I have updated our Blue Access Wiki page to add a tutorial on how to block access to the WUI by creating a rule using the Firewall WUI. Having tested this myself, I believe it is no longer true that the blocking rule has to be entered only via the firewall.local script. Several people have already noticed this and there have been a few discussions in the community about this point.
In case I am terribly wrong and did a poor job testing this, please verify that the modified wiki page conforms with reality. I appreciate the effort and thank you in advance.
As far as I'm concerned, you also need to deny traffic from the BLUE network to the GREEN firewall interface, because access to the firewall interfaces (no matter which network) is not prohibited from local networks, even if there is no pinhole from BLUE to the GREEN network.
You may also consider denying traffic on ports 22, 222 or wherever SSH is listening.
The most secure way would be to deny ALL traffic to the firewall interfaces, except for ports 53 (DNS) and 123 (NTP) and maybe others (depending on what services you use), and allow "full access" only to specific devices which are meant for management. =)
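The "deny everything to the firewall interfaces except DNS/NTP, allow full access only from management devices" policy from the post above, together with the earlier point that the GREEN interface address is reachable from BLUE even without a pinhole, as an added example. This is not content from the wiki page, the thread, or IPFire itself: the addressing (BLUE 192.168.2.0/24 with blue0 at 192.168.2.1, green0 at 192.168.1.1), the management host 192.168.2.50, and the WUI/SSH ports used in the checks are assumptions constructed for the demo. The model evaluates packets against an ordered rule list, first match wins, and renders the same rules as iptables lines of the kind that would go into firewall.local.

```python
"""Model of a 'block BLUE -> firewall interfaces' policy (added example).

Not code from the thread or from IPFire.  All addresses, the management
host and the port numbers below are assumptions constructed for the demo.
"""
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed for this example)
BLUE_NET = ip_network("192.168.2.0/24")
FIREWALL_IFACE_IPS = frozenset({
    ip_address("192.168.2.1"),   # blue0: reachable from BLUE directly
    ip_address("192.168.1.1"),   # green0: still reachable without a pinhole
})
MGMT_HOSTS = frozenset({ip_address("192.168.2.50")})  # assumed admin laptop
ALLOWED_SERVICE_PORTS = frozenset({53, 123})          # DNS and NTP
ANY = None

# Ordered rule list: (action, source, destination set, port set).
# Order matters: the management allow and the service allows must come
# before the catch-all drop, otherwise they never match.
RULES = [
    ("ACCEPT", MGMT_HOSTS, FIREWALL_IFACE_IPS, ANY),
    ("ACCEPT", BLUE_NET, FIREWALL_IFACE_IPS, ALLOWED_SERVICE_PORTS),
    ("DROP", BLUE_NET, FIREWALL_IFACE_IPS, ANY),
]


def evaluate(src, dst, dport, rules=RULES):
    """Return the verdict for one packet; the first matching rule wins.

    The default is ACCEPT, mirroring the behaviour described in the thread:
    local networks may reach any firewall interface unless a rule stops them.
    """
    src, dst = ip_address(src), ip_address(dst)
    for action, src_spec, dst_spec, ports in rules:
        if src_spec is not ANY and src not in src_spec:   # set or network
            continue
        if dst_spec is not ANY and dst not in dst_spec:
            continue
        if ports is not ANY and dport not in ports:
            continue
        return action
    return "ACCEPT"


def to_iptables(rules=RULES, chain="CUSTOMINPUT"):
    """Render the rule list as iptables commands for a firewall.local script.

    Port-restricted rules are emitted for both tcp and udp, since DNS and NTP
    are used over both.  Sets are sorted so the output is deterministic.
    """
    cmds = []
    for action, src_spec, dst_spec, ports in rules:
        srcs = [str(s) for s in sorted(src_spec)] if isinstance(src_spec, frozenset) else [str(src_spec)]
        dsts = [str(d) for d in sorted(dst_spec)] if dst_spec is not ANY else [None]
        for s in srcs:
            for d in dsts:
                base = f"iptables -A {chain} -s {s}" + (f" -d {d}" if d else "")
                if ports is ANY:
                    cmds.append(f"{base} -j {action}")
                    continue
                for proto in ("tcp", "udp"):
                    for port in sorted(ports):
                        cmds.append(f"{base} -p {proto} --dport {port} -j {action}")
    return cmds


if __name__ == "__main__":
    # Assumed ports: 444 for the WUI, 222 for SSH (constructed for the demo)
    for src, dst, port in [("192.168.2.77", "192.168.2.1", 444),
                           ("192.168.2.77", "192.168.1.1", 444),
                           ("192.168.2.77", "192.168.1.1", 222),
                           ("192.168.2.77", "192.168.2.1", 53),
                           ("192.168.2.50", "192.168.2.1", 444)]:
        print(f"{src} -> {dst}:{port}  {evaluate(src, dst, port)}")
    print("\n".join(to_iptables()))
```

The second probe in the main block is the one that matters for the GREEN-interface point: a BLUE client aiming at 192.168.1.1:444 is dropped only because green0's address is in the destination set; a rule that named just the blue0 address would leave that path open. A host on GREEN itself is untouched by these rules, because the source match is the BLUE network only.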
Are you sure about that? I have never tested this, but I assumed you can't access the whole network, including the firewall interface. I will check this later. In any case, this can be easily fixed.