Hi
I'm having a hard time trying to figure out the "let out anything from firewall host itself" default rule and WAN outbound rules.
Whenever the default rule is in place everything works fine, but my goal was to block anything leaving the firewall and manually allow just the ports and services that can communicate out.
I commented out the default "let out anything" rule in the filter.lib.inc file and it worked as expected: no access to the outside world. But then, when I added a floating quick WAN allow-anything-out rule, exactly the same as the default, I still couldn't access anything. It doesn't matter if I put the rule in WAN or in the floating section; even though the rule is exactly the same as the filter.lib.inc auto rule, it doesn't work if I add it manually. I had to uncomment the filter.lib.inc rule in order to get back online.
I also tried putting in a quick WAN block-anything-out rule, since the auto rule is normal, not quick. It did block access to the outside world, but then again, even if I put WAN floating allow-out rules at the top of the list, before the block one, I can't get internet access.
For the record, I'm just learning/playing around with OPNsense, so it's nothing critical, and I know that OUT rules are rarely used. I just wanted to play a little bit with it to understand it better, but I can't figure out what I am doing wrong. I spent most of the day googling and still haven't found an explanation of why it works this way.
OUT rules aren't used because they don't work like everyone seems to assume that they do.
What exactly are you attempting to do? Lock down the firewall itself or the devices connected to it?
If you provide more information about your overall goal and setup then we can help you best achieve it.
I tried to lock down the firewall itself and allow only selected traffic (like updates), while allowing connected devices on different VLANs, which have IN rules in place allowing them to connect to the internet, to still connect to the internet.
I assumed that it's better and more secure to have tailored OUT rules instead of letting anything OUT?
acieslar, you have described that you want to allow only certain devices to connect to the internet, and that you have IN rules in place on those VLANs. Good. What cannot get in one end won't get out the other end, so with IN restrictions any further OUT rule is superfluous, even if it operated as you expected.
Your comment about "lock firewall itself and allow only selected traffic (like updates)" implies that you think updates are initiated from the internet? Not so. Without NAT or a specific address rule, the firewall blocks everything on the internet by default. Updates are initiated by device enquiry, which we discussed in the first paragraph.
Without specific reason and knowledge, leave the "outside" of the firewall alone. It knows what it's doing.
Quote from: acieslar on October 20, 2023, 05:49:25 PM
I tried to lock down the firewall itself and allow only selected traffic (like updates), while allowing connected devices on different VLANs, which have IN rules in place allowing them to connect to the internet, to still connect to the internet.
I assumed that it's better and more secure to have tailored OUT rules instead of letting anything OUT?
What updates are you referring to? The ones that OPNSense does or something like Windows Updates?
I'm still unsure as to your use case.