OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: bewue on January 31, 2019, 12:29:19 pm

Title: Interface groups / IP spoofing
Post by: bewue on January 31, 2019, 12:29:19 pm
Currently I have created firewall rules on several interface-tabs.
The firewall rules of some interface-tabs are basically the same.
I would like to summarize these interfaces in a group interface:

Code:
IPv4 ICMP   LAN1 Net    *     Other Net
IPv4 TCP    LAN1 Net    443   Other Net
...

"LAN1 Net" is the directly connected network on the interface-tab in the example.
"Other Net" is the same on all interface-tabs I want to group.

These rules effectively prevent spoofing the source IP.

In order not to maintain all rules on every interface I want to create them on a group interface only once.
A rule on the group interface would look like this:

Code:
IPv4 TCP    Group-Interface   443    Other Net

But now spoofing would be possible.
Packets with any source IP from "Group-Interface" networks could be sent from
any interface from "Group-Interface" to "Other Net".

It seems that anti-spoof rules are automatically created (on top in the rules list):

Code:
block drop in log on! xn4 inet from 10.10.0.0/24 to any

Would the "quick" keyword in this rule be enough to solve my problem?
Is there a fundamentally different solution for my problem?

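As an added illustration (not OPNsense's own code or ruleset generator): a small Python model of pf's "last match wins unless quick" evaluation applied to the rules in the post. It assumes two group members named xn4 (10.10.0.0/24, from the post) and xn5 (10.10.1.0/24, constructed), and it shows why the per-interface rules block a spoofed source while the group rule only does so if the anti-spoof block rule is evaluated with "quick".

```python
import ipaddress

# Constructed model of pf evaluation: rules are checked in order, the LAST
# matching rule decides, unless a matching rule carries "quick", which stops
# evaluation immediately. This is a teaching model, not OPNsense's generator.
GROUPS = {"Group-Interface": {"xn4", "xn5"}}          # assumed group members
NETS = {"xn4": ipaddress.ip_network("10.10.0.0/24"),  # from the post
        "xn5": ipaddress.ip_network("10.10.1.0/24")}  # constructed second LAN

def rule(action, iface, src, quick=False, negate=False):
    """One inbound rule: <action> [quick] in on [!]<iface> from <src>."""
    return {"action": action, "iface": iface, "src": src,
            "quick": quick, "negate": negate}

def iface_matches(r, in_iface):
    members = GROUPS.get(r["iface"], {r["iface"]})  # group -> its members
    hit = in_iface in members
    return not hit if r["negate"] else hit           # "on ! xn4" semantics

def src_matches(r, src_ip):
    return r["src"] == "any" or ipaddress.ip_address(src_ip) in r["src"]

def evaluate(rules, in_iface, src_ip):
    verdict = "block"                                # implicit default deny
    for r in rules:
        if iface_matches(r, in_iface) and src_matches(r, src_ip):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def per_interface_ruleset():
    # The post's original layout: "LAN1 Net" allowed only on its own tab.
    return [rule("pass", ifn, net) for ifn, net in NETS.items()]

def antispoof(quick):
    # The auto-generated rule from the post, one per member interface:
    # block drop in on ! xn4 inet from 10.10.0.0/24 to any
    return [rule("block", ifn, net, quick=quick, negate=True)
            for ifn, net in NETS.items()]

def group_ruleset(quick):
    # Anti-spoof blocks first, then the single group rule, whose source
    # "Group-Interface net" covers every member network on every member.
    return antispoof(quick) + [rule("pass", "Group-Interface", net)
                               for net in NETS.values()]

# Spoof attempt: a packet arriving on xn5 claiming a source inside xn4's net.
SPOOF = ("xn5", "10.10.0.5")
```

Running `evaluate(group_ruleset(quick=False), *SPOOF)` returns "pass" while `evaluate(group_ruleset(quick=True), *SPOOF)` returns "block", so the question in the post comes down to whether the loaded anti-spoof rule is a quick rule; `pfctl -sr` on the box shows the rules exactly as pf evaluates them.
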
Title: Re: Interface groups / IP spoofing
Post by: bewue on February 08, 2019, 09:11:18 am
No ideas?