OPNsense Forum

English Forums => General Discussion => Topic started by: Paul Eschenbach on October 24, 2018, 03:45:53 am

Title: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: Paul Eschenbach on October 24, 2018, 03:45:53 am
Hi all,

I'm a little new to firewalls so please bear with me if my questions seem basic and simple. BTW I LOVE this OPNsense firewall!

So basically I want to stop all incoming traffic from the Internet from reaching a PC on my internal network. There is a vendor who keeps trying to remote into this PC to disable my software.

I made two rules: one to block incoming traffic, and one to block outgoing traffic from the PC to the Internet (simply to test the rule). Neither seems to work. The PC can still surf the net and ping outside IP addresses. I have attached a screenshot of the rules I made for review; obviously the internal PC is 172.19.0.11. The interface these rules are on is the "WAN" interface.

ANY help would be greatly appreciated.

What am I doing wrong?
Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: bigops on October 24, 2018, 04:01:46 am
You are applying the rules to the wrong interface. This needs to be applied to the LAN interface to prevent outgoing traffic.
Also, your contention that someone from the Internet can remote into the PC is wrong, as by default the firewall blocks all incoming traffic.
Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: Ciprian on October 24, 2018, 12:11:02 pm
Hi!

Since you're new to firewalls, allow me to explain further:

As @bigops said, the idea is that the Hollander PC is not reachable from the internet to LAN; quite the contrary, most likely there is an app or a service on the Hollander PC that calls home to Hollander servers, hence OPNsense permits the traffic based on the default rule "Default allow LAN to any rule" (the same rule that permits internet traffic for everything in your LAN), then establishes a connection/session for that communication from the app/service on the Hollander PC to the Hollander headquarters servers, and everything that comes back as a reply from the Hollander HQ servers to the Hollander PC is bound to that already established session, so the communication is successful both ways. It is important to acknowledge the fact that the software-disabling action is not initiated by the vendor; it is only the response (reply) action your vendor set for the software to take at the moment when the client app/service successfully initiates contact to their servers!!! (!) This is important!!! :)

This happens because OPNsense is a stateful firewall, so a reply on an already established session (on the firewall, the session's state is established & ON) is always permitted without the need to have mirroring rules on WAN for every rule you have on LAN.

It might be helpful for you too (it is for me) to imagine a router like a road junction:

- roads getting into and leaving from the junction are the NICs (Network Interface Cards) and cables/ antennas
- the junction itself is the router box
- the traffic signs and rules are the ACLs and firewall rules
- the authority establishing traffic signs and rules for that junction and the policeman occasionally present in the middle of the junction, directing traffic, is you, yourself! ;)
- the most important part, however, is to find the proper way of placing rules and signs: this particular sign (FW rule), because it enforces this particular effect, must be placed before the junction (for in traffic) or after the junction (for out traffic) and on this particular road.

All the best in the routing world, as well as in the real world! :)
Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: Paul Eschenbach on October 24, 2018, 07:00:52 pm
Yes, that all makes perfect sense, and I figured it was an app on the server connecting with HQ causing these problems, and this is why I simply want to stop all traffic going in or out to this PC. It no longer needs updates or has any reason whatsoever to communicate with the Internet.

So are my rules correct but simply applied on the wrong interface? Do I simply need to recreate them on the LAN interface?

Again sorry I'm just learning this firewall....

Thank you,
Paul.
Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: Paul Eschenbach on October 25, 2018, 02:48:35 am
This is very frustrating: none of these rules are working. I tried on the WAN, on the LAN, and even "floating", but nothing is working. I'm setting the rule from the machine's IP to the firewall's WAN IP and applying it on the LAN interface with traffic in BOTH (any / first match) directions.

The machine can still surf the net and ping ip addresses.

Really wish this product's documentation was better. What am I doing wrong? I really need to get this thing blocked.

Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: Ciprian on October 25, 2018, 02:10:23 pm
:))))))

Don't block from the PC's IP to the FW's IP; you'll simply lock your access from that PC to OPNsense:

Is Facebook's IP (or Google, or opnsense.org or any other destination in entire internet for that matter) = WAN IP?
NO
Then, traffic is allowed.

This matter (confusion) is not a matter of documentation, I'd say... Rather a matter of interpretation: the fact that the traffic must pass through the firewall to reach the internet DOESN'T mean that if you block the intermediate destination the traffic will be blocked and won't reach the final destination. :)
Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: Ciprian on October 25, 2018, 02:22:59 pm
So are my rules correct but simply applied on the wrong interface? Do I simply need to recreate them on the LAN interface?

It's wiser to apply the block at the first point, closest to the conditional element: why would the FW evaluate rules twice for the same datagram, in this case once for LAN, which allows it (the "Default allow LAN to any rule" rule, which is evaluated when your datagram reaches LAN), and again for WAN, which blocks it if you so created a rule? ;)

Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: bigops on October 26, 2018, 05:01:42 am
This is very frustrating: none of these rules are working. I tried on the WAN, on the LAN, and even "floating", but nothing is working. I'm setting the rule from the machine's IP to the firewall's WAN IP and applying it on the LAN interface with traffic in BOTH (any / first match) directions.

The machine can still surf the net and ping ip addresses.

Really wish this product's documentation was better. What am I doing wrong? I really need to get this thing blocked.

Without knowing what the rule is that you have applied to the interface, it is difficult to guess what is happening. There are a couple of ways to achieve this. If you use the attached rule it will block all traffic from that IP, so ensure that you are not accessing the firewall from the IP which is being blocked. As the firewall evaluates the rules sequentially, you can insert rules before this rule to allow traffic to networks that you need to allow.

Title: Re: Firewall rule to block all incoming internet traffic to IP inside LAN
Post by: Paul Eschenbach on November 06, 2018, 01:17:29 am
Hey guys. Sorry for the delay but I can only stay late every other week when I don't have my kids to work on this stuff.

Anyway, I tried applying this rule again and only succeeded in blocking the laptop that I was working on instead of the IP address I was trying to block. Not sure how the heck that happened, as my laptop is getting a DHCP address and is completely different from the static IP address I blocked in the rule... yet the "blocked" PC can still access the web and ping outside.

The rule is simple, and was placed as a "floating" rule:

PROTO   SOURCE            PORT   DESTINATION   PORT   GATEWAY
IPv4    172.19.0.11/24    *      *             *      *

This rule blocks my laptop (172.19.0.104/24) but does NOT block 172.10.0.11/24.

Now how does that happen?
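The three things this thread turns on (Ciprian's point that replies ride an existing state, so a WAN block never sees them; his point that blocking the firewall's WAN IP as destination does not block internet destinations; and the last post's rule written as 172.19.0.11/24) can all be reproduced with a small model of how a pf-based firewall such as OPNsense evaluates packets: state lookup first, then the rules attached to the ingress interface in order, first match wins, implicit deny at the end. The following is an added example written for this page; it is not OPNsense or pf code, it ignores ports, the egress-side rule pass and "quick" semantics, and the WAN address 203.0.113.5 and vendor address 198.51.100.10 are constructed values standing in for the ones the thread does not show.

```python
"""Toy model of per-interface, first-match, stateful rule evaluation.

Added example, not OPNsense/pf code. Simplifications: rules are evaluated
only on the interface a packet arrives on, ports are ignored, and the
state table is keyed on (src, dst) only. Addresses are assumptions:
LAN is 172.19.0.0/24 as in the thread, WAN IP 203.0.113.5 and the vendor
server 198.51.100.10 are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

WAN_IP = "203.0.113.5"        # constructed firewall WAN address
VENDOR = "198.51.100.10"      # constructed "call home" destination


def _in(addr, cidr):
    """True if addr falls inside cidr ("any" matches everything).

    strict=False is the behaviour a firewall has with "172.19.0.11/24":
    the host bits are masked away and the rule covers 172.19.0.0/24.
    """
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    iface: str     # interface the rule is attached to ("LAN" / "WAN")
    action: str    # "pass" or "block"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"

    def matches(self, iface, src, dst):
        return iface == self.iface and _in(src, self.src) and _in(dst, self.dst)


@dataclass
class Firewall:
    rules: list                            # evaluated top to bottom
    states: set = field(default_factory=set)

    def inbound(self, iface, src, dst):
        """Evaluate a packet arriving on iface.

        Returns "state" if an existing state (in either direction) matched,
        otherwise the action of the first matching rule, otherwise "block".
        """
        if (src, dst) in self.states or (dst, src) in self.states:
            return "state"                 # state lookup precedes rules
        for r in self.rules:
            if r.matches(iface, src, dst):
                if r.action == "pass":
                    self.states.add((src, dst))   # pass rules create state
                return r.action
        return "block"                     # implicit default deny


def default_ruleset():
    # OPNsense's "Default allow LAN to any rule", source = LAN net
    return [Rule("LAN", "pass", "172.19.0.0/24", "any")]


def scenario_wan_block_does_nothing():
    """First post: block rule on WAN toward the PC. The outbound packet is
    allowed on LAN and creates a state; the vendor's reply on WAN matches
    that state and the WAN block rule is never consulted."""
    fw = Firewall([Rule("WAN", "block", "any", "172.19.0.11")] + default_ruleset())
    out = fw.inbound("LAN", "172.19.0.11", VENDOR)
    reply = fw.inbound("WAN", VENDOR, "172.19.0.11")
    return out, reply


def scenario_block_to_wan_ip():
    """Blocking PC -> firewall WAN IP on LAN: an internet destination is
    not the WAN IP, so the default allow still matches."""
    fw = Firewall([Rule("LAN", "block", "172.19.0.11", WAN_IP)] + default_ruleset())
    return fw.inbound("LAN", "172.19.0.11", VENDOR)


def scenario_host_slash24():
    """Rule written as 172.19.0.11/24 masks to 172.19.0.0/24 and therefore
    catches the laptop at .104 as well as the PC at .11."""
    fw = Firewall([Rule("LAN", "block", "172.19.0.11/24", "any")] + default_ruleset())
    return (fw.inbound("LAN", "172.19.0.104", VENDOR),
            fw.inbound("LAN", "172.19.0.11", VENDOR))


def scenario_existing_state_survives():
    """A block rule added while the PC already has a session does not cut
    it: the state is found before any rule runs. Clearing the state (on a
    real box: pfctl -k 172.19.0.11) makes the rule take effect."""
    fw = Firewall(default_ruleset())
    fw.inbound("LAN", "172.19.0.11", VENDOR)            # session already up
    fw.rules.insert(0, Rule("LAN", "block", "172.19.0.11/32", "any"))
    still_open = fw.inbound("LAN", "172.19.0.11", VENDOR)
    fw.states.clear()
    after_reset = fw.inbound("LAN", "172.19.0.11", VENDOR)
    return still_open, after_reset


def scenario_correct_rule():
    """What bigops suggested: a /32 block on LAN above the default allow.
    Only the PC is blocked; the laptop at .104 keeps working."""
    fw = Firewall([Rule("LAN", "block", "172.19.0.11/32", "any")] + default_ruleset())
    return (fw.inbound("LAN", "172.19.0.11", VENDOR),
            fw.inbound("LAN", "172.19.0.104", VENDOR))
```

The two practical checks this leaves a reader with: write a single-host source as /32 (OPNsense's "Single host or Network" field with the mask at 32), and after adding a block rule, reset the state entries for that host, since a rule change on its own does not tear down connections that were already established.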