OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: jonny5 on February 04, 2025, 04:56:07 PM

Title: Default Firewall Rules and tuning Port Forwarding (cannot disable sshlockout)
Post by: jonny5 on February 04, 2025, 04:56:07 PM
Hello all,

The default/auto PF (Firewall) rules for the OPNSense are good, but once you really start customizing your router you might want to modify one or more of those rules. I'm not sure I would want to disable all of them, and more, I want to clone them into these 'auto rules' according to use (WAN/LAN) and modify them.

Specifically the sshlockout/HTTPS-redirect port forwarding appears to never go away after I've unchecked and saved in the WebGUI. To make sure I don't get locked out, I've written my own NAT Port Forward rules for 80 (into DMZ), 443 (to router IP for LAN) and 443 (to DMZ from WAN IPs), configured with a "not from source blocklist" in them.

Still the "rdr rule" will fire for port 443 (and 80). It would appear that this built-in rule is handling Port Forwards for IPs that would be on my blocklist, which would make sense; I cannot edit or see the 'rdr rule' redirect rule outside maybe the 'sshlockout' rule, which stays around in spite of being disabled.

It would seem to disable these you should check-mark the options on the System -> Settings -> Administration -> "HTTP Redirect", and the Firewall -> Settings -> Advanced -> "Disable anti-lockout", but this does not disable the built-in 'rdr rule' Port Forward and 'sshlockout' Pass rules.

Can anyone else verify this effect? Unexpected 'rdr rule' logs in your "Firewall: Log Files: Live View"?

NOTE: If you do not make the correct Pass rules and Forwarding rules, you could lock yourself out of your device!!
Example:
The first screen shot is a Rule in Floating, and LAN is a Group with all internal Interfaces, this should allow me to access the router.
The second screen shot is evidence that the 'rdr rule' is firing as I believe it should not be.

Thank you for your time reading this, please feel free to correct/ask me detail about my setup/intent!!
Title: Re: Default Firewall Rules and tuning Port Forwarding (cannot disable sshlockout)
Post by: EricPerl on February 04, 2025, 08:38:59 PM
The anti-lockout rule is visible in Firewall > Port forward
It disappears if you disable the rule via settings (and save) AT YOUR OWN RISK.
If you want/need to use port forward for the standard ports, then move the WebGUI to alternate ports (System > Settings > Administration).
The anti-lockout rule will follow these settings. The interface is not your choice (lan or opt1, or wan if no other interfaces exist).

The sshlockout rule is a BLOCK rule following bad attempts from a specific IP.
The offending IP is added to the corresponding alias for a while.
Nobody is going to gain access with that rule...
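The two mechanisms discussed in this reply are different pf constructs, and the following fragment is an added illustration in plain pf.conf syntax, not OPNsense's generated ruleset and not part of the thread. The interface name "lan", the ports 22/443 and the 127.0.0.1 target are assumptions; the point is that the anti-lockout entry is an rdr (port-forward) rule while sshlockout is a block rule keyed on a dynamically filled table.

```pf
# Added illustration, not the ruleset OPNsense writes to /tmp/rules.debug.
# Interface "lan", ports 22/443 and the 127.0.0.1 target are assumptions.

# sshlockout: a table that is populated with offending source IPs after
# repeated failed logins; entries expire again later. This rule only
# blocks listed sources, it never grants access to anything.
table <sshlockout> persist
block in log quick from <sshlockout> to any label "sshlockout"

# Anti-lockout: an rdr (port forward) rule that sends traffic for the
# configured GUI/SSH ports on the LAN interface to the firewall itself,
# plus the pass rule that lets the translated traffic through. The ports
# follow System > Settings > Administration; the rule is only removed by
# "Disable anti-lockout", not by anything related to the sshlockout alias.
rdr on lan proto tcp from any to (lan) port { 22, 443 } -> 127.0.0.1
pass in quick on lan proto tcp from any to 127.0.0.1 port { 22, 443 }

# Caveat for reading the live log: on FreeBSD pf, translation (rdr) is
# applied before the filter rules are evaluated, so a logged rdr hit does
# not mean the packet was passed. A source listed in <sshlockout> is still
# dropped by the block rule above before it ever reaches the pass rule.
```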


Title: Re: Default Firewall Rules and tuning Port Forwarding (cannot disable sshlockout)
Post by: jonny5 on February 06, 2025, 07:45:48 AM
My sshlockout never disappears, further, the option if unchecked "allows" you in from LAN, but before you check mark the option you will want to have added user level rules (manual rules) to allow yourself access to the SSH/WebGUI ports you have set.

To point, I am using a different SSH port, and I wonder if that is causing a conflict now.

The sshlockout happens for both the OpenSSH and the WebGUI ports - so, hence my focus there.
Title: Re: Default Firewall Rules and tuning Port Forwarding (cannot disable sshlockout)
Post by: jonny5 on February 06, 2025, 08:05:16 AM
Found the issue, starting at this line, it will always add the rule?

https://github.com/opnsense/core/blob/93ee6e0236769435a1f628fcef17ecbbca395f0d/src/etc/inc/filter.lib.inc#L279C1-L279C5
Title: Re: Default Firewall Rules and tuning Port Forwarding (cannot disable sshlockout)
Post by: EricPerl on February 06, 2025, 08:09:22 AM
Again, I'm afraid you're mixing the sshlockout BLOCK firewall rule (which can't be disabled) and the anti-lockout port forward rule (which can be disabled via a setting).