controlling traffic between internal networks

[coreybrett]

I am in the process of configuring a new Untangle box with 4 interfaces.

External = Internet [Static Address]
Internal = WiFi [192.168.81.1]
DMZ = Webservers [192.168.117.1] to be used in the future
eth3 = Office Network [192.168.76.1]

My goal is to block all traffic between internal networks with the following exceptions…

DNS - FROM all clients on the 81.x network TO select servers on the 76.x network
HTTP – FROM all clients on the 81.x network TO select servers on the 76.x network
RDP – FROM all clients on the 81.x network TO select servers on the 76.x network
HTTP – FROM select clients on the 76.x network TO select clients on the 81.x network

The above setup will be replacing two separate Untangle routers that are currently in service. I would like to consolidate from 2 routers to 1 for the sake of QOS and potentially using paid apps in the future.

I have several questions…

Should I use a combination of bypass rules and packet filtering rules to accomplish my goals, or should I use the firewall app?

What would be the pros and cons of each?

Are “established” packets automatically accepted by the Firewall app and Packet filters?

[sky-knight]

Packet Filter is block all by default.
Firewall is pass all by default.

All traffic that moves from one interface to another on Untangle is subject to UVM filtration, and will unless otherwise specified by a policy, or excepted via bypass rule, be processed by the default rack and associated applications.

Use the firewall module for everything you can, it has logs. The UVM only processes TCP and UDP, so that's all the firewall sees. Other protocols (ICMP included) have to be controlled by the packet filter. So don't freak out when you can "ping" something. That doesn't mean you can actually connect and do something.

[coreybrett]

Packet Filter is block all by default.

Could you expand on that?

Packet Filter doesn't have a filter allowing HTTP, yet the web works by default.
Is that because HTTP is handled by the UVM?

Does the Packet Filter only effect traffic that is "Bypassed"?

I guess I'm a little confused about how the Bypass Rules and the Packet Filter rules interact with each other.

[dmorris]

Packet Filter is pass by default.

All rules in Untangle match on Sessions, so any packets belonging to an established (accepted) session are automatically allowed.

[hlarsen]

bypass rules keep traffic out of the uvm, however packet filter rules can still block that traffic as it exists outside the uvm.

http://wiki.untangle.com/index.php/U...e_Bypass_Rules
http://wiki.untangle.com/index.php/Packet_Filter

[coreybrett]

Ok, so if I plan on traffic between internal networks being processed by the UVM, and therefore do not use the packet filter or bypass rules, then I would need to control that traffic using the firewall app in the rack, right?

If so, what would a block rule in the firewall app look like?

I want to block traffic between the 81, 76 and 117 networks, with the exceptions listed in my first post.
I would like all networks to have Internet access.

[dmorris]

You can use either.

The advantage of firewall rules is that they can work with your policies and advanced criteria.
The advantage of packet filter rules is they work on all IP traffic (not just tcp & udp) and bypassed traffic.

Rules are described in depth in the documentation:
http://wiki.untangle.com/index.php/Firewall#Rules
http://wiki.untangle.com/index.php/Rules