Given the following network diagram:
              internet
                 |
                 |
        +--------+--------+
        |                 |
    dmz2 ----+       +---- lan
        |                 |
        +--------+--------+
                 |
                 |
               dmz1

    internet: 0.0.0.0/0
    dmz1:     192.168.10.0/24
    dmz2:     192.168.20.0/24
    lan:      192.168.30.0/24
I would like to add a rule to allow traffic from all interfaces to the internet. LAN should additionally be able to access DMZ1 and DMZ2. I can of course use something like:
    dmz1: ACCEPT dst != 192.168.0.0/16
    dmz2: ACCEPT dst != 192.168.0.0/16
    lan:  ACCEPT always
However, if we later add a third DMZ in 10.0.0.0/8, the rules break. Is there a way to add a robust rule that matches on the internet interface?
You could make an alias INTERNAL_NET and add the network 192.168.0.0/16 to it. Use the alias in your rules. Then, as needs change in the future, you can always add the new networks to the alias without having to change the rules.
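The alias approach described in this answer, modelled as an added example (not code from the original post or from any particular firewall product): the per-interface rules reference the alias INTERNAL_NET, so adding 10.0.0.0/8 to the alias makes the existing DMZ rules deny the new network without editing them. The interface names and addresses are constructed to match the question.

```python
import ipaddress

# Constructed alias: the one place that lists all internal networks.
# Rules reference the alias, never the networks themselves.
INTERNAL_NET = {ipaddress.ip_network("192.168.0.0/16")}


def make_alias(*cidrs):
    """Build an alias (set of networks) from CIDR strings."""
    return {ipaddress.ip_network(c) for c in cidrs}


def add_internal(alias, cidr):
    """Extend the alias in place; every rule using it picks up the change."""
    alias.add(ipaddress.ip_network(cidr))
    return alias


def in_alias(addr, alias):
    """True if addr falls inside any network listed in the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


def allowed(src_iface, dst, alias=INTERNAL_NET):
    """Evaluate the policy for a packet arriving on src_iface bound for dst.

    lan:  ACCEPT always (may reach the internet and every DMZ)
    dmz*: ACCEPT only if dst is NOT in INTERNAL_NET (internet only)
    anything else: default deny
    """
    if src_iface == "lan":
        return True
    if src_iface.startswith("dmz"):
        return not in_alias(dst, alias)
    return False


if __name__ == "__main__":
    alias = make_alias("192.168.0.0/16")
    print("dmz1 -> internet:", allowed("dmz1", "203.0.113.7", alias))   # True
    print("dmz1 -> lan:     ", allowed("dmz1", "192.168.30.9", alias))  # False
    print("dmz1 -> 10/8:    ", allowed("dmz1", "10.1.2.3", alias))      # True (hole)
    add_internal(alias, "10.0.0.0/8")                                   # fix via alias
    print("dmz1 -> 10/8:    ", allowed("dmz1", "10.1.2.3", alias))      # False
```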