  1. #1
    Untangler
    Join Date: Apr 2009
    Posts: 87

    controlling traffic between internal networks

    I am in the process of configuring a new Untangle box with 4 interfaces.

    External = Internet [Static Address]
    Internal = WiFi [192.168.81.1]
    DMZ = Webservers [192.168.117.1] to be used in the future
    eth3 = Office Network [192.168.76.1]

    My goal is to block all traffic between internal networks with the following exceptions…

    DNS - FROM all clients on the 81.x network TO select servers on the 76.x network
    HTTP – FROM all clients on the 81.x network TO select servers on the 76.x network
    RDP – FROM all clients on the 81.x network TO select servers on the 76.x network
    HTTP – FROM select clients on the 76.x network TO select clients on the 81.x network

    The above setup will be replacing two separate Untangle routers that are currently in service. I would like to consolidate from 2 routers to 1 for the sake of QOS and potentially using paid apps in the future.

    I have several questions…

    Should I use a combination of bypass rules and packet filtering rules to accomplish my goals, or should I use the firewall app?

    What would be the pros and cons of each?

    Are “established” packets automatically accepted by the Firewall app and Packet filters?

  2. #2
    Untangle Ninja sky-knight
    Join Date: Apr 2008
    Location: Phoenix, AZ
    Posts: 26,497

    Packet Filter is block all by default.
    Firewall is pass all by default.

    All traffic that moves from one interface to another on Untangle is subject to UVM filtration, and will unless otherwise specified by a policy, or excepted via bypass rule, be processed by the default rack and associated applications.

    Use the firewall module for everything you can, it has logs. The UVM only processes TCP and UDP, so that's all the firewall sees. Other protocols (ICMP included) have to be controlled by the packet filter. So don't freak out when you can "ping" something. That doesn't mean you can actually connect and do something.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date: Apr 2009
    Posts: 87

    Quote Originally Posted by sky-knight:
    Packet Filter is block all by default.
    Could you expand on that?

    Packet Filter doesn't have a filter allowing HTTP, yet the web works by default.
    Is that because HTTP is handled by the UVM?

    Does the Packet Filter only affect traffic that is "Bypassed"?

    I guess I'm a little confused about how the Bypass Rules and the Packet Filter rules interact with each other.

  4. #4
    Untangle Junkie dmorris
    Join Date: Nov 2006
    Location: San Carlos, CA
    Posts: 17,486

    Packet Filter is pass by default.

    All rules in Untangle match on Sessions, so any packets belonging to an established (accepted) session are automatically allowed.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    some dude hlarsen
    Join Date: Jul 2010
    Location: sfba
    Posts: 1,384

    bypass rules keep traffic out of the uvm, however packet filter rules can still block that traffic as it exists outside the uvm.

    http://wiki.untangle.com/index.php/U...e_Bypass_Rules
    http://wiki.untangle.com/index.php/Packet_Filter

  6. #6
    Untangler
    Join Date: Apr 2009
    Posts: 87

    Ok, so if I plan on traffic between internal networks being processed by the UVM, and therefore do not use the packet filter or bypass rules, then I would need to control that traffic using the firewall app in the rack, right?

    If so, what would a block rule in the firewall app look like?

    I want to block traffic between the 81, 76 and 117 networks, with the exceptions listed in my first post.
    I would like all networks to have Internet access.

  7. #7
    Untangle Junkie dmorris
    Join Date: Nov 2006
    Location: San Carlos, CA
    Posts: 17,486

    You can use either.

    The advantage of firewall rules is that they can work with your policies and advanced criteria.
    The advantage of packet filter rules is they work on all IP traffic (not just tcp & udp) and bypassed traffic.

    Rules are described in depth in the documentation:
    http://wiki.untangle.com/index.php/Firewall#Rules
    http://wiki.untangle.com/index.php/Rules
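
As an added illustration (not Untangle's own code or rule syntax, and not from any poster in this thread), the toy model below applies the three behaviours the replies describe to the policy in the first post: rules are evaluated in order and the first match wins, later packets of an accepted session pass in either direction without re-evaluation, and only TCP/UDP ever reach the firewall app. The "select servers", the admin PC, the WiFi HTTP host and the Internet address are constructed placeholders, since the thread names no specific hosts.

```python
"""Toy model of ordered, session-based firewall rules (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


def nets(*cidrs):
    """Parse CIDRs or single hosts into ip_network objects (hosts become /32)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Interface networks from the first post.
WIFI = nets("192.168.81.0/24")
OFFICE = nets("192.168.76.0/24")
DMZ = nets("192.168.117.0/24")
INTERNAL = WIFI + OFFICE + DMZ

# Constructed placeholder hosts; the thread names no specific servers.
OFFICE_SERVERS = nets("192.168.76.10", "192.168.76.11")
OFFICE_ADMIN_PCS = nets("192.168.76.50")
WIFI_HTTP_HOSTS = nets("192.168.81.200")


@dataclass
class Rule:
    name: str
    action: str                               # "pass" or "block"
    proto: Optional[str] = None               # "tcp", "udp" or None for either
    src: List[ipaddress.IPv4Network] = field(default_factory=list)  # [] = any
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)  # [] = any
    dport: Optional[int] = None               # None = any destination port

    def matches(self, proto, src, dst, dport):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return ((self.proto is None or self.proto == proto)
                and (not self.src or any(src_ip in n for n in self.src))
                and (not self.dst or any(dst_ip in n for n in self.dst))
                and (self.dport is None or self.dport == dport))


# Ordered list: the pass exceptions must come before the catch-all block.
RULES = [
    Rule("wifi -> office DNS", "pass", "udp", WIFI, OFFICE_SERVERS, 53),
    Rule("wifi -> office HTTP", "pass", "tcp", WIFI, OFFICE_SERVERS, 80),
    Rule("wifi -> office RDP", "pass", "tcp", WIFI, OFFICE_SERVERS, 3389),
    Rule("office admins -> wifi HTTP", "pass", "tcp",
         OFFICE_ADMIN_PCS, WIFI_HTTP_HOSTS, 80),
    Rule("block internal <-> internal", "block", None, INTERNAL, INTERNAL),
    # Nothing else is listed: Internet-bound traffic falls through to the default pass.
]


class SessionFirewall:
    """First-match evaluation on a session's first packet; later packets of an
    accepted session (either direction) pass without re-evaluation."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # accepted 5-tuples

    def packet(self, proto, src, sport, dst, dport):
        if proto not in ("tcp", "udp"):
            # Per the thread, only TCP/UDP reach the firewall app; ICMP and
            # other protocols would have to be handled by the packet filter.
            return "not-inspected"
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        if fwd in self.sessions or rev in self.sessions:
            return "pass"                      # established session
        verdict = "pass"                       # firewall app default
        for rule in self.rules:
            if rule.matches(proto, src, dst, dport):
                verdict = rule.action
                break
        if verdict == "pass":
            self.sessions.add(fwd)
        return verdict


if __name__ == "__main__":
    fw = SessionFirewall(RULES)
    for pkt in [("udp", "192.168.81.5", 54321, "192.168.76.10", 53),
                ("udp", "192.168.76.10", 53, "192.168.81.5", 54321),
                ("tcp", "192.168.81.5", 40000, "192.168.76.10", 22),
                ("tcp", "192.168.81.5", 40001, "198.51.100.7", 443)]:
        print(pkt, "->", fw.packet(*pkt))
```

Rule order is the whole point: the four pass exceptions precede the internal-to-internal block, and Internet-bound traffic matches nothing, so it falls through to the firewall app's default pass. The DNS reply from the office server is allowed only because the WiFi client's outbound packet already created the session; the identical reply packet arriving with no session on record hits the block rule.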
