
Given the following network diagram:

                  internet
                     |
                     |
            +--------+--------+
            |                 |
   dmz2 ----+                 +---- lan
            |                 |
            +--------+--------+
                     |
                     |
                    dmz1

internet: 0.0.0.0/0
dmz1:     192.168.10.0/24
dmz2:     192.168.20.0/24
lan:      192.168.30.0/24

I would like to add a rule to allow traffic from all interfaces to the internet. LAN should additionally be able to access DMZ1 and DMZ2. I can of course use something like:

dmz1:
ACCEPT dst != 192.168.0.0/16

dmz2:
ACCEPT dst != 192.168.0.0/16

lan:
ACCEPT always

However, if we later add a third DMZ in 10.0.0.0/8, the rules break. Is there a way to add a robust rule that matches on the internet interface?

Georg Schölly

1 Answer


You could make an alias INTERNAL_NET and add the network 192.168.0.0/16 to it. Use the alias in your rules. Then, as needs change in the future, you can always add the new networks to the alias without having to change the rules.

CB_Ron
Thank you for your answer. This seems to be the standard way of dealing with it. However, most people add all private IP ranges to `INTERNAL_NET`. – Georg Schölly Jul 20 '20 at 06:45
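The point made in the answer and in the follow-up comment (a single alias that collects every internal range, so that adding a network does not require touching the rules) can be checked with a small model of first-match rule evaluation. This is an added example written for this page, not code from the question's firewall or from the answer; the alias name INTERNAL_NET comes from the answer, the rule layout follows the question, and the addresses used for packets, the hypothetical third DMZ in 10.0.0.0/8, and the public address 203.0.113.10 (a documentation range) are constructed for the demonstration.

```python
"""Model of per-interface firewall rules that match against a named alias.

Constructed example: simulates the rules from the question, first with the
hard-coded negation `dst != 192.168.0.0/16` and then with an alias holding
all RFC 1918 ranges, and shows what happens when a new internal network
(hypothetical dmz3 in 10.0.0.0/8) appears.
"""
from ipaddress import ip_address, ip_network

# Alias as the answer suggests, extended with all RFC 1918 ranges as the
# follow-up comment notes most people do. Name taken from the answer.
INTERNAL_NET = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# The narrow literal the question originally used, kept for comparison.
LITERAL_ONLY = [ip_network("192.168.0.0/16")]


def in_alias(addr, alias):
    """True if addr falls inside any network listed in the alias."""
    a = ip_address(addr)
    return any(a in net for net in alias)


def build_policy(internal):
    """Per-interface rule lists mirroring the question.

    Each rule is (action, predicate) where predicate takes the destination
    address. The DMZ rules are 'accept anything that is not internal'; the
    LAN rule is 'accept always'.
    """
    return {
        "dmz1": [("ACCEPT", lambda dst: not in_alias(dst, internal))],
        "dmz2": [("ACCEPT", lambda dst: not in_alias(dst, internal))],
        "lan": [("ACCEPT", lambda dst: True)],
    }


def evaluate(policy, src_iface, dst):
    """First matching rule wins; unmatched traffic hits an implicit deny."""
    for action, match in policy.get(src_iface, []):
        if match(dst):
            return action
    return "DROP"


def compare(src_iface, dst):
    """Decision under the narrow literal versus under the alias."""
    return {
        "literal": evaluate(build_policy(LITERAL_ONLY), src_iface, dst),
        "alias": evaluate(build_policy(INTERNAL_NET), src_iface, dst),
    }


if __name__ == "__main__":
    # Constructed packets: public destination, existing LAN host, and a host
    # in the hypothetical dmz3 (10.0.0.0/8) added after the rules were written.
    for src, dst in [("dmz1", "203.0.113.10"),
                     ("dmz1", "192.168.30.1"),
                     ("dmz1", "10.0.5.5"),
                     ("lan", "192.168.10.1")]:
        print(f"{src} -> {dst}: {compare(src, dst)}")
```

Running it shows the failure mode the question worries about: with the literal, dmz1 -> 10.0.5.5 is accepted because 10.0.0.0/8 is "not 192.168.0.0/16", so a new DMZ would be reachable from the existing DMZs the moment it is created; with the alias the same packet is dropped, and the only maintenance step when adding a network is extending INTERNAL_NET. Public destinations and LAN traffic are decided identically under both.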