  1. #1 | Newbie | Join Date: Jan 2019 | Posts: 4

    Firewalling DMZ - what am I doing wrong??

    Build: 14.1.1.20190116T123153.589f15d47c-1stretch
    Kernel: 4.9.0-7-untangle-amd64

    I have created a DMZ out of a third interface (named DMZ) and want to restrict access to specific addresses and ports from the DMZ. I've noticed that without any rules included the DMZ appears to be treated just like the internal interface, unrestricted.
    In the Firewall app I created a new rule:
    Block DMZ to Internal: Source Interface => DMZ, Destination Interface => Internal, Protocol => everything checked, Action Type => Block, Flag

    With this rule in place the device in the DMZ can still ping through to devices on the internal interface. So I created another rule:
    Block DMZ Subnet to Internal: Source Address => 192.168.2.0/24, Destination Address => 192.168.10.0/24, Protocol => everything checked, Action Type => Block, Flag

    Still neither of these blocks DMZ access to Internal. Pings always get through.

    I even looked at the idea of treating the DMZ interface like a WAN interface but it wouldn't allow me to configure it that way without a gateway.
    Suggestions?

  2. #2 | jcoffin (Untangler) | Join Date: Aug 2008 | Location: Sunnyvale, CA | Posts: 7,620

    Is the "DMZ" interface addressed or Bridged? If Bridged, bridged to which interface?

    The Firewall App blocks at layer 7; if you want to block ping, that has to happen at layer 3, so use network filter rules: /admin/index.do#config/network/filter-rules

    [Attachment: interface-config.png]
    Last edited by jcoffin; 01-25-2019 at 03:57 PM.

  3. #3 | sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 23,174

    Ahh yes, another new Untangle user caught in the fine print...

    Untangle's UVM, the magic box that all the applications run in, only processes UDP and TCP. That means the firewall app lets ICMP (Ping) through 100% of the time. You cannot use ping to test those rules! Which, honestly, is a pretty terrible test if you think about it.

    If you want to control ICMP, you must use filter rules, config -> networking -> filter. Beware, there isn't nearly as much logging on those, and they can cause some difficult-to-troubleshoot issues.
    Last edited by sky-knight; 01-25-2019 at 04:05 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4 | Master Untangler | Join Date: May 2010 | Location: Texas, USA | Posts: 687

    telnet on the port that was explicitly opened is my usual starting point for testing rules. For many reasons ping isn't a good test - unless you are specifically testing an ICMP rule of course.

  5. #5 | Newbie | Join Date: Jan 2019 | Posts: 4

    It's addressed.

    And as far as Layer 7 and fine print... why does 'Firewall' have a check box for ICMP if it doesn't do anything? That's a bit misleading isn't it? It's also where the confusion is coming in.

  6. #6 | sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 23,174

    Quote Originally Posted by WolfR1der:
    It's addressed.

    And as far as Layer 7 and fine print... why does 'Firewall' have a check box for ICMP if it doesn't do anything? That's a bit misleading isn't it? It's also where the confusion is coming in.
    What the mother of... yes I see that, that is NOT supposed to be there. Congrats, you found your first bug!

    You can test this yourself, make a rule in the firewall that controls ICMP, ping... and ping will still work.
    Duplicate that rule in the filter config -> networking -> filter... and ICMP will be blocked.

    Again, the entire rack only handles TCP and UDP; this impacts all applications in it, so no ICMP packet will ever make it to the firewall module to be inspected.
    Last edited by sky-knight; 01-28-2019 at 09:21 AM.
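The testing advice in posts #4 and #6 (use a TCP connection to an explicitly opened port, not ping, and treat ICMP as a separate case handled only by filter rules) can be turned into a small verification harness. The following is an added example, not code from the thread or from Untangle: it probes TCP and ICMP separately, and it distinguishes a port that is closed (the host answered with a reset, so the packet got through) from one that is silently dropped. It assumes Linux `ping` flags (-c, -W); the addresses in SAMPLE_PROBES are constructed from the DMZ and internal subnets quoted in post #1.

```python
# Firewall-rule verification harness (added example, not code from the thread or
# from Untangle). Probes TCP and ICMP separately, because a rule enforced only by
# the layer-7 Firewall app never sees ICMP; only network filter rules do.
import socket
import subprocess
from dataclasses import dataclass

# Outcomes proving the packet reached the target host, i.e. the rule did NOT block it
REACHED = {"open", "refused", "reply"}


@dataclass
class Probe:
    host: str
    port: int             # ignored for icmp
    proto: str            # "tcp" or "icmp"
    expect_blocked: bool  # what the rule under test is supposed to do


def tcp_probe(host, port, timeout=2.0):
    """'open' = handshake done; 'refused' = RST came back, so the SYN reached the
    host and a closed port answered; 'filtered' = silence (consistent with a drop);
    'unreachable' = local error such as an ICMP reject ('no route to host')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def icmp_probe(host, timeout=2.0):
    """Echo request through the system ping (raw ICMP sockets would need root).
    Assumes Linux ping flags: -c count, -W seconds."""
    cmd = ["ping", "-c", "1", "-W", str(int(timeout)), host]
    try:
        rc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                            timeout=timeout + 3).returncode
    except FileNotFoundError:
        return "unavailable"   # no ping binary on this host
    except subprocess.TimeoutExpired:
        return "no-reply"
    return "reply" if rc == 0 else "no-reply"


def verdict(observed, expect_blocked):
    """True when the observation matches what the rule should do, None when the
    probe could not run. 'refused' counts as reached: a closed port is not a
    blocked port, it only means nothing is listening behind an unblocked path."""
    if observed == "unavailable":
        return None
    return (observed in REACHED) != expect_blocked


def run_probe(p):
    """Run one probe and return a result record with the pass/fail verdict."""
    if p.proto == "tcp":
        observed = tcp_probe(p.host, p.port)
    elif p.proto == "icmp":
        observed = icmp_probe(p.host)
    else:
        raise ValueError(f"unknown protocol {p.proto!r}")
    return {"target": f"{p.proto}://{p.host}:{p.port}", "expect_blocked": p.expect_blocked,
            "observed": observed, "passed": verdict(observed, p.expect_blocked)}


# Constructed sample: run from a host in the DMZ (192.168.2.0/24) against an
# internal host (192.168.10.0/24) after the block rule is in place. With only a
# Firewall-app rule the TCP probe passes and the ICMP probe fails, as in the thread.
SAMPLE_PROBES = [
    Probe("192.168.10.10", 22, "tcp", expect_blocked=True),
    Probe("192.168.10.10", 0, "icmp", expect_blocked=True),
]


def local_demo():
    """Offline self-check on loopback: one listening port ('open') and one closed
    port ('refused'). Both count as reached, so the expect_blocked=True check on
    the closed port correctly reports a failure rather than a block."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # port released; a connect now gets RST, not a drop
    try:
        return [run_probe(Probe("127.0.0.1", open_port, "tcp", expect_blocked=False)),
                run_probe(Probe("127.0.0.1", closed_port, "tcp", expect_blocked=True))]
    finally:
        listener.close()


if __name__ == "__main__":
    for r in local_demo():
        print(r)
```

To check a real rule, run `[run_probe(p) for p in SAMPLE_PROBES]` from a DMZ host after replacing the addresses with your own; a Firewall-app block shows up as `filtered` for TCP but `reply` for ICMP, and only a filter rule turns the ICMP line into `no-reply`. Note that `refused` is reported as a failed block on purpose: a reset proves the packet crossed the firewall.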
