ACL to block traffic between Ethernet ports on router?

dan.tesch · ‎07-31-2007

I noticed by accident that some (not all) traffic is passing between my DMZ and LAN ports. I would have thought that a router would not forward traffic from one port to another w/o a rule specifically allowing this.

What would be the rule I would want to apply to block everything (I have a different firewall allowing required traffic) would it just be deny ip subnet subnet any? would I apply that to the DMZ interface out or the LAN interface in?

Richard Burts · ‎07-31-2007

Dan

There are parts of your post that I do not understand well but I have some comments that I believe address your concerns. If my comments do not resolve it then perhaps you can clarify some things and we can get to a resolution.

First I would comment on this in your post:

"I would have thought that a router would not forward traffic from one port to another w/o a rule specifically allowing this"

The basic operating principle of the router is that if traffic is received on one interface and the router knows how to forward toward the destination then the router will forward on the best path toward the destination. There is no need for any rule to allow this, and if there is some traffic which you want the router to not forward then you need to configure rules (access lists) to prevent it.

If you do not want these two subnets to talk to each other through the router then you need access lists configured to deny this traffic and to permit other traffic. You probably could manage to do this with one access list, but my suggestion would be to write two access lists. I would suggest placing an access list inbound on each of the interfaces to deny traffic to the other subnet and to permit other traffic.

HTH

Rick

HTH

Rick