OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: bitTwiddler on June 03, 2021, 02:13:30 AM

Title: Unable to block traffic from DMZ to LAN
Post by: bitTwiddler on June 03, 2021, 02:13:30 AM
I have rules on my DMZ interface as well as my LAN interface blocking traffic from DMZ to LAN but I can still browse to web resources on the LAN network from a web browser on a workstation in the DMZ.  I know I am missing the obvious but I am not currently seeing it.

Attached are my DMZ and LAN rules.

The message in the Live Log for the DMZ -> LAN traffic is: "let out anything from firewall host itself", which is tied to an autogenerated floating rule which I cannot disable.

Title: Re: Unable to block traffic from DMZ to LAN
Post by: thogru on June 03, 2021, 08:50:10 AM
Hi bitTwiddler,

I do not see any mistake in your rules.

When installing my OPNsense I did the following steps:

After that, devices in the DMZ are not allowed to do anything: DNS, internet access, access to the LAN. I have to define rules that allow the devices in my DMZ what I want. Block by default.

So why did you change this general behavior of your setup?

Kind Regards
Thomas
Title: Re: Unable to block traffic from DMZ to LAN
Post by: Greelan on June 03, 2021, 12:21:28 PM
The third rule on the DMZ interface is an odd one - I'd delete that. And the first rule on the LAN interface won't do anything, so can be deleted too.
Title: Re: Unable to block traffic from DMZ to LAN
Post by: bitTwiddler on June 03, 2021, 06:17:17 PM
Thank you for the great feedback!  Much appreciated.

Greelan, that rule was not in my original ruleset but more of a hail mary pass to try to contain the DMZ, which didn't work. I will remove that rule. I also removed the 1st LAN rule. Good catch!

Thogru, I pretty much followed the same path you outline with a few exceptions. I followed your steps 1-3 as part of moving off Smallwall to OPNsense last year. That worked very well. I just moved DMZ over from Smallwall and brought over the three simple rules. The only difference was that I set up a NAT port-forward for PiHole DNS. So, I didn't change any of the default behavior. If you are aware of why the floating rule "let out anything from firewall host itself" is firing I'd give my right arm to know.

FYI - I am running OPNsense v21.1.4-amd64
Title: Re: Unable to block traffic from DMZ to LAN
Post by: bitTwiddler on June 03, 2021, 09:21:22 PM
I found one typo - a CIDR block suffix of /1 rather than /32 which was allowing everything on LAN.

I am doing regression testing now.
Title: Re: Unable to block traffic from DMZ to LAN
Post by: bitTwiddler on June 03, 2021, 11:05:27 PM
After cleaning up the typo my DMZ rules look like this. Since everything not explicitly passed should be blocked, I should be able to replace the last three rules with "allow to WAN". However, that does not work for me for some reason.

Title: Re: Unable to block traffic from DMZ to LAN
Post by: Greelan on June 03, 2021, 11:27:57 PM
"WAN net" doesn't mean "everything on the internet". It just means the network configured on the WAN interface.
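Two points in this thread are easy to get wrong when writing rules by hand: the /1 typo from bitTwiddler's earlier post (a short prefix silently widens a host rule to half the IPv4 space, which is why it "allowed everything on LAN") and Greelan's note that "WAN net" is only the subnet on the WAN interface, not the internet. The script below is an added example, not code from the thread or from OPNsense; it uses Python's standard `ipaddress` module to show what a CIDR spec actually matches once host bits are masked, to flag suspiciously broad prefixes in a rule list, and to contrast "WAN net" with "any address outside RFC 1918". The interface subnets and the host addresses are constructed values for illustration, not the poster's real networks.

```python
import ipaddress

# Constructed example subnets (documentation/private ranges), not the poster's real ones.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/29")  # what "WAN net" expands to: the WAN interface subnet only

# RFC 1918 private ranges; "not any of these" is the usual way to say "to the internet".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalised_rule_network(cidr: str) -> ipaddress.IPv4Network:
    """Return the network a CIDR spec really matches once host bits are masked off.
    A packet filter evaluates 192.168.1.10/1 as 128.0.0.0/1, not as one host."""
    return ipaddress.ip_network(cidr, strict=False)


def audit_prefix(cidr: str, max_addresses: int = 65536) -> dict:
    """Describe a source/destination spec and flag it when it matches far more
    addresses than a host or subnet rule plausibly intends."""
    net = normalised_rule_network(cidr)
    return {
        "written": cidr,
        "matches": str(net),
        "num_addresses": net.num_addresses,
        "suspicious": net.num_addresses > max_addresses,
    }


def matches_rule(cidr: str, addr: str) -> bool:
    """Would a rule written with this CIDR spec match traffic to/from addr?"""
    return ipaddress.ip_address(addr) in normalised_rule_network(cidr)


def wan_net_contains(addr: str) -> bool:
    """'WAN net' semantics: only addresses inside the WAN interface's own subnet."""
    return ipaddress.ip_address(addr) in WAN_NET


def is_internet_destination(addr: str) -> bool:
    """'Everything on the internet' expressed as any address outside RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def audit_rules(rules: list) -> list:
    """Run the prefix audit over a list of (description, cidr) pairs and
    return only the entries that look too broad."""
    return [dict(desc=d, **audit_prefix(c)) for d, c in rules if audit_prefix(c)["suspicious"]]


if __name__ == "__main__":
    # Constructed rule list: the typo'd /32 next to its corrected form.
    rules = [
        ("allow DMZ -> PiHole DNS (typo)", "192.168.1.10/1"),
        ("allow DMZ -> PiHole DNS (fixed)", "192.168.1.10/32"),
        ("allow DMZ -> WAN net", str(WAN_NET)),
    ]
    for hit in audit_rules(rules):
        print(f"{hit['desc']}: written {hit['written']} but matches {hit['matches']} "
              f"({hit['num_addresses']} addresses)")
    print("typo rule matches another LAN host:", matches_rule("192.168.1.10/1", "192.168.1.50"))
    print("'WAN net' contains 8.8.8.8:", wan_net_contains("8.8.8.8"))
    print("8.8.8.8 is an internet destination:", is_internet_destination("8.8.8.8"))
```

The audit threshold of 65536 addresses is a constructed heuristic (anything wider than a /16 gets flagged); in practice the useful output is the "written X but matches Y" line, which makes a /1 or /8 slip visible before the rule is loaded. The last two checks illustrate why "allow to WAN net" cannot replace per-destination rules: 8.8.8.8 is not in the WAN subnet, so a "WAN net" destination never matches it, whereas "any address outside RFC 1918" does.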
Title: Re: Unable to block traffic from DMZ to LAN
Post by: bitTwiddler on June 04, 2021, 12:12:57 AM
Understood.  I guess I was thinking that OPNsense knew WAN is the outbound interface to the Internet based upon the fact that it has the default gateway.

I am not a big fan of default allow rules but I don't see a workaround in this case.