Block traffic between interfaces?

Started by deanfourie, February 11, 2025, 01:25:37 PM

OK, I don't know why this is so hard,

But I am trying to block traffic between 3 LAN interfaces. I have 3 interfaces set up, LAN1, LAN2 and LAN3. From LAN1, I can reach LAN2 and LAN3.

I have created a firewall rule on LAN1 to BLOCK from ANY OUT to LAN2Net and LAN3Net, this did not work. I also created a rule to BLOCK from ANY to single host or network and specified the network 192.168.2.0/24.

This also did not work; rule is positioned above any allow rules.

Any ideas what I am doing wrong here?

"out" means that the rule is evaluated (for the respective interface) when a packet initiating a connection/session is exiting the firewall through that interface. When a host on LAN1 connects to a host on LAN2, the connection enters the firewall ("in") on the LAN1 interface, and exits the firewall ("out") on the LAN2 interface. Filtering is generally done on the inbound interface, for efficiency reasons.

Adding new rules when connections are already established is also going to be ineffective.
New rules DO NOT invalidate existing state/sessions.
So be mindful of that when testing.

Block rules are rarely needed. You might want to tailor the rule(s) that allow too much.
For example, if your goal is for LAN to access the internet only (not other LANs), instead of the default allow all, you essentially need 2 rules:
* Allow LAN_net to !rfc1918_addresses (the latter is an alias you create for the 3 ranges defined in that RFC about private networks).
* Allow LAN_net to LAN_address port 53 (to allow DNS to the GW)

And indeed, use in (from the perspective of the FW) rules on the interface originating traffic.
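Added example, not part of the thread and not OPNsense/pf code: a small Python model of first-match firewall rule evaluation that reproduces the three points made in the replies. It shows why a BLOCK rule in the "out" direction on LAN1 is never consulted for LAN1-to-LAN2 traffic (that traffic enters "in" on LAN1 and exits "out" on LAN2), that a block rule added afterwards does not affect a flow that already has state, and that the two "in" allow rules (LAN net to !rfc1918, plus DNS to the interface address) give internet-only access with everything else hitting the default deny. The addresses (192.168.1.0/24 to 192.168.3.0/24 with the firewall at .1) and the evaluation order are constructed assumptions; real pf state and rule semantics are richer than this toy.

```python
"""Toy first-match firewall evaluator. Constructed example; it simplifies
pf semantics: rules on the ingress interface ("in") are tried first, then
rules on the egress interface ("out"); the first match decides; no match
means default deny; a pass creates state that short-circuits later lookups."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional

IP = ipaddress.IPv4Address
Pred = Callable[[IP], bool]

# Assumed topology: three LANs, firewall holds the .1 address on each.
LAN_CIDRS = {"LAN1": "192.168.1.0/24", "LAN2": "192.168.2.0/24", "LAN3": "192.168.3.0/24"}
LANS = {name: ipaddress.ip_network(cidr) for name, cidr in LAN_CIDRS.items()}
LAN_ADDRESS = {name: network[1] for name, network in LANS.items()}
# The three ranges from RFC 1918, as the reply's "rfc1918_addresses" alias.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def net(cidr: str) -> Pred:
    network = ipaddress.ip_network(cidr)
    return lambda ip: ip in network

def alias(networks) -> Pred:
    return lambda ip: any(ip in n for n in networks)

def negate(pred: Pred) -> Pred:          # the "!" (invert) checkbox on an alias
    return lambda ip: not pred(ip)

def host(address: IP) -> Pred:
    return lambda ip: ip == address

def any_addr(ip: IP) -> bool:
    return True

def iface_for(ip: IP) -> str:
    """Interface a packet to/from this address uses; anything non-LAN is WAN."""
    for name, network in LANS.items():
        if ip in network:
            return name
    return "WAN"


@dataclass(frozen=True)
class Flow:
    src: IP
    dst: IP
    dport: int

@dataclass
class Rule:
    iface: str
    direction: str      # "in" or "out", from the firewall's perspective
    action: str         # "pass" or "block"
    src: Pred
    dst: Pred
    dport: Optional[int] = None

    def matches(self, iface: str, direction: str, flow: Flow) -> bool:
        return (self.iface == iface and self.direction == direction
                and self.src(flow.src) and self.dst(flow.dst)
                and self.dport in (None, flow.dport))

@dataclass
class Firewall:
    rules: List[Rule]
    states: set = field(default_factory=set)

    def evaluate(self, flow: Flow) -> str:
        if flow in self.states:                 # existing state wins, rules are not consulted
            return "pass (existing state)"
        hops = ((iface_for(flow.src), "in"), (iface_for(flow.dst), "out"))
        for iface, direction in hops:
            for rule in self.rules:             # first match on this hop decides
                if rule.matches(iface, direction, flow):
                    if rule.action == "block":
                        return f"block ({rule.iface} {rule.direction} rule)"
                    self.states.add(flow)
                    return "pass"
        return "block (default deny)"


def original_poster_rules() -> List[Rule]:
    """What the question tried: BLOCK on LAN1 in the 'out' direction, above the stock allow-all."""
    return [Rule("LAN1", "out", "block", any_addr, net("192.168.2.0/24")),
            Rule("LAN1", "in", "pass", net(LAN_CIDRS["LAN1"]), any_addr)]

def internet_only_rules(lan: str = "LAN1") -> List[Rule]:
    """The reply's two 'in' rules on the originating interface: internet only, plus DNS to the gateway."""
    return [Rule(lan, "in", "pass", net(LAN_CIDRS[lan]), negate(alias(RFC1918))),
            Rule(lan, "in", "pass", net(LAN_CIDRS[lan]), host(LAN_ADDRESS[lan]), dport=53)]

def demo() -> dict:
    lan1_host = IP("192.168.1.10")
    to_lan2 = Flow(lan1_host, IP("192.168.2.20"), 80)
    to_internet = Flow(lan1_host, IP("203.0.113.5"), 443)   # documentation range, stands in for "the internet"
    to_gw_dns = Flow(lan1_host, LAN_ADDRESS["LAN1"], 53)

    fw = Firewall(original_poster_rules())
    results = {"op_lan1_to_lan2": fw.evaluate(to_lan2)}     # passes: LAN1 "out" rule never consulted
    # A block rule added afterwards does not invalidate the state already created.
    fw.rules.insert(0, Rule("LAN1", "in", "block", any_addr, net("192.168.2.0/24")))
    results["op_after_block_same_flow"] = fw.evaluate(to_lan2)
    results["op_after_block_new_flow"] = fw.evaluate(Flow(lan1_host, IP("192.168.2.20"), 443))

    fw2 = Firewall(internet_only_rules())
    results["rec_lan1_to_internet"] = fw2.evaluate(to_internet)
    results["rec_lan1_to_lan2"] = fw2.evaluate(to_lan2)     # no rule matches: default deny
    results["rec_lan1_to_gw_dns"] = fw2.evaluate(to_gw_dns)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

When testing a new block rule on a real firewall, the second scenario is the one that bites: the flow you are watching already has a state entry, so either wait for it to expire, reset the states, or test with a fresh connection.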