Firewall rules to allow a single IP to a single IP in a blocked subnet

HarryCarter
Conversationalist

Firewall rules to allow a single IP to a single IP in a blocked subnet

Hi,

 

I have an IP range that I block all local LAN from, so I had set up rules 9 and 10 below which have been working fine, denying all of my internal ranges and then allowing anything else. However, I have a situation where I need to allow a couple of IPs which are fixed to access certain IPs within the blocked subnets. So I set up rule 8 which allows 10.4.26.41 and 10.4.31.245 to access 172.16.11.18 the rule 9 below then denies the subnet 172.16.11.0/24 so that might be why its counteracting it. 

 

 

image.png

 

Does anyone know the correct way to apply a configuration like this in order to suit my requirements?

 

Thank you in advance.

3 Replies 3
Nash
Kind of a big deal

Access control lists work like filtering potatoes: the potato goes through the first "hole" in the ACL that it fits through. If your traffic hits an allow that it meets the conditions for, it'll go through that "hole" before it hits the deny rule.

 

But potatoes only go one direction. ACLs send traffic back and forth.

 

Solution: Add a new rule after rule 8 to permit the traffic back from the 172.16.11 IPs to the 10.4.26 IPs. You need to have mirror rules.

HarryCarter
Conversationalist

Thanks, Nash for the fast response. 

 

Does that also mean I will need to mirror my deny rules to block everything both ways or is the deny rule 10 doing its job?

 

Thanks in advance

Nash
Kind of a big deal

To me, it's a best practice to create mirror rules by default. Otherwise the unblocked side can try to initiate some traffic, and I don't like that.

Get notified when there are additional replies to this discussion.