Topic: NAT/Firewall : restrict DMZ access from WAN  (Read 4234 times)
« on: October 05, 2012, 08:07:24 »
dan31 *
Posts: 8

Hello,

There's currently a web server hosted on the DMZ interface. I would like to temporarily restrict access to that zone from the WAN side.
Does anyone know how to proceed?
I tried to add a rule on the WAN interface to restrict all traffic coming from the WAN interface and destined for the DMZ interface. But it doesn't work. I think this is related to the fact that I'm using NAT to map port 80 to the web server. It means, for me, that even if there's a rule which restricts WAN traffic going to the DMZ, the NAT is applied first.

For now, I simply deleted the NAT rule. That works, but it is unsafe for me.

Thanks for your help,
« Reply #1 on: October 05, 2012, 11:47:12 »
Јаневски ***
Posts: 153

Adding a full blocking rule should work; however, you must respect the order of the rules. In your case I believe you should move the blocking rule up the list.

« Reply #2 on: October 05, 2012, 15:44:27 »
dan31 *
Posts: 8

Yes, I put the rule at the top of the list and applied the changes. But nothing... Huh
« Reply #3 on: October 05, 2012, 19:53:11 »
Lennart Grahl ***
Posts: 153

This should be pretty simple: Disable the firewall rule that allows packets to your server in DMZ from WAN (e.g. the WAN "tab") temporarily.

Everything else that isn't explicitly allowed will be blocked anyway.
« Reply #4 on: October 06, 2012, 18:22:36 »
dan31 *
Posts: 8

Hello,

Here are some of the rules currently applied:

NAT
If  | Proto | Ext. port range | NAT IP       | Int. port range | Description
WAN | TCP   | 80 (HTTP)       | 192.168.32.2 | 80 (HTTP)       | Web server

Firewall - WAN interface
Proto | Source      | Port | Destination | Port | Action
TCP   | WAN address | *    | DMZ net     | *    | Reject

That rule is the first one, just below the default "Block private networks" rule.
I applied the same rule on the DMZ interface and it still doesn't work. Any reason why?

Thanks,
« Reply #5 on: October 07, 2012, 16:23:44 »
dan31 *
Posts: 8

Any idea?
I feel very unsafe at the moment and that doesn't make me comfortable :-S
« Reply #6 on: October 07, 2012, 16:41:45 »
Fred Grayson *****
Posts: 994

> I think this is related to the fact that I'm using NAT to map port 80 to the web server. It means, for me, that even if there's a rule which restricts WAN traffic going to the DMZ, the NAT is applied first.

This premise is incorrect. Both a NAT rule and a matching firewall rule that allows access are required for a host on an internal interface to be reached from the WAN. Not one or the other, but both.

Without seeing your entire rule set it's not possible to diagnose your problem. As rules are applied in sequence, you may have the correct rule but not in the correct place.

Post screenshots of your NATs and WAN interface Firewall Rules.
« Last Edit: October 07, 2012, 17:18:09 by Fred Grayson »

--
Google is your friend and Bob's your uncle.
« Reply #7 on: October 07, 2012, 21:51:37 »
dan31 *
Posts: 8

Hello,

OK, I found it. In fact, the first rule blocks the traffic coming from the WAN address to the DMZ (-> firewall_rules_blocks_to_DMZ.png).
Then, below it, there's another rule which allows traffic from everywhere to the DMZ.

My understanding is that the WAN interface doesn't include Internet addresses but only the subnet between my router (CE) and my carrier's router (PE). That's why it still allowed Internet traffic: it wasn't included in the WAN subnet.

Sorry if I made you waste your time... Undecided

Hope this can help anybody else in the same situation. And thank you for your help Smiley


* firewall_rules_blocks_to_DMZ.png (12.37 KB, 578x186)
* firewall_rules_allows_to_webserver.png (4.46 KB, 577x42)
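The following is a worked example added here by the editor; it is not code from the thread or from the firewall product. It is a small Python model of first-match rule evaluation with inbound NAT applied before filtering, and it reproduces both points made above: Fred Grayson's point that a NAT rule and a matching pass rule are both required, and dan31's finding that a reject rule whose source is "WAN address" never matches Internet clients, so the broader pass rule below it wins. Assumptions: "WAN address" is modelled as the firewall's own WAN IP (203.0.113.1, constructed) and "DMZ net" as 192.168.32.0/24 (constructed); 192.168.32.2 is the web server IP from the NAT rule in the thread; the client 198.51.100.7 and all rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (documentation ranges); only 192.168.32.2 comes from the thread.
WAN_ADDRESS = ipaddress.ip_address("203.0.113.1")       # assumed: the firewall's own WAN IP
DMZ_NET = ipaddress.ip_network("192.168.32.0/24")       # assumed: what the "DMZ net" alias expands to
WEB_SERVER = ipaddress.ip_address("192.168.32.2")       # NAT target from the original post
INTERNET_CLIENT = ipaddress.ip_address("198.51.100.7")  # constructed remote visitor

ANY = [ipaddress.ip_network("0.0.0.0/0")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def host(addr: ipaddress.IPv4Address) -> List[ipaddress.IPv4Network]:
    """A single-host match list, i.e. what an alias such as 'WAN address' resolves to."""
    return [ipaddress.ip_network(f"{addr}/32")]


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                          # "pass", "block" or "reject"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]                 # None = any destination port
    description: str

    def matches(self, p: Packet) -> bool:
        return (any(p.src in n for n in self.src)
                and any(p.dst in n for n in self.dst)
                and (self.dport is None or self.dport == p.dport))


def port_forward(p: Packet) -> Packet:
    """Inbound NAT (pf 'rdr') rewrites the destination before the filter rules run."""
    if p.proto == "tcp" and p.dst == WAN_ADDRESS and p.dport == 80:
        return Packet(p.src, WEB_SERVER, 80, p.proto)
    return p


def evaluate(rules: List[Rule], p: Packet, nat_enabled: bool = True) -> Tuple[str, str]:
    """First-match evaluation (pf 'quick' semantics); anything unmatched is denied."""
    if nat_enabled:
        p = port_forward(p)
    for r in rules:
        if r.matches(p):
            return r.action, r.description
    return "block", "default deny (no rule matched)"


BLOCK_PRIVATE = Rule("block", PRIVATE_NETS, ANY, None, "Block private networks")
ALLOW_WEB = Rule("pass", ANY, host(WEB_SERVER), 80, "Allow HTTP to web server")

# As posted: 'WAN address' as source only matches the firewall's own IP, so the reject
# rule never fires for Internet clients and the pass rule below it wins.
POSTED_RULES = [BLOCK_PRIVATE,
                Rule("reject", host(WAN_ADDRESS), [DMZ_NET], None, "Reject WAN address -> DMZ net"),
                ALLOW_WEB]

# Temporary lock-out: source 'any', placed above the pass rule (order matters, as Reply #1 says).
LOCKED_RULES = [BLOCK_PRIVATE,
                Rule("reject", ANY, [DMZ_NET], None, "Reject any -> DMZ net"),
                ALLOW_WEB]

# Alternative from Reply #3: disable the pass rule and let default deny do the rest.
DISABLED_RULES = [BLOCK_PRIVATE]


def demo() -> dict:
    """Verdict for one Internet HTTP request under each rule set, and with the NAT rule removed."""
    request = Packet(INTERNET_CLIENT, WAN_ADDRESS, 80)
    return {
        "as_posted": evaluate(POSTED_RULES, request)[0],
        "reject_any_on_top": evaluate(LOCKED_RULES, request)[0],
        "pass_rule_disabled": evaluate(DISABLED_RULES, request)[0],
        "nat_rule_deleted": evaluate(POSTED_RULES, request, nat_enabled=False)[0],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>20}: {verdict}")
```

Running it shows the posted rule set still passing the request, the "any -> DMZ net" reject on top of the list rejecting it, the disabled pass rule and the deleted NAT rule both ending in default deny. The last case is why removing the NAT rule "worked" in the original post: without the rewrite, the packet's destination is the WAN IP and no pass rule matches it.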
« Reply #8 on: October 07, 2012, 22:37:03 »
Lennart Grahl ***
Posts: 153

 Huh

Anyway, you've found the solution for your problem.
« Reply #9 on: October 08, 2012, 08:00:52 »
dan31 *
Posts: 8

Yes, I did, finally.
But are my thoughts correct? I just would like to be sure about how it really works...

Thanks,