OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: bewue on January 31, 2019, 12:29:19 pm
-
Currently I have created firewall rules on several interface-tabs.
The firewall rules of some interface-tabs are basically the same.
I would like to combine these interfaces in a group interface:
IPv4 ICMP LAN1 Net * Other Net
IPv4 TCP LAN1 Net 443 Other Net
...
"LAN1 Net" is the directly connected network on the interface tab in the example.
"Other Net" is the same on all interface tabs I want to group.
These rules effectively prevent spoofing the source IP.
In order not to maintain all rules on every interface, I want to create them only once on a group interface.
A rule on the group interface would look like this:
IPv4 TCP Group-Interface 443 Other Net
But now spoofing would be possible.
Packets with any source IP from the "Group-Interface" networks could be sent from
any interface in "Group-Interface" to "Other Net".
It seems that anti-spoof rules are automatically created (at the top of the rules list):
block drop in log on ! xn4 inet from 10.10.0.0/24 to any
Would the "quick" keyword in this rule be enough to solve my problem?
Is there a fundamentally different solution for my problem?
-
No ideas?
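The question above hinges on pf's rule evaluation order: when several rules match a packet, the last matching rule decides, unless a matching rule carries "quick", which ends evaluation on the spot. The following script is an added example (not code from the original post or from OPNsense) that replays that order over a constructed ruleset: the auto-generated per-interface anti-spoof block rule from the post (xn4 with 10.10.0.0/24), a second member interface xn5 with 10.20.0.0/24 that is assumed for illustration, a default-deny rule, and one pass rule on a group interface named LANGROUP. Only the "on" interface and the source address are modelled, since those are the parts that decide whether a spoofed packet slips through.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: two member interfaces of one interface group.
# xn4/10.10.0.0/24 is from the post; xn5/10.20.0.0/24 is assumed for the example.
GROUP = "LANGROUP"
MEMBERS = {"xn4": "10.10.0.0/24", "xn5": "10.20.0.0/24"}


@dataclass
class Rule:
    action: str      # "pass" or "block"
    iface: str       # "any", an interface name, the group name, or "!ifname" for "on ! ifname"
    src: list        # source networks (CIDR strings) the rule matches
    quick: bool = False
    label: str = ""


@dataclass
class Packet:
    iface: str       # interface the packet arrives on
    src: str         # source address


def on_matches(iface_spec, pkt_iface):
    """Interface match, including the negated form 'on ! xn4' and group membership."""
    if iface_spec == "any":
        return True
    if iface_spec.startswith("!"):
        return pkt_iface != iface_spec[1:]
    if iface_spec == GROUP:
        return pkt_iface in MEMBERS
    return pkt_iface == iface_spec


def src_matches(nets, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def matches(rule, pkt):
    return on_matches(rule.iface, pkt.iface) and src_matches(rule.src, pkt.src)


def evaluate(rules, pkt):
    """Mimic pf: walk every rule in order; the last matching rule wins,
    unless a matching rule is 'quick', which stops evaluation immediately.
    Returns (verdict, labels of the rules that matched)."""
    verdict = "pass"          # pf passes a packet that matches no rule at all
    hits = []
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            hits.append(r.label)
            if r.quick:
                break
    return verdict, hits


def build_ruleset(antispoof_quick):
    """Default deny, one anti-spoof block per member interface, then a single
    pass rule on the group interface. antispoof_quick toggles 'quick' on the
    generated anti-spoof rules, which is exactly the knob the post asks about."""
    rules = [Rule("block", "any", ["0.0.0.0/0"], label="default deny")]
    for ifname, net in MEMBERS.items():
        # block drop in on ! <ifname> inet from <net> to any
        rules.append(Rule("block", "!" + ifname, [net],
                          quick=antispoof_quick, label=f"antispoof {ifname}"))
    # pass in quick on LANGROUP from <all member networks> to "Other Net"
    rules.append(Rule("pass", GROUP, list(MEMBERS.values()),
                      quick=True, label="group pass"))
    return rules


if __name__ == "__main__":
    spoofed = Packet("xn5", "10.10.0.7")   # claims xn4's network but arrives on xn5
    legit = Packet("xn4", "10.10.0.7")
    for quick in (False, True):
        print(f"antispoof quick={quick}:",
              "spoofed ->", evaluate(build_ruleset(quick), spoofed),
              "| legit ->", evaluate(build_ruleset(quick), legit))
```

Without "quick", the anti-spoof block matches the spoofed packet but the later group pass rule matches too and, being last, wins; with "quick" on the anti-spoof rule, evaluation stops at the block and the spoofed packet is dropped, while a packet that genuinely arrives on xn4 from 10.10.0.0/24 never matches "on ! xn4" and reaches the group pass rule as before.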