OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: wgloes on December 23, 2020, 10:32:05 PM

Title: Standard rule "let out anything from firewall host itself"
Post by: wgloes on December 23, 2020, 10:32:05 PM
I'm new with OPNsense but not with firewalls in general.
My scenario is:
- OPNSense FW without NAT as the second FW behind an external FW
- There are some networks connected to the OPNsense FW to be separated
- "Green" interface goes to the external FW
- "Internal" interface, like the name says, is internal

Contrary to other FWs, it seems that the IP packets are routed over different rules inbound and outbound (see attachment). Is this by design, is there a misconfiguration, or is it just how the log is displayed?

Wolf
Title: Re: Standard rule "let out anything from firewall host itself"
Post by: allebone on December 23, 2020, 11:59:40 PM
The inbound packet hits the green interface first and rule processing occurs there. The outbound packet hits the internal interface first and is processed there. This is why you see that. It is important it works this way so you can create appropriate rules. For example, perhaps only a single machine on the LAN should be allowed to send packets out on port 25. Because of how NAT works, a NAT pinning attack could try to coax another machine on your internal LAN into replying out on port 25. An appropriate rule only allowing a single machine to have access to do this would effectively block that.
Title: Re: Standard rule "let out anything from firewall host itself"
Post by: wgloes on December 24, 2020, 11:23:51 AM
If I understand you correctly, I have to write two rules (one for incoming and one for outgoing packets) to have full control over the packet flow through the firewall? In the case of using the standard rule, I can only control the incoming packets by a dedicated rule, because the standard rule is an outgoing rule.
Title: Re: Standard rule "let out anything from firewall host itself"
Post by: chemlud on December 24, 2020, 11:32:01 AM
No, search for "stateful firewall". A rule is only needed for the first packet in each direction; the reply is allowed by a state. Golden rule: NO rules on WAN needed...
Title: Re: Standard rule "let out anything from firewall host itself"
Post by: wgloes on December 24, 2020, 12:19:54 PM
I think there is a slight misunderstanding or misinterpretation on my side. I'm more bothered by the global standard rule, which allows all outgoing traffic not only from the firewall itself but also from all networks and interfaces. And this is the last rule at "Floating". If there is no other block or pass rule with dedicated hosts/ports/networks etc. before this last rule, all outgoing network traffic is allowed, if I'm correct.
Title: Re: Standard rule "let out anything from firewall host itself"
Post by: allebone on December 24, 2020, 02:51:06 PM
Best practice is to only allow outbound ports as needed. The default allow-all-out exists only because this is traditionally how firewalls worked, and most people expect their outbound traffic to be allowed.
Title: Re: Standard rule "let out anything from firewall host itself"
Post by: chemlud on December 24, 2020, 03:24:10 PM
Quote from: wgloes on December 24, 2020, 12:19:54 PM
And this is the last rule at "Floating".

Have a look at "Source" for this floating "let out anything from fw itself".
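To make the thread's three points concrete (a forwarded packet is filtered on its ingress interface, the state created there covers the outbound leg and the reply so no green-side rule is needed, and a floating "let out anything from firewall host itself" rule only matches the firewall's own addresses), here is an added, simplified Python model. It is not OPNsense or pf code. The interface names "green" and "internal" come from the original post, the rule label from the thread title; the rendering of that rule with source "(self)", the firewall addresses, the LAN hosts and ports, the first-match evaluation order (floating rules before interface rules) and the shared state table are all assumptions made for the example.

```python
"""Simplified model of stateful, per-interface filtering (constructed example,
not OPNsense or pf code): routed packets are filtered "in" on ingress and
"out" on egress, states cover later legs and replies, and a floating
"pass out from (self)" rule matches only the firewall's own addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed addresses of the firewall itself on "green" and "internal".
SELF_ADDRS = {"192.0.2.1", "10.0.0.1"}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface the packet is crossing
    direction: str   # "in" = arriving on iface, "out" = leaving on iface

    def reply(self, iface: str, direction: str) -> "Packet":
        """Reverse-direction packet of the same flow on a given interface."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport, iface, direction)

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: Optional[str]        # None = floating rule (any interface)
    src: str = "any"            # "any", "(self)", or a host/CIDR string
    dport: Optional[int] = None
    label: str = ""

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction or (self.iface and self.iface != p.iface):
            return False
        src_ok = self.src == "any" or (p.src in SELF_ADDRS if self.src == "(self)"
                 else ip_address(p.src) in ip_network(self.src, strict=False))
        return src_ok and (self.dport is None or self.dport == p.dport)

class StatefulFilter:
    """First match wins, floating rules before interface rules, default deny,
    and one state table shared by all interfaces (floating states)."""

    def __init__(self, rules: List[Rule]):
        self.rules = [r for r in rules if r.iface is None] + [r for r in rules if r.iface]
        self.states: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, str, int]:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Filter one packet on one interface; returns (action, reason)."""
        fwd, rev = self._key(p), self._key(p.reply(p.iface, p.direction))
        if fwd in self.states or rev in self.states:
            return "pass", "state"          # reply or later leg: no rule consulted
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(fwd)    # "keep state" on the first packet
                return r.action, r.label
        return "block", "default deny"

    def forward(self, p: Packet, egress: str) -> Tuple[str, str]:
        """A routed packet is filtered 'in' on ingress, then 'out' on egress."""
        action, reason = self.evaluate(p)
        if action != "pass":
            return action, reason
        return self.evaluate(Packet(p.proto, p.src, p.sport, p.dst, p.dport, egress, "out"))

RULES = [
    # Assumed rendering of the default floating rule named in the thread title.
    Rule("pass", "out", None, src="(self)", label="let out anything from firewall host itself"),
    # Internal interface: only the mail host may open SMTP; other LAN traffic may go out.
    Rule("pass", "in", "internal", src="10.0.0.5", dport=25, label="mail host SMTP"),
    Rule("block", "in", "internal", src="10.0.0.0/24", dport=25, label="no other SMTP from LAN"),
    Rule("pass", "in", "internal", src="10.0.0.0/24", label="LAN out"),
    # Deliberately no rules bound to "green".
]

def demo() -> dict:
    """Run constructed packets through the rule set and collect the verdicts."""
    fw = StatefulFilter(RULES)
    r = {}
    smtp = Packet("tcp", "10.0.0.5", 40000, "198.51.100.10", 25, "internal", "in")
    r["mail_host_smtp"] = fw.forward(smtp, "green")            # out leg on green passed by state
    r["smtp_reply"] = fw.evaluate(smtp.reply("green", "in"))   # reply needs no green rule
    r["other_host_smtp"] = fw.forward(
        Packet("tcp", "10.0.0.50", 40001, "198.51.100.10", 25, "internal", "in"), "green")
    r["fw_ntp"] = fw.evaluate(Packet("udp", "192.0.2.1", 123, "198.51.100.20", 123, "green", "out"))
    # A LAN-sourced packet with no state is not matched by the "(self)" rule.
    r["lan_out_no_state"] = fw.evaluate(
        Packet("tcp", "10.0.0.50", 40002, "198.51.100.10", 443, "green", "out"))
    return r
```

Calling `demo()` shows the mail host's SMTP connection passed on "internal" and then by state on "green", its reply passed by state with no green rule at all, the other LAN host's SMTP attempt blocked on "internal", the firewall's own NTP query let out by the floating rule, and a LAN-sourced packet with no state falling through to default deny because "(self)" does not cover it.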