OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: nerd on March 25, 2024, 04:54:47 PM

Title: Automatically generated rules - allow any to any?
Post by: nerd on March 25, 2024, 04:54:47 PM
For every VLAN, including WAN, my FW has automatically created the following rule (hidden under the "Automatically generated rules" pulldown menu).


Protocol  Source  Port  Destination  Port  Gateway  #  Schedule  Description
IPv4+6 *  *       *     *            *     *        *  *         let out anything from firewall host itself


I would understand if the source would be VLAN_address, but not an allow any to any.
Since it is autogenerated, I can not simply delete or adapt this rule either.

Hopefully I am misinterpreting this rule? If not, where does it come from and how do I get rid of it?
Title: Re: Automatically generated rules - allow any to any?
Post by: jp0469 on March 25, 2024, 05:34:02 PM
What exactly is concerning you about those rules? I believe it's required for NAT functionality. Also, did you happen to notice the rule direction?
Title: Re: Automatically generated rules - allow any to any?
Post by: nerd on March 25, 2024, 05:56:07 PM
Quote from: jp0469 on March 25, 2024, 05:34:02 PM
What exactly is concerning you about those rules? I believe it's required for NAT functionality. Also, did you happen to notice the rule direction?

No, I did not notice the direction.
Direction is OUT, whereas 'normal' rules are IN. Much appreciated that you pointed this out.

So basically my FW rules block/allow INcoming traffic and once allowed the FW needs a rule to let this traffic back OUTgoing to the destination VLAN?

Or do I still misunderstand this rule?
Title: Re: Automatically generated rules - allow any to any?
Post by: Patrick M. Hausen on March 25, 2024, 06:16:10 PM
Quote from: nerd on March 25, 2024, 05:56:07 PM
So basically my FW rules block/allow INcoming traffic and once allowed the FW ...
automatically sets up a state table entry that allows this same flow out wherever it is routed.

Quote from: nerd on March 25, 2024, 05:56:07 PM
... needs a rule to let this traffic back OUTgoing to the destination VLAN?
Nope. The "allow all out" rule is for traffic that did never come in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.

Hence the description: "let out anything from firewall host itself"
Title: Re: Automatically generated rules - allow any to any?
Post by: nerd on March 25, 2024, 07:10:57 PM
Quote from: Patrick M. Hausen on March 25, 2024, 06:16:10 PM
Nope. The "allow all out" rule is for traffic that did never come in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.
Hence the description: "let out anything from firewall host itself"

Mmm, then why do I see client<>server DNS traffic hitting this rule/label?

For example my client requesting DNS resolving from the server (not the FW).
In FIREWALL: LOG FILES: LIVE VIEW this shows up twice even though the FW should just pass the traffic:

client_vlan   OUT 2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   let out anything from firewall host itself   
server_vlan  IN   2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   My DNS rule


Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.

Title: Re: Automatically generated rules - allow any to any?
Post by: nerd on March 28, 2024, 10:39:17 AM
Quote from: nerd on March 25, 2024, 07:10:57 PM
Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.


Anyone understand this and willing to explain?  Pretty please?
Title: Re: Automatically generated rules - allow any to any?
Post by: Seimus on March 28, 2024, 12:47:34 PM
Quote from: nerd on March 25, 2024, 07:10:57 PM
Quote from: Patrick M. Hausen on March 25, 2024, 06:16:10 PM
Nope. The "allow all out" rule is for traffic that did never come in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.
Hence the description: "let out anything from firewall host itself"

Mmm, then why do I see client<>server DNS traffic hitting this rule/label?

For example my client requesting DNS resolving from the server (not the FW).
In FIREWALL: LOG FILES: LIVE VIEW this shows up twice even though the FW should just pass the traffic:

client_vlan   OUT 2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   let out anything from firewall host itself   
server_vlan  IN   2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   My DNS rule


Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.

What you see here is correct.

You are hitting the In rule for your DNS and then you hit the default allow all out rule, as by default OPNsense permits all traffic EGRESS. Explicit deny is only by default on Ingress.

let out anything from firewall host itself
- Rule to pass Egress all traffic

let out anything from firewall host itself (force gw)
- Rule to pass Egress all traffic originating from FW WAN interface

Check Rules > Floating; you have them at the bottom.

Regards,
S.
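To make the two log entries in this thread concrete, here is an added Python model of the evaluation order described above (rule lookup per interface and direction, a state table, default deny on ingress and default pass on egress). It is example code written for this discussion, not OPNsense or pf code; the interface names, addresses and rule labels are constructed, and binding states to the interface they were created on is an assumption made so that a transit flow is evaluated once on each interface it crosses.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LET_OUT = "let out anything from firewall host itself"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

    def reverse(self) -> "Packet":
        """The reply half of this flow: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    iface: str                    # interface the rule is bound to
    direction: str                # "in" or "out", relative to that interface
    action: str                   # "pass" or "block"
    label: str                    # what shows up in the live log
    dst: Optional[str] = None     # None means "any"
    dport: Optional[int] = None   # None means "any"

    def matches(self, iface: str, direction: str, pkt: Packet) -> bool:
        return (self.iface == iface and self.direction == direction
                and self.dst in (None, pkt.dst)
                and self.dport in (None, pkt.dport))


LogEntry = Tuple[str, str, str, str]   # (iface, direction, action, label)


class StatefulFirewall:
    """Toy model: interface-bound state table (assumption), first-match rules,
    default deny on ingress and default pass on egress."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Set[Tuple[str, Packet]] = set()
        self.log: List[LogEntry] = []

    def _filter(self, iface: str, direction: str, pkt: Packet) -> str:
        # 1. An existing state on this interface passes the packet silently,
        #    so only the first packet of a flow ever reaches the rule set.
        if (iface, pkt) in self.states:
            return "pass"
        # 2. First matching rule on this interface/direction decides and is logged.
        for rule in self.rules:
            if rule.matches(iface, direction, pkt):
                action, label = rule.action, rule.label
                break
        else:
            # 3. No rule matched: the implicit policy depends on the direction.
            action = "block" if direction == "in" else "pass"
            label = "default policy (no matching rule)"
        self.log.append((iface, direction, action, label))
        if action == "pass":
            # keep state for both halves of the flow on this interface
            self.states.add((iface, pkt))
            self.states.add((iface, pkt.reverse()))
        return action

    def forward(self, in_iface: str, out_iface: str, pkt: Packet) -> str:
        """Transit traffic: filtered IN on the ingress interface, then OUT on the egress one."""
        if self._filter(in_iface, "in", pkt) != "pass":
            return "block"
        return self._filter(out_iface, "out", pkt)

    def originate(self, out_iface: str, pkt: Packet) -> str:
        """Traffic generated by the firewall host itself only ever sees OUT rules."""
        return self._filter(out_iface, "out", pkt)


def build_firewall() -> StatefulFirewall:
    # constructed rule set: one user DNS rule plus the auto-generated
    # "let out anything" rule on every interface, as described in the thread
    ifaces = ["wan", "client_vlan", "server_vlan"]
    rules = [Rule("client_vlan", "in", "pass", "My DNS rule", dst="10.0.20.53", dport=53)]
    rules += [Rule(i, "out", "pass", LET_OUT) for i in ifaces]
    return StatefulFirewall(rules)


def dns_query_example() -> Tuple[List[LogEntry], List[LogEntry]]:
    """Client -> server DNS query and its reply; returns (log for query, log for reply)."""
    fw = build_firewall()
    query = Packet("10.0.10.25", 64696, "10.0.20.53", 53)    # constructed addresses
    fw.forward("client_vlan", "server_vlan", query)
    query_log = list(fw.log)
    fw.forward("server_vlan", "client_vlan", query.reverse())
    return query_log, fw.log[len(query_log):]


def blocked_example() -> Tuple[str, List[LogEntry]]:
    """A flow with no matching IN rule never gets as far as the OUT rule."""
    fw = build_firewall()
    ssh = Packet("10.0.10.25", 51000, "10.0.20.53", 22, proto="tcp")
    return fw.forward("client_vlan", "server_vlan", ssh), fw.log


def firewall_originated_example() -> Tuple[str, List[LogEntry]]:
    """NTP request from the firewall itself: the case the auto rule exists for."""
    fw = build_firewall()
    ntp = Packet("203.0.113.2", 40000, "198.51.100.1", 123)
    return fw.originate("wan", ntp), fw.log


if __name__ == "__main__":
    for name, fn in [("dns", dns_query_example), ("blocked", blocked_example),
                     ("self", firewall_originated_example)]:
        print(name, fn())
```

Running the three functions shows the pattern from the thread: the first packet of the client's DNS query is logged twice (once by "My DNS rule" IN, once by "let out anything from firewall host itself" OUT), the reply rides the state and is not logged at all, a flow with no matching IN rule is stopped by the default deny before any OUT rule is consulted, and traffic the firewall generates itself only ever touches the OUT rule. The model does not try to reproduce which interface name OPNsense prints in the Interface column of the live view.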