Thank you for the reply. I didn't do the exact setup as described in the article, but used it as a basis for a successful configuration. Question: If I'm trying to protect my LAN from the IoT segment, why do I put that ruleset on the switch0/out interface? Intuitively, I would expect to put it on switch0/in because I'm dropping all traffic with a source of my DMZ. Isn't switch0/in where a person would expect rules for traffic inbound to switch0 (not outbound from switch0, as switch0/out would imply)?
Again, I'm new...
Thanks,
-Mark
firewall {
all-ping enable
broadcast-ping disable
/* Address groups used by the rulesets below. DMZ matches the eth1 (IoT)
   subnet and LAN matches the switch0 subnet as addressed under interfaces. */
group {
network-group DMZ {
description "DMZ"
network 192.168.1.0/24
}
network-group LAN {
description "Local Area Network"
network 192.168.2.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Attached as eth1 "out" (see interfaces): in EdgeOS an "out" ruleset is
   evaluated on traffic the router forwards out of that interface, i.e. toward
   the IoT hosts. Rule 1 keeps replies to sessions IoT hosts already opened,
   rule 2 drops anything sourced from the LAN group, default-action drop covers
   the rest. Only IPv4 ("name") rulesets are defined here. */
name PROTECT_IOT {
default-action drop
rule 1 {
action accept
description "Accept Established/Related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 2 {
action drop
description "Drop LAN traffic"
log disable
protocol all
source {
group {
network-group LAN
}
}
}
}
/* Attached as switch0 "out" (see interfaces): evaluated on traffic forwarded
   out of switch0 toward the LAN hosts, which is why a rule matching
   source = DMZ lands here rather than on switch0 "in". */
name PROTECT_LAN {
default-action drop
rule 1 {
action accept
description "Accept Established/Related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
/* NOTE(review): description says "LAN" but the match is the DMZ network-group;
   a description such as "Drop DMZ/IoT sourced traffic" would reflect the rule. */
rule 2 {
action drop
description "Drop LAN traffic"
log disable
protocol all
source {
group {
network-group DMZ
}
}
}
}
/* Forwarded traffic arriving on eth0 from the Internet: only replies to
   established/related sessions are accepted, invalid is dropped explicitly,
   and new inbound connections fall through to default-action drop. */
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
/* Traffic from the Internet addressed to the router itself: same shape as
   WAN_IN, so no router-local service is reachable from eth0 for new sessions. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
/* Internet uplink: WAN_IN filters forwarded traffic, WAN_LOCAL filters traffic
   destined to the router itself. */
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
speed auto
}
/* IoT segment (192.168.1.0/24 = DMZ group). PROTECT_IOT is bound as "out",
   so it applies to traffic the router sends toward the IoT hosts. No "in" or
   "local" ruleset is bound here, so traffic from IoT hosts to the router's own
   services on this interface is not covered by any ruleset in this config;
   a "local" ruleset is the place to restrict that if desired. */
ethernet eth1 {
address 192.168.1.1/24
description "Iot Devices"
duplex auto
firewall {
out {
name PROTECT_IOT
}
}
speed auto
}
/* eth2-eth4 carry no addresses of their own; they are members of switch0 below. */
ethernet eth2 {
description LAN
duplex auto
speed auto
}
ethernet eth3 {
description Unassigned
duplex auto
speed auto
}
ethernet eth4 {
description Printer
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
/* LAN segment (192.168.2.0/24 = LAN group) spanning eth2-eth4. PROTECT_LAN is
   bound as "out", i.e. to traffic forwarded out of switch0 toward LAN hosts;
   the DMZ-sourced drop in that ruleset therefore takes effect here. As with
   eth1, no "local" ruleset is bound on this interface. */
switch switch0 {
address 192.168.2.1/24
description Switch
firewall {
out {
name PROTECT_LAN
}
}
mtu 1500
switch-port {
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}