
Negate

It just does a reverse of what it would be normally.

You create a rule that allows:

src = DMZ net
dst = Internal Network (Negate)
srv = http
action = Allow

This permits the DMZ to HTTP to the Internet without having to define 2 rules.

One that would BLOCK DMZ to HTTP to the Internal Network and the other to PERMIT DMZ to HTTP to ANY.

It is quite common to see a group defined that contains all of the internal and dmz networks and then negate that group in the destination column to allow internet access.

This therefore allows access to anywhere but the networks group.

The negate can also be on the service:

src = DMZ net
dst = Internal Network (Negate)
srv = Negate DNS, Ping, Telnet
action = Allow

This allows DMZ to do any service except ping and DNS queries anywhere except to internal networks.

Can't explain it any simpler than this.

6 votes
Anonymous shared this idea
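To make the semantics concrete, here is an added example (not code from the original post or from any firewall vendor) that models a rule base where each column carries its own negate flag and evaluates constructed sample flows against it. It shows that the single negated rule from the post produces the same verdicts as the BLOCK-then-PERMIT pair it replaces, and how the service negate behaves; the address ranges and flows are assumptions made up for the demonstration.

```python
import ipaddress

# Constructed address ranges and sample flows; not taken from the original post.
DMZ = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

def field_hit(field, value, values):
    """Plain (un-negated) match of one flow field against a rule column."""
    if values == "any":
        return True
    if field == "srv":
        return value in values
    ip = ipaddress.ip_address(value)
    return any(ip in net for net in values)

def rule_matches(rule, flow):
    """Each column is (values, negate); negate flips the sense of that column only."""
    for f in ("src", "dst", "srv"):
        values, negate = rule[f]
        if field_hit(f, flow[f], values) == negate:
            return False
    return True

def first_match(rules, flow):
    """Top-down, first-match evaluation with an implicit final deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule["action"]
    return "deny"

# The post's single rule: src DMZ, dst Internal (Negate), srv http, allow.
NEGATED = [{"src": (DMZ, False), "dst": (INTERNAL, True), "srv": ({"http"}, False), "action": "allow"}]
# The two-rule form it replaces: block DMZ->Internal http, then permit DMZ->any http.
TWO_RULES = [
    {"src": (DMZ, False), "dst": (INTERNAL, False), "srv": ({"http"}, False), "action": "deny"},
    {"src": (DMZ, False), "dst": ("any", False), "srv": ({"http"}, False), "action": "allow"},
]
# The post's service negate: any service except DNS, ping, telnet, anywhere but Internal.
SRV_NEGATED = [{"src": (DMZ, False), "dst": (INTERNAL, True),
                "srv": ({"dns", "ping", "telnet"}, True), "action": "allow"}]
FLOWS = [  # constructed sample flows
    {"src": "192.0.2.10", "dst": "203.0.113.5", "srv": "http"},  # DMZ -> Internet, HTTP
    {"src": "192.0.2.10", "dst": "10.1.2.3", "srv": "http"},     # DMZ -> Internal, HTTP
    {"src": "192.0.2.10", "dst": "203.0.113.5", "srv": "dns"},   # DMZ -> Internet, DNS
    {"src": "192.0.2.10", "dst": "203.0.113.5", "srv": "smtp"},  # DMZ -> Internet, SMTP
    {"src": "10.9.9.9", "dst": "203.0.113.5", "srv": "http"},    # Internal -> Internet, HTTP
]
def evaluate(rules):
    return [first_match(rules, flow) for flow in FLOWS]
```

Note that a negated destination still relies on the "Internal" group being complete: any internal range missing from the group is silently treated as "not internal" and becomes reachable from the DMZ.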

    1 comment

Anonymous commented

DARN, can't edit! Obviously I meant to say:

        This permits the DMZ to HTTP to the Internet without having to define 2 rules
