OPNsense Forum

English Forums => General Discussion => Topic started by: Steve28 on May 30, 2020, 07:32:40 PM

Title: what exactly is "This Firewall" as a destination?
Post by: Steve28 on May 30, 2020, 07:32:40 PM
Is it all IPs associated with each interface?

If I have an IoT network and I have a firewall rule set to block any to "This firewall" does that have downsides I need to workaround?
Title: Re: what exactly is "This Firewall" as a destination?
Post by: hbc on May 30, 2020, 11:11:28 PM
"This firewall" is all addresses assigned to your firewall. You can check them in firewall/diagnostics/pfTables. There should be two autogenerated aliases: one for IPv4 and one for IPv6.

As long as your IoT network does not need any services running on your firewall (DNS, NTP, proxy), there should not be any problems when blocking.
But it is best to work with whitelisting instead of blacklisting. Just allow what you need; everything else gets blocked by the default rule.
Title: Re: what exactly is "This Firewall" as a destination?
Post by: Steve28 on May 31, 2020, 02:55:03 AM
Quote from: hbc on May 30, 2020, 11:11:28 PM
You can check them in firewall/diagnostics/pfTables. There should be two autogenerated aliases: one for IPv4 and one for IPv6.

Hmm... It's not there on my system.
Title: Re: what exactly is "This Firewall" as a destination?
Post by: AdSchellevis on May 31, 2020, 11:31:55 AM
It shouldn't be either. "This firewall" translates to "self" for pf; as explained in "man pf.conf", it resolves to

Quote
...or the self keyword, in which
case all addresses assigned to the interface(s) will be added to the
table.

I don't think we have a topic yet about these special nets in our docs.
Title: Re: what exactly is "This Firewall" as a destination?
Post by: Steve28 on May 31, 2020, 03:40:02 PM
So if I am configuring the firewall rules for LAN, for example, in those rules "This Firewall" would be all of the addresses assigned to the LAN interface?
Title: Re: what exactly is "This Firewall" as a destination?
Post by: AdSchellevis on May 31, 2020, 04:00:16 PM
As well as other addresses assigned to this machine's other interfaces (WAN address for example).
Title: Re: what exactly is "This Firewall" as a destination?
Post by: Steve28 on May 31, 2020, 04:58:39 PM
I understand, thank you.

Maybe you can offer a suggestion then. I am trying to properly firewall an IoT network. I would like the devices to have unrestricted access to the internet, but not be able to access the LAN, or the OPNsense GUI, ssh on the router, etc.

I have two networks: LAN and IoT. For the IoT network I have these rules:

- Pass from any UDP to IoT address port 53 (for DNS)
- Block from any to LAN net
- Block from any to This Firewall
- Pass from IoT net to any (internet access)

Which seems to do what I want, but the only issue is there seems to be a bunch of ICMP packets aimed at the IoT address. I'm assuming some of my devices are pinging for connectivity or similar. Should I just ignore that or let just the ICMP stuff in?
Title: Re: what exactly is "This Firewall" as a destination?
Post by: AdSchellevis on May 31, 2020, 06:33:10 PM
To be honest, quite often I just drop icmp in these situations too, although icmp packets are also used to send network status updates (such as the ones for PMTUD).
If everything works as expected, I probably wouldn't be too worried; if you experience transfer issues (with larger packets), you might want to consider allowing at least some ICMP traffic.
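The IoT ruleset from the question, written as an added example in native pf.conf syntax (this is not from the thread or from OPNsense's generated rules). The interface name and LAN subnet are placeholders; "This Firewall" is expressed with the `self` keyword quoted from pf.conf(5) above, and the ICMP lines show the narrow PMTUD exception mentioned in the last reply instead of dropping ICMP outright.

```pf
# Placeholders, not values from the thread: adjust to your own interfaces.
iot_if  = "igb2"
lan_net = "192.168.1.0/24"

# "This Firewall" in the GUI is pf's "self": every address on every
# interface of this box (LAN, WAN, IoT, ...), not only the IoT address.
# A table built from "self" is populated when the ruleset is loaded.
table <this_firewall> const { self }

# "quick" makes these first-match, like the GUI rule order.

# 1. DNS from the IoT net to the IoT interface address only
#    (the resolver on the firewall; must come before the blocks)
pass in quick on $iot_if proto udp from $iot_if:network to ($iot_if) port 53 keep state

# 2. The ICMP messages Path MTU Discovery relies on, and nothing else
pass in quick on $iot_if inet  proto icmp  from $iot_if:network to <this_firewall> icmp-type unreach code needfrag
pass in quick on $iot_if inet6 proto icmp6 from $iot_if:network to <this_firewall> icmp6-type toobig

# 3. Block the LAN and every firewall address (GUI, ssh, ...)
block in quick on $iot_if from any to $lan_net
block in quick on $iot_if from any to <this_firewall>

# 4. Whatever is left is internet traffic: allow it
pass in quick on $iot_if from $iot_if:network to any keep state
```

Check the result with `pfctl -nf` before loading it, and remember that rule 2 only exempts the two PMTUD message types, so echo requests from the devices still hit rule 3 and are dropped.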