RE: Allow external access to webserver from set IP(s) only

Bill Brewster — Sat, 20 Jul 2019 19:55:22 GMT

Thanks so much Douglas. I was actually in the process of replying to my own post saying I should have read the Rulz because that explained the stacking order for filtering of which firewall rules are last after proxies hah!

I was setting up a DNAT to a blackhole then bypassing that for allowed IPs when you replied which made me grin as I would have taken forever to find that little checkbox on the site path route tab. Thanks again for saving me considerable time and explaining it to me :).

RE: Allow external access to webserver from set IP(s) only

DouglasFoster — Sat, 20 Jul 2019 19:42:48 GMT

Yes, you can restrict by user, by IP address, or both.

To restrict by source IP

Site Path Routing... Edit one of the paths...

Check the box for "Access Control". Two list boxes will appear, one for Allowed Networks and one for Denied Networks. Define your Allowed Networks and click [Save]

This allows you to have different restrictions for different parts of the website, but it also means that you need to configure each applicable Site Path Route.

To restrict by user

Define a Reverse Protection rule and apply it to the Site Path Route(s).

On architecture, you have experienced the normal new-user surprise. UTM is a series of mutually-exclusive packet filters. "Firewall Rules" is the packet filter of last resort, which is invoked only when the packet bypasses all of the more sophisticated filtering tools. UTM is also not directional. It only knows "inside" and "outside" based on the rules that you create. The WiKi section has several articles that address information needed by new users, but which is not in the manuals. Also look for the post titled "Rulz", which has important information, including the hierarchy of events in packet processing.

UTM takes a different kind of thinking than with other firewalls, but it works after you understand the architecture.