
I have configured an AWS Firewall in our testing account, pretty much following the standard setup procedure as documented by AWS. From our private subnet, outbound traffic heading to the internet is directed towards the firewall subnet, where we have another route table directing traffic through the firewall and out to the NAT gateway. The NAT gateway exists in the public subnet and within that subnet there is a route that permits outbound traffic to the internet out via the internet gateway. Within the firewall, the stateless default rule for all packets is to direct them to the stateful rule groups. There are no other stateless rule groups. As for the stateful rule groups, there is one domain list rule group supposedly allowing traffic to ".google.com". The default rule is set to drop established connections.

Here is the problem I am facing: whenever I enable the default rule of "drop established", it continues to permit all traffic through the firewall. It doesn't appear to actually take any effect or drop any traffic to other domains. Does anyone have any experience with this?

1 Answer


I realise this is an old question but I spent the day with the exact same issue.

In my case I had missed the return route from the public subnet configuration.

Whilst I had the 0.0.0.0/0 route sent to the internet gateway, the VPC CIDR range was still set to local, so the return traffic did not go back through the firewall. I presume that's when it drops the packet.

The fix was to update the route table and set the VPC CIDR block route to the firewall rather than local.

tl;dr; make sure your route table sends traffic both ways through the firewall.

bgs264
  • 119
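The routing asymmetry the answer describes can be traced offline. The script below is an added example, not code from the question, the answer, or AWS; it models a VPC route table as a longest-prefix-match lookup and walks a packet through the three subnets from the question (private subnet, firewall subnet, public subnet). All CIDRs, host addresses and target names (`vpce-fw`, `nat-gw`, `igw`) are assumed for the example. It shows the egress path going through the firewall endpoint in both configurations, and the reply path from the NAT gateway back to the private host bypassing the firewall when the public subnet's table only has the VPC-wide local route. The fixed table adds a more-specific route for the private subnet CIDR that points at the firewall endpoint; because route selection is longest-prefix match, that /24 wins over the /16 local route, so the stateful engine sees both halves of the flow.

```python
import ipaddress

# Constructed topology; every address and identifier here is assumed for the
# example and is not taken from the original post.
SUBNETS = {
    "private":  "10.0.1.0/24",   # workloads; default route -> firewall endpoint
    "firewall": "10.0.2.0/24",   # hosts the Network Firewall endpoint
    "public":   "10.0.3.0/24",   # hosts the NAT gateway; has the IGW route
}

# Route tables as (destination CIDR, target) lists. Targets used:
#   local    - deliver inside the VPC
#   vpce-fw  - the firewall endpoint (traffic re-emerges in the firewall subnet)
#   nat-gw   - the NAT gateway (traffic re-emerges in the public subnet)
#   igw      - the internet gateway
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "vpce-fw")]
FIREWALL_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gw")]

# Public subnet table as in the question: replies to the VPC match the
# local route and never revisit the firewall.
PUBLIC_RT_BROKEN = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]

# The fix: a more-specific route for the private subnet CIDR that targets the
# firewall endpoint. Longest-prefix match prefers the /24 over the /16 local route.
PUBLIC_RT_FIXED = [
    ("10.0.0.0/16", "local"),
    ("10.0.1.0/24", "vpce-fw"),
    ("0.0.0.0/0", "igw"),
]


def lookup(route_table, dst):
    """Return the target of the most specific route matching dst (None if none)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_of(ip):
    """Name of the subnet that contains ip, or None for addresses outside the VPC."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def trace(start_subnet, dst, public_rt):
    """Walk a packet from start_subnet toward dst, returning the hops it visits.

    After the firewall endpoint the firewall subnet's table applies; after the
    NAT gateway the public subnet's table applies. That mirrors how the packet
    re-enters VPC routing in each case.
    """
    tables = {"private": PRIVATE_RT, "firewall": FIREWALL_RT, "public": public_rt}
    hops = [start_subnet]
    subnet = start_subnet
    for _ in range(8):  # guard against a misconfigured routing loop
        target = lookup(tables[subnet], dst)
        if target == "local":
            hops.append(subnet_of(dst))
            return hops
        if target == "igw":
            hops.extend(["igw", "internet"])
            return hops
        if target == "vpce-fw":
            hops.append("firewall-endpoint")
            subnet = "firewall"
        elif target == "nat-gw":
            hops.append("nat-gw")
            subnet = "public"
        else:
            hops.append("blackhole")
            return hops
    hops.append("loop")
    return hops


def is_symmetric(public_rt, private_host, remote_ip):
    """True when both the request and the reply pass through the firewall endpoint."""
    egress = trace("private", remote_ip, public_rt)
    # The reply arrives at the NAT gateway, is un-NATed, and is then routed by
    # the public subnet's table toward the private host.
    reply = trace("public", private_host, public_rt)
    return "firewall-endpoint" in egress and "firewall-endpoint" in reply


if __name__ == "__main__":
    for label, rt in (("broken", PUBLIC_RT_BROKEN), ("fixed", PUBLIC_RT_FIXED)):
        print(label, "egress:", trace("private", "93.184.216.34", rt))
        print(label, "reply: ", trace("public", "10.0.1.10", rt))
        print(label, "symmetric through firewall:", is_symmetric(rt, "10.0.1.10", "93.184.216.34"))
```

The same check translates directly to a live VPC: look at the public subnet's route table and confirm there is a route whose destination is the private subnet CIDR and whose target is the firewall endpoint; if the only in-VPC route is the local one, replies skip the stateful engine and a "drop established" default has nothing to act on.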