Blocking specific ORANGE hosts from getting internet access?

HI All,

firewall release 156 in use here.

I have in my DMZ, a VMWare farm and 4 CCTV cameras

I have created a CCTV camera group

x.x.x.200 (camera 1)
x.x.x.203 (camera 4)

I create a firewall rule:

from host network group CCTV-CAMS
[NAT disabled]
to standard networks RED
Protocol ALL
Action DROP
Log rule
Rule position 1

I apply the change
I reboot IPfire in case there is floating persistent connection

I go back into the logs 5 minutes later - cameras still trying to UDP call their Chinese / US motherships in the FWFORWARD table not resulting in a DROP

is this because the default rule for the DMZ is ORANGE->RED = open ?

is it actually possible to deny specific DMZ hosts internet access ?

And if yes, what am I doing wrong please ?

Many thanks


I have an old firewall rule (not currently used) that is set-up very similar. The difference is the network group. I use Source address (MAC/IP address or network)

To experiment (testing only) try blocking one one IP address instead of a group.

Another separate experiment (testing only) would be to change the Destination from RED to Any.