I know this is probably a basic concept but I am a noob - so apologies and I hope someone can help me.
I understand that rules are applied in sequence from top to bottom and I wanted to check I am on the right track.
I want to block access to port 2375 apart from my 2 docker hosts on the LAN interface.
Is this close? Thanks in advance.
rule1: allow port 2375 for alias containing my two docker hosts
rule2: reject port 2375 for LAN net
rule3: default allow LAN net
Put the docker hosts in a separate VLAN, otherwise you are engaged in security theatre. If there's something/someone you don't trust on your LAN, then you can't trust them not to spoof their source IP to bypass your policy.
Better still, put the untrustworthy devices (IoT?) on their own VLAN/SSID and restrict them aggressively.
Thanks. It's only for my homelab setup and I like it simple. Manageable risk on my family LAN. Important data backed up off-site. Don't have any IoT that concerns me either.
Am I on the right track with the rules I outlined above?
Nope, sorry. The top two rules will never be invoked since traffic on the LAN will not go via the firewall. The firewall is a layer-3 router, so it will only control traffic from one subnet to another.
I see. Thanks for clarifying. That makes sense now I think about it and explains why I can't see anything in the live log when I expected to.
So is what I am trying to do not possible in OPNsense unless I go down the VLAN route?
It is not possible with any firewall. Devices in the same network communicate directly with each other going through the switch without involving a router in between. A firewall is (in most cases) a router.
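The following is an added example, not from the thread and not OPNsense code, that models the two points made above: rules are evaluated first-match from top to bottom, but a layer-3 firewall only ever evaluates them for traffic that crosses a subnet boundary. The addresses (192.168.1.0/24 for the LAN, 192.168.2.0/24 for a hypothetical docker VLAN, .10 and .11 for the two docker hosts) are constructed assumptions; the rules are the three from the original question.

```python
"""Added example (constructed, not from the thread): first-match rule evaluation
plus the layer-3 check that decides whether a packet reaches the firewall at all."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Alias = FrozenSet[ipaddress.IPv4Address]


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "reject"
    src: Union[IPNet, Alias]    # a source network, or an alias (set of host addresses)
    port: Optional[int]         # destination port; None matches any port

    def matches(self, src_ip: ipaddress.IPv4Address, dport: int) -> bool:
        if self.port is not None and dport != self.port:
            return False
        # `in` works for both a frozenset of addresses and an ip_network
        return src_ip in self.src


def evaluate(rules: List[Rule], src_ip: ipaddress.IPv4Address, dport: int) -> str:
    """Top-to-bottom, first matching rule wins; no match means the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return f"{rule.name}:{rule.action}"
    return "implicit:reject"


def reaches_firewall(src_ip, dst_ip, subnets: List[IPNet]) -> bool:
    """A layer-3 firewall only sees traffic that must be routed between subnets."""
    for net in subnets:
        if src_ip in net and dst_ip in net:
            return False    # same subnet: switched directly, the router never sees it
    return True


def decide(rules: List[Rule], subnets: List[IPNet], src: str, dst: str, dport: int) -> str:
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not reaches_firewall(src_ip, dst_ip, subnets):
        return "switched:rules-not-consulted"
    return evaluate(rules, src_ip, dport)


DOCKER_PORT = 2375
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN addressing


def flat_lan():
    """The original setup: docker hosts on the same LAN as every other device."""
    alias = frozenset({ipaddress.ip_address("192.168.1.10"),
                       ipaddress.ip_address("192.168.1.11")})
    rules = [Rule("rule1", "allow", alias, DOCKER_PORT),
             Rule("rule2", "reject", LAN, DOCKER_PORT),
             Rule("rule3", "allow", LAN, None)]
    return rules, [LAN]


def docker_vlan():
    """The suggested fix: docker hosts on their own VLAN (addresses assumed)."""
    vlan = ipaddress.ip_network("192.168.2.0/24")
    alias = frozenset({ipaddress.ip_address("192.168.2.10"),
                       ipaddress.ip_address("192.168.2.11")})
    rules = [Rule("rule1", "allow", alias, DOCKER_PORT),
             Rule("rule2", "reject", LAN, DOCKER_PORT),
             Rule("rule3", "allow", LAN, None)]
    return rules, [LAN, vlan]


if __name__ == "__main__":
    rules, nets = flat_lan()
    # LAN client -> docker host on the same subnet: the rules are never evaluated
    print(decide(rules, nets, "192.168.1.50", "192.168.1.10", DOCKER_PORT))
    rules, nets = docker_vlan()
    # LAN client -> docker host across the VLAN boundary: rule2 now fires
    print(decide(rules, nets, "192.168.1.50", "192.168.2.10", DOCKER_PORT))
    print(decide(rules, nets, "192.168.1.50", "192.168.2.10", 443))
```

In the flat-LAN scenario every path to port 2375 is switched, so none of the three rules is ever consulted and nothing appears in the live log; only once the docker hosts sit behind a routed boundary does rule2 reject the LAN-wide access while rule3 still allows other ports.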
Right. Thanks for the clarification. Will delete my useless FW rules now. haha
I have now switched my docker hosts to use TLS authentication so I have some protection/security in place now.
I use NPM/LE/Portainer for https connections to docker. https://gist.github.com/bartsmit/9d7323ad2ff3d7a7afa98421e1e501f2