TO-External firewall applied to external interface?

dave08 · April 27, 2022, 3:10pm

Hello!
On one of my VyOs I have a simple setup with NAT, some blocked outgoing traffic and 2 interfaces: eth0 external, eth1 internal.
Today I just noticed that I apply my “TO-EXTERNAL” firewall rules to eth0 (the external or “RED” interface).
I don’t remember if this was the only way I could achieve this, but now I’m thinking I am allowing for undesired traffic to jump from internal to external interface just before blocking it.
Should I apply this “To-External” firewall rule on the internal interface instead?
Thanks and regards.

n.fort · April 28, 2022, 5:40pm

If you want to filter traffic from your LAN (behind eth1) to internet, it would be better to apply firewall rules on your LAN eth1 interface.

dave08 · May 17, 2022, 2:10pm

Hello. So today I came across this situation. I had to block an external website from a lab which had full external web access so far. This time I’ve created a simple “TO-External” firewall set of out rules directly on my eth1 internal interface. No success.
As soon as I set this firewall to eth0 (public IP interface), the website is blocked and all others work as intended.
What am I missing here? I guess I’ve tried this setup in the early days and found that I could only make this work when applying “firewall out” to external interfaces and kept doing this until now.
thanks!

Interface:

ethernet eth0 {
address my.public.address
duplex auto
firewall {
local {
name TO-ROUTER
}
out {
name TO-EXTERNAL
}
}

Firewall:
name TO-EXTERNAL {
default-action accept
description “…”
rule 10 {
action drop
description “blocks phishing site”
destination {
address phishing.ip.address
}
}
}
This setup works. Applying this firewall to Eth1 (internal network) doesn’t. I’m guessing it should also be type “out”, right?

dave08 · May 18, 2022, 8:32am

OK, so I guess I understand now. Being the eth1 the internal interface, I had to set the firewall as “in”, as the packets are getting into it. Anyway, I don’t think that the performance would be much affected from the previous setup, eth0 external interfacem firewall out.
Thanks

Can’t mark it as solved.

system · May 22, 2022, 11:09am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.