Recent discussions about the automatic rules, as well as the odd session setup and logging behavior of OPNsense prompted me to take a closer look at the automatic "let anything out from the firewall itself" rule, and outbound rules in general.
Statekeeping behavior in pf is a bit unusual, in that (apparently, from testing - let me know if my logic is flawed):
- For outbound flows originating from the firewall itself, an appropriate (matching, statekeeping) outbound pass rule is required. This is the first purpose of the automatic "let anything out from the firewall itself" rule. A matching inbound pass rule is not required for bidirectional communication.
- For inbound flows (with an appropriate pass rule) terminating on the firewall, no matching outbound pass rule is required for bidirectional communication.
- For inbound flows (with an appropriate pass rule) traversing the firewall, an appropriate outbound pass rule is required to set up (effectively) a second session to allow traversal and bidirectional communication. This is the second purpose of the automatic "let anything out from the firewall itself" rule.
This complicates the task of restricting outbound communication from the firewall a bit. (Not attempting to evaluate usefulness/desirability.)
(Of course, many combinations of stateful and stateless rules can be used to effect bidirectional communication in ways not described above, but it would be tough to come up with a good reason to do so.)
Sample application of outbound rules: Given the very general nature of the automatic "let anything out from the firewall itself" rule, specifically that it does not specify an overlying protocol (IPv4/v6)(something not configurable in the OPNsense UI), I prefer to enable logging on it and configure interface-based "quick" pass rules to override it, that inverse match on interface address (I consider the inversion operator harmful, but since it is not going anywhere...) with logging disabled. These rules show up in the "Firewall: Diagnostics: Sessions"/"States" displays (with custom descriptions/labels), but do not show up in "Firewall: Log Files: Live View", optimizing the available display space. The "let anything out from the firewall itself" rule only appears in the live view on flows originating from the firewall itself (including NAT) or (potentially) unusual situations. I want to see the latter in particular, as they may indicate a problem with my topology and/or ruleset. (Chances are that most non-IP packets will never hit pf, but logging it can't hurt.)
That lack of overlying protocol is interesting, considering that the default drop rules have one:
"Default deny / state violation rule":
block drop in log inet all label "ecd3a310894625657c6591b80daa956a"
block drop in log inet6 all label "ecd3a310894625657c6591b80daa956a"
vs.
"let anything out from the firewall itself":
pass out log all flags S/SA keep state allow-opts label "1232f88e5fac29a32501e3f051020cac"
Could be a quirk of pf, but I haven't checked.
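As an added illustration of the override scheme from the "Sample application" paragraph and of the inet/inet6 comparison at the end (this is example pf.conf text written for this page, not the original post's ruleset and not OPNsense-generated output; the interface names igb0 and igb1 are assumed, as is the usual pf ordering in which the automatic rule precedes user rules and NAT translation is applied before the filter rules see the packet):

```pf
# Added example, not part of the original post or of OPNsense's generated ruleset.
# Assumptions: igb1 is the LAN interface, igb0 is the WAN interface, and these
# rules are loaded after the automatic, non-quick, logged "let anything out" rule.
# pf is last-match-wins, and a matching "quick" rule ends evaluation, so either
# way a later matching rule takes precedence over the automatic one.
#
# The automatic rule quoted above. In pf.conf syntax "all" is shorthand for
# "from any to any"; with no "inet"/"inet6" given, the rule applies to both
# address families, which is why it looks different from the two deny rules.
pass out log all flags S/SA keep state allow-opts label "1232f88e5fac29a32501e3f051020cac"

# Transit traffic leaving LAN: source is anything except the interface's own
# address. Matched without "log", one rule per address family, each with its
# own label so it is identifiable in the States view.
pass out quick on igb1 inet  from !(igb1) to any flags S/SA keep state label "igb1 out transit v4"
pass out quick on igb1 inet6 from !(igb1) to any flags S/SA keep state label "igb1 out transit v6"

# Same for WAN. Flows that were NATed to the WAN address carry the interface
# address as source by the time filter rules run (assumption: translation
# precedes filtering), so they do not match here and fall through to the
# logged automatic rule, matching the "including NAT" behaviour described above.
pass out quick on igb0 inet  from !(igb0) to any flags S/SA keep state label "igb0 out transit v4"
pass out quick on igb0 inet6 from !(igb0) to any flags S/SA keep state label "igb0 out transit v6"

# Everything else leaving the box (the firewall's own traffic, anything the
# labelled rules did not anticipate) is caught by the logged automatic rule and
# therefore shows up in the live log.
```

To check the result on the box, `pfctl -vvsr` lists the loaded rules with their rule numbers and labels in evaluation order, `pfctl -vsl` shows per-label packet and byte counters (so you can confirm transit traffic is hitting the quiet rules rather than the logged one), and `pfctl -ss` shows the states with the rule they were created by. If a flow you expected to be quiet still appears in the live view under the automatic rule, the usual cause is that its source address is the interface address after translation, or that the rule was placed before the automatic rule rather than after it.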