In this example, we look at the rule that is similar to the previous one, but also matches source address. This rule permits access to the mail server inside from mail relay on DMZ and from no other source. Generated rules for iptables and pf are very similar, they just add source address matching. Generated rules for PIX are different because now the program can intelligently pick the right access list and avoid generating redundant rules.
Here is the code generated for iptables from this rule:
# Rule 0 (global) # $IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.2.22 -d 192.168.1.100 \ --dport 25 -m state --state NEW -j ACCEPT
Since the source rule element was limited to the host on DMZ, the generated iptables rule is placed only in the FORWARD chain and also matches the source using "-s" clause.
Let's look at the configuration generated for PIX from the same rule:
! Rule 0 (global) ! access-list dmz50_acl_in remark 0 (global) access-list dmz50_acl_in permit tcp host 192.168.2.22 host 192.168.1.100 eq 25 access-group dmz50_acl_in in interface dmz50 access-group inside_acl_in in interface inside access-group outside_acl_in in interface outside
The rule was placed only in the access list attached to the DMZ interface, because packets with source address of the host on DMZ can only cross this interface of the firewall, assuming that spoofed packets are blocked by special rule, which is discuss below.
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.