Allowed 192.168.101.1
______HTTP Allowed Any
___Allowed IP List
______empty
___Blocked IP List
______empty
___*Result*
______ok SMTP access for 192.168.101.1
______no SMTP access for 192.168.101.84
______no HTTP access for 192.168.101.1
______no HTTP access for 192.168.101.84
This is confusing, as I allowed HTTP for any IP.
Scenario 3
___Outgoing Traffic
______SMTP Allowed 192.168.101.1
______HTTP Allowed Any
___Allowed IP List
______All Allowed 192.168.101.0/24
___Blocked IP List
______empty
___*Result*
______ok SMTP access for 192.168.101.1
______ok SMTP access for 192.168.101.84
______ok HTTP access for 192.168.101.1
______ok HTTP access for 192.168.101.84
I wanted to allow SMTP only for 192.168.101.1 but now all IPs have access.
Scenario 4
___Outgoing Traffic
______SMTP Allowed 192.168.101.1
______HTTP Allowed Any
___Allowed IP List
______All Allowed 192.168.101.1
___Blocked IP List
______empty
___*Result*
______ok SMTP access for 192.168.101.1
______no SMTP access for 192.168.101.84
______ok HTTP access for 192.168.101.1
______ok HTTP access for 192.168.101.84
This is the result I wanted, but the previous results are confusing.
Scenario 5 (same as scenario 2)
___Outgoing Traffic
______SMTP Allowed 192.168.101.1
______HTTP Allowed Any
___Allowed IP List
______empty
___Blocked IP List
______empty
___*Result*
______ok SMTP access for 192.168.101.1
______no SMTP access for 192.168.101.84
______no HTTP access for 192.168.101.1
______no HTTP access for 192.168.101.84
Why does removing the entry in the Allowed IP list affect HTTP access for all other IPs?
Scenario 6
___Outgoing Traffic
______SMTP Allowed 192.168.101.1
______HTTP Allowed Any
___Allowed IP List
______All Allowed 192.168.101.105 (any other random IP)
___Blocked IP List
______empty
___*Result*
______ok SMTP access for 192.168.101.1
______no SMTP access for 192.168.101.84
______ok HTTP access for 192.168.101.1
______ok HTTP access for 192.168.101.84
Again, this is the result I wanted, but it seems an IP (any IP) must be in the Allowed IP list, however irrelevant.
Sorry for the long-winded post. I figured out how to get the result I wanted from scenario 4 (or 6): it seems that a rule must be specified in the Allowed IP list, otherwise access is blocked for services that specify "Any IP" for the outbound service (even if the IP in the Allowed IP list is different from the accessing device). I just thought this was a bit counter-intuitive (and might be a bug).
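To make the behaviour observed across the scenarios explicit and testable, here is an added Python model (not the firewall vendor's code; the decision order, the `"any"` keyword and the dict/list notation for the two lists are assumptions inferred only from the results in the post) that encodes the inferred rule and checks it against every scenario listed above:

```python
import ipaddress

def outbound_allowed(src_ip, service, service_rules, allowed_ip_list):
    """Hypothesised 'high' policy decision inferred from the scenarios above.

    service_rules:   {"SMTP": "192.168.101.1", "HTTP": "any"}  (Outgoing Traffic)
    allowed_ip_list: ["192.168.101.0/24"]                      (Allowed IP List)
    """
    ip = ipaddress.ip_address(src_ip)
    # An "All Allowed" entry grants every service to matching hosts (scenario 3).
    if any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_ip_list):
        return True
    rule = service_rules.get(service)
    if rule is None:                   # no outbound rule for this service at all
        return False
    if rule.lower() != "any":          # host-specific rule: only that host (1, 4, 6)
        return ip == ipaddress.ip_address(rule)
    # An "Any" rule only takes effect when the Allowed IP list is non-empty (2/5 vs 4/6).
    return len(allowed_ip_list) > 0

MAIL, HOST, OTHER = "192.168.101.1", "192.168.101.84", "192.168.101.105"
SMTP_ONLY = {"SMTP": MAIL}
SMTP_HTTP = {"SMTP": MAIL, "HTTP": "any"}

# Observed results from the post, keyed by (source IP, service) -> access granted?
SCENARIOS = [
    ("1", SMTP_ONLY, [], {(MAIL, "SMTP"): True, (HOST, "SMTP"): False}),
    ("2", SMTP_HTTP, [], {(MAIL, "SMTP"): True, (HOST, "SMTP"): False,
                          (MAIL, "HTTP"): False, (HOST, "HTTP"): False}),
    ("3", SMTP_HTTP, ["192.168.101.0/24"], {(MAIL, "SMTP"): True, (HOST, "SMTP"): True,
                                            (MAIL, "HTTP"): True, (HOST, "HTTP"): True}),
    ("4", SMTP_HTTP, [MAIL], {(MAIL, "SMTP"): True, (HOST, "SMTP"): False,
                              (MAIL, "HTTP"): True, (HOST, "HTTP"): True}),
    ("6", SMTP_HTTP, [OTHER], {(MAIL, "SMTP"): True, (HOST, "SMTP"): False,
                               (MAIL, "HTTP"): True, (HOST, "HTTP"): True}),
]

def check_scenarios(scenarios=SCENARIOS):
    """Return (scenario, ip, service) triples where the model disagrees with the observed result."""
    mismatches = []
    for name, rules, allowed, observed in scenarios:
        for (ip, svc), want in observed.items():
            if outbound_allowed(ip, svc, rules, allowed) != want:
                mismatches.append((name, ip, svc))
    return mismatches

if __name__ == "__main__":
    print("model matches all scenarios" if not check_scenarios() else check_scenarios())
```

If the vendor changes the semantics in a firmware update, re-running this against the same observed table shows exactly which scenario no longer matches.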