(imported comment written by junyoure91)
Jessewk,
I’m using the BF Firewall product. Here’s the XML ruleset: NS2 is the one that isn’t working as expected.
```xml
<Rule id="NS1" zone="2" priority="low" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="*" app="*" account="both" desc="Deny All">
<Rule id="NS2" zone="1" priority="high" dir="out" prot="tcp_udp" locport="*" remport="*" remaddr="10.32.0.1-10.95.255.255" app="*" account="both" desc="Deny access to Local LAN and other 10. Networks">
<Rule id="NS3" zone="1" priority="high" dir="in" prot="tcp_udp" locport="52311" remport="*" remaddr="*" app="*" account="both" desc="BigFix In">
<Rule id="NS4" zone="1" priority="high" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="127.0.0.1" app="*" account="both" desc="Loopback Control">
<Rule id="NS5" zone="1" priority="high" dir="out" prot="tcp" locport="*" remport="80" remaddr="*" app="*" account="both" desc="HTTP out">
<Rule id="NS6" zone="1" priority="high" dir="out" prot="tcp_udp" locport="*" remport="52311" remaddr="*" app="*" account="both" desc="BigFix out">
<Rule id="NS7" zone="1" priority="low" dir="in" prot="tcp" locport="21" remport="*" remaddr="*" app="*" account="both" desc="FTP in">
<Rule id="NS8" zone="1" priority="low" dir="in" prot="tcp" locport="22" remport="*" remaddr="*" app="*" account="both" desc="SSH in">
<Rule id="NS9" zone="1" priority="low" dir="in" prot="tcp" locport="3000" remport="*" remaddr="*" app="*" account="both" desc="some service 1">
<Rule id="NS10" zone="1" priority="low" dir="in" prot="tcp" locport="3001" remport="*" remaddr="*" app="*" account="both" desc="some service 2">
<Rule id="NS11" zone="1" priority="low" dir="in" prot="tcp" locport="3389" remport="*" remaddr="*" app="*" account="both" desc="RDP in">
<Rule id="NS12" zone="1" priority="low" dir="in" prot="tcp" locport="5402" remport="*" remaddr="172.19.16.1-172.19.16.254" app="*" account="both" desc="some service 3">
<Rule id="NS13" zone="1" priority="low" dir="in" prot="tcp" locport="5402" remport="*" remaddr="172.19.4.1-172.19.4.254" app="*" account="both" desc="some service 3">
<Rule id="NS14" zone="1" priority="low" dir="in" prot="tcp" locport="5402" remport="*" remaddr="192.168.6.1-192.168.6.255" app="*" account="both" desc="some service 3">
<Rule id="NS15" zone="1" priority="low" dir="in" prot="tcp" locport="80" remport="*" remaddr="*" app="*" account="both" desc="HTTP in">
<Rule id="NS16" zone="1" priority="low" dir="in" prot="tcp" locport="9002" remport="*" remaddr="172.19.16.1-172.19.16.254" app="*" account="both" desc="some service 4">
<Rule id="NS17" zone="1" priority="low" dir="in" prot="tcp" locport="9002" remport="*" remaddr="172.23.24.1-172.23.24.254" app="*" account="both" desc="some service 4">
<Rule id="NS18" zone="1" priority="low" dir="in_out" prot="other" prot_num="2" remaddr="*" app="*" account="system" desc="some service 5">
<Rule id="NS19" zone="1" priority="low" dir="in_out" prot="tcp" locport="5402" remport="*" remaddr="172.21.75.1-172.21.75.254" app="*" account="both" desc="some service 5">
<Rule id="NS20" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="21" remaddr="*" app="*" account="both" desc="FTP out">
<Rule id="NS21" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="3389" remaddr="172.23.192.22" app="*" account="both" desc="RDP to some server">
<Rule id="NS22" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="443" remaddr="*" app="*" account="both" desc="HTTPS out">
<Rule id="NS23" zone="1" priority="low" dir="out" prot="udp" locport="*" remport="53" remaddr="*" app="*" account="both" desc="DNS out">
<Rule id="NS24" zone="1" priority="low" dir="out" prot="tcp" locport="*" remport="38080" remaddr="172.22.192.16-172.22.192.22" app="*" account="both" desc="some service for testing">
<Rule id="NS25" zone="1" priority="low" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="*" app="*" account="both" desc="Prevent Everything Else">
```
A specific example would be a client at IP 10.32.0.50, which should not be able to reach any other IP between 10.32.0.1 and 10.95.255.255. NS2 is blocking packets to 10.32.0.63 (the local subnet broadcast), but not to the web interface of the gateway at 10.32.0.1.
thanks.
-Jr.
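A useful check when one rule seems to be ignored is to list every rule whose criteria match the packet in question, since an overlapping rule of equal priority is a common cause. The following is an added example, not code from the post or from the BF Firewall product: it evaluates a constructed, well-formed subset of the ruleset above (NS1, NS2, NS5, NS25) against the two packets the poster describes, assuming the gateway's web interface is reached over TCP/80 and treating `remaddr` as either `*`, a single address, or an inclusive `first-last` range. How the product itself resolves two high-priority matches is not shown here.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed subset of the posted ruleset, wrapped in a root element so it parses as XML.
RULES_XML = """<Rules>
<Rule id="NS1" zone="2" priority="low" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="*" app="*" desc="Deny All"/>
<Rule id="NS2" zone="1" priority="high" dir="out" prot="tcp_udp" locport="*" remport="*" remaddr="10.32.0.1-10.95.255.255" app="*" desc="Deny access to Local LAN and other 10. Networks"/>
<Rule id="NS5" zone="1" priority="high" dir="out" prot="tcp" locport="*" remport="80" remaddr="*" app="*" desc="HTTP out"/>
<Rule id="NS25" zone="1" priority="low" dir="in_out" prot="tcp_udp" locport="*" remport="*" remaddr="*" app="*" desc="Prevent Everything Else"/>
</Rules>"""

def addr_matches(spec, addr):
    """remaddr is '*', a single IPv4 address, or an inclusive 'first-last' range (assumed semantics)."""
    if spec == "*":
        return True
    ip = int(ipaddress.ip_address(addr))
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(p)) for p in spec.split("-", 1))
        return lo <= ip <= hi
    return ip == int(ipaddress.ip_address(spec))

def port_matches(spec, port):
    return spec == "*" or int(spec) == port

def dir_matches(spec, direction):
    return spec == "in_out" or spec == direction

def prot_matches(spec, prot):
    return spec == prot or (spec == "tcp_udp" and prot in ("tcp", "udp"))

def matching_rules(rules_xml, zone, direction, prot, locport, remport, remaddr):
    """Return the ids of all rules whose criteria match the packet, high priority first, document order otherwise."""
    hits = []
    for rule in ET.fromstring(rules_xml).iter("Rule"):
        a = rule.attrib
        if (a["zone"] == zone and dir_matches(a["dir"], direction)
                and prot_matches(a["prot"], prot)
                and port_matches(a.get("locport", "*"), locport)
                and port_matches(a.get("remport", "*"), remport)
                and addr_matches(a.get("remaddr", "*"), remaddr)):
            hits.append((a["priority"], a["id"]))
    hits.sort(key=lambda h: 0 if h[0] == "high" else 1)  # stable: keeps document order within a priority
    return [h[1] for h in hits]

if __name__ == "__main__":
    # Outbound TCP/80 to the gateway: NS2 and NS5 both match at high priority, so the two overlap.
    print(matching_rules(RULES_XML, "1", "out", "tcp", 50000, 80, "10.32.0.1"))
    # Outbound UDP to the subnet broadcast on an arbitrary port: NS2 is the only high-priority match.
    print(matching_rules(RULES_XML, "1", "out", "udp", 50000, 137, "10.32.0.63"))
```

The first call reports both NS2 and NS5 as high-priority matches while the second reports only NS2, which is the overlap worth checking against the product's documented precedence for allow versus deny rules of equal priority.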