OPNsense Forum

English Forums => General Discussion => Topic started by: joebb on May 03, 2025, 03:06:05 PM

Title: Firewall Rules Behavior Between Interfaces Question
Post by: joebb on May 03, 2025, 03:06:05 PM
Hi there,

I did my best to find an answer to this question, so apologies if it's been asked before. I also read the guide on Rules on the docs page.

Let's say I have two interfaces, A and B, on distinct non-overlapping subnets, each with their own Interface rules (no rule groups or anything like that).

And let's say all of A's interface rules start with Source = A net. And let's say B's interface rules also say Source = A net.

If I send traffic from A to B, and none of A's rules match, yet one of B's rules matches, does B's matching rule get run at all? What about if B's rule says Source = *?

Thanks in advance!
Title: Re: Firewall Rules Behavior Between Interfaces Question
Post by: Patrick M. Hausen on May 03, 2025, 03:32:16 PM
Quote from: joebb on May 03, 2025, 03:06:05 PM
If I send traffic from A to B, and none of A's rules match, yet one of B's rules matches, does B's matching rule get run at all? What about if B's rule says Source = *?

Rules assigned to an interface direction "in" are only applied to packets arriving on that interface regardless of the addresses used in the rules.

So a rule on interface B will never be applied to a packet arriving at interface A.
Title: Re: Firewall Rules Behavior Between Interfaces Question
Post by: joebb on May 03, 2025, 06:21:34 PM
Hi Patrick,

Thanks for the answer.

Ok, I think I understand.

So for interface rules, when using Source Address = * it is basically the same as Source Address = Interface net? I'm curious if a client can fake its source address and bypass the Source Address = * rule. They obviously wouldn't be able to see replies, but some DDoS attacks are based on setting a source IP address to a different machine's IP so that it gets spammed.
Title: Re: Firewall Rules Behavior Between Interfaces Question
Post by: EricPerl on May 03, 2025, 09:26:02 PM
Quote from: joebb on May 03, 2025, 06:21:34 PM
So for interface rules, when using Source Address = * it is basically the same as Source Address = Interface net?
Not quite, because there could be a router downstream. * is any, Interface_net is the interface's subnet.

Quote from: joebb on May 03, 2025, 06:21:34 PM
I'm curious if a client can fake its source address and bypass the Source Address = * rule. They obviously wouldn't be able to see replies, but some DDoS attacks are based on setting a source IP address to a different machine's IP so that it gets spammed.
I'm not sure what you have in mind. * is any, hard to bypass.
Title: Re: Firewall Rules Behavior Between Interfaces Question
Post by: Patrick M. Hausen on May 03, 2025, 10:59:31 PM
If you use source = any in an interface "in" rule, any client can use any source address it wants, even one not on the interface in question.

If you use source = IF net that's not possible.
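To make the two points in this thread concrete, here is a small added model of interface "in" rule evaluation written for this reply; it is example code, not OPNsense's or pf's own logic. It assumes two constructed subnets for A and B, first-match semantics, and a default deny when nothing matches. It shows that a rule on B never sees a packet arriving on A, and that Source = any on A accepts a spoofed source from B's subnet while Source = A net rejects it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values: two interfaces on distinct, non-overlapping subnets.
IFACE_NETS = {
    "A": ipaddress.ip_network("192.168.10.0/24"),
    "B": ipaddress.ip_network("192.168.20.0/24"),
}

@dataclass
class Rule:
    iface: str          # interface the rule is assigned to, direction "in"
    source: str         # "any" or "<iface> net", e.g. "A net"
    action: str = "pass"

def source_matches(rule: Rule, src: str) -> bool:
    """'any' matches every source; '<iface> net' only that interface's subnet."""
    if rule.source == "any":
        return True
    name = rule.source.split()[0]
    return ipaddress.ip_address(src) in IFACE_NETS[name]

def evaluate(rules, in_iface: str, src: str) -> str:
    """Decide the fate of a packet arriving on in_iface with source src.

    Only rules assigned to the arrival interface are consulted; a rule on any
    other interface never sees the packet, whatever addresses it names.
    First match wins (assumed quick rules); no match falls to the default deny.
    """
    for rule in rules:
        if rule.iface != in_iface:
            continue
        if source_matches(rule, src):
            return rule.action
    return "block"

# Thread scenario: A's rule restricted to A net, B's rule uses Source = any.
RULES_IFNET = [Rule("A", "A net"), Rule("B", "any")]
# Same, but A's rule loosened to Source = any.
RULES_ANY = [Rule("A", "any"), Rule("B", "any")]

if __name__ == "__main__":
    print(evaluate(RULES_IFNET, "A", "192.168.10.5"))   # genuine A host: pass
    # Source spoofed from B's subnet, arriving on A: B's "any" rule is ignored.
    print(evaluate(RULES_IFNET, "A", "192.168.20.5"))   # block
    print(evaluate(RULES_ANY, "A", "192.168.20.5"))     # pass (spoof accepted)
```

Note the "A net" rule also blocks a legitimate host behind a downstream router on A (e.g. 10.5.0.7), which is EricPerl's point about * and Interface net not being the same.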
Title: Re: Firewall Rules Behavior Between Interfaces Question
Post by: joebb on May 04, 2025, 03:56:33 AM
Got it, that all makes sense. Thanks for the answers!