"Destination Address" rule causes traffic to be blocked

[johndball]

Thanks for the explanation, oldtimer!

I'll give it a whirl tomorrow. I made some changes to the SAS drives and reinstalled 9.1 again. I'll post a screenshot when I'm done.

[johndball]

It's working now. Thanks friend!

[Mathiau]

has untangle considered doing what pfsense has in auto creating a Firewall rule when a nat rule is created?

[sky-knight]

Why? By default the Firewall is a default pass. There is no need for a firewall rule.

If you want to default block, then you need to take responsibility for that decision and manage your own rules. Autoconfigured security polices aren't "secure".

Besides, it won't be too much longer and we all should be on v6. I'm thinking years here obviously, as dev time works in months. And once v6 is everywhere, NAT is no longer in the picture, and such a feature would be a waste of time.

Logically, I can't see how it makes sense for Untangle to do such a thing. PFSense does so because it's firewall is default block, and usability required an "easy" way to get port forwards to work. If you want UT to be in easy mode, don't use firewall.

[dmorris]

Quote:

Originally Posted by Mathiau

has untangle considered doing what pfsense has in auto creating a Firewall rule when a nat rule is created?

Its not that simple. Which firewall in which rack? All of them? Should the rule be put at the top where it overrides critical rules? At the bottom where it probably won't match? A random location it the middle?

The only reasonable approach would be to add a setting to firewall to "Automatically pass all port forwarded sessions." But I'm loathed to add a new setting because the problem with settings is that people change them.

[Mathiau]

true, UT is far more complex, and i do agree, even on our PFsense boxes i got, i have done an auto rule and i go back and end up editing it anyways in the end.

with IPv6 i still dont like the idea of not having a private subnet anymore, sure there will be devices to keep old ipv4 network alive and kicking... but i think more of security, of having every device on a public IP, would be more of a nightmare for security... in some sense.\

But i also havent been keeping up on ipv6 news either.

[sky-knight]

Not really, all you need is a stateful firewall and a rule that drops all inbound sessions by default.

*Poof* a v6 firewall with all public addresses protected by the same layer of security provided by a default NAT box. Except now instead of doing port forward rules and possibly a firewall rule, it's just a single firewall rule to pass traffic.

v6 makes things so simple on that level.

[Mathiau]

good to know, i really do need to start reading up on ipv6 again before it comes and smacks me in the face, but for how slow costa rica is to adopt things, probably be sometime before we can ever get IP6 addresses from our ISP.