OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: BISI Sysadmin on September 14, 2021, 01:17:13 AM

Title: [solved] combine aliases for access control on forwarded port?
Post by: BISI Sysadmin on September 14, 2021, 01:17:13 AM
I have a (well, one of many) OPNsense community edition with a particular new need.
version info
Quote:
OPNsense 21.7.2_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

We have port 443 forwarded and access controlled using GeoIP.  It greatly reduced the log noise, and the slow-moving brute force attacks that every so often triggered the mail server's auto-lockout defences.  We do need to allow this access to a wide range of local IP addresses ( various ISPs, plus people do travel, and want to check their work mail while away).  This has been an acceptable compromise 'til now.

The client has now signed up for a CRM service that requires 3 addresses from the Amazon cloud to also have access to port 443.  The vendor has not been particularly impressive in their grasp of technical detail, and proposing access via a custom port (limited only to them) was met with consternation and clear lack of knowledge if it was even possible.

Is there a way to set up an alias that allows both the GeoIP and the CRM addresses?

I have been unable to figure this out from the documentation, and from just playing with my Dev firewall.

Some other method would be acceptable.  The mail server is Zimbra OSE, and implementing 2FA is in the works, but until then I'm hoping for an extra layer from the firewall.

Thanks in advance!
d.
Title: Re: combine aliases for access control on forwarded port?
Post by: Fright on September 14, 2021, 08:30:48 AM
Quote from: BISI Sysadmin on September 14, 2021, 01:17:13 AM
Is there a way to set up an alias that allows both the GeoIP and the CRM addresses?
"Network group" alias type?
Title: Re: combine aliases for access control on forwarded port?
Post by: sorano on September 14, 2021, 08:41:11 AM
Or just create two firewall rules, one for each separate alias.
Title: Re: combine aliases for access control on forwarded port?
Post by: BISI Sysadmin on April 24, 2022, 08:52:48 PM
Quote from: sorano on September 14, 2021, 08:41:11 AM
Or just create two firewall rules, one for each separate alias.

This is essentially what I did.  The vendor eventually gave us a list of 130 possible IP addresses (all apparently owned by Amazon).  I made an accept rule for these IP addresses for the necessary ports and placed those first.

Then I placed the blocked "invert-source" GeoIP rule (block if not from the chosen GeoIP areas). Then the rest of the firewall rules.

So, thanks!
d.
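The rule order the thread settled on (CRM accept first, then the inverted-source GeoIP block, then the rest) only works because OPNsense evaluates quick rules top-down with first match winning. The following is an added example, not from the thread or from OPNsense itself: a small first-match evaluator with constructed CRM and GeoIP aliases (the real GeoIP alias is country-based; here it is stood in by CIDR ranges, and "the rest of the rules" is represented by one pass rule), showing that swapping the first two rules locks the CRM addresses out.

```python
import ipaddress

# Constructed sample aliases (documentation ranges, not real CRM or GeoIP data):
# the vendor's allow-list and a CIDR stand-in for the GeoIP alias.
CRM_ALIAS = ["203.0.113.10/32", "203.0.113.11/32", "198.51.100.0/29"]
GEOIP_ALIAS = ["192.0.2.0/24", "198.51.100.128/25"]

def in_alias(ip, alias):
    """True if ip falls inside any network listed in the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in alias)

# A rule is (action, source alias, invert_source, dst_port); port None = any.
def first_match(rules, src_ip, dst_port):
    """Evaluate rules top-down, first match wins; no match = implicit block."""
    for action, alias, invert, port in rules:
        if port is not None and port != dst_port:
            continue
        matched = in_alias(src_ip, alias)
        if invert:                # "invert source" in the OPNsense rule
            matched = not matched
        if matched:
            return action
    return "block"

# Order from the thread: CRM accept first, then "block if not from GeoIP areas".
GOOD_ORDER = [
    ("pass", CRM_ALIAS, False, 443),
    ("block", GEOIP_ALIAS, True, 443),
    ("pass", GEOIP_ALIAS, False, 443),
]
# Swapped order: the inverted GeoIP block now swallows the CRM addresses.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]

def check(rules):
    """Decision for a CRM source, an in-GeoIP source and an unrelated source."""
    return {
        "crm": first_match(rules, "203.0.113.10", 443),
        "geo": first_match(rules, "192.0.2.50", 443),
        "other": first_match(rules, "203.0.113.200", 443),
    }

if __name__ == "__main__":
    print("good order:", check(GOOD_ORDER))
    print("bad order: ", check(BAD_ORDER))
```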