OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: lar.hed on August 01, 2020, 11:19:07 am

Title: Firewall rule processing - groups comes after interfaces?
Post by: lar.hed on August 01, 2020, 11:19:07 am
So it seems that for some reason I get my firewall group interface rules evaluated AFTER interfaces, although the documentation clearly says the opposite: https://docs.opnsense.org/manual/firewall.html#processing-order
(https://docs.opnsense.org/_images/blockdiag-ec0d5aaf9b949b5a5e296533bff3fe5714d8763f.png)

Background: I have two interface groups: ALL_WAN (my FTTH WAN connection and my Netgear M1 LTE (MR1100) modem connected over an Ethernet cable), and then ALL_LAN (which is my main PC on its own port, server, printer with scanner and finally media system with a WiFi access point). So suddenly I decided to add a filter to my group ALL_LAN; for some reason I have decided to add 80/443/22 ("counter", as I call this PASS filter) to the group interface, and expected the anti-lockout rule (autogenerated) on LAN (which covers 80/443/22) not to get any traffic. Wrong assumption for me anyway: I get traffic on that anti-lockout rule. Why is that? If the group interface rule works, it should never get to the interface rule, as I interpret the documentation and the picture above. What am I missing?

Title: Re: Firewall rule processing - groups comes after interfaces?
Post by: lar.hed on August 01, 2020, 12:57:09 pm
Maybe the correct question is: are auto-generated rules classed as System Defined?

Title: Re: Firewall rule processing - groups comes after interfaces?
Post by: lar.hed on August 03, 2020, 10:21:42 pm
Nope, this is not correct either. There is something and I cannot put my finger on it for the moment: I get traffic to pass even though I think I have a drop-it-all rule at the end.... Oh man, someday I might learn whatever I am missing...

Title: Re: Firewall rule processing - groups comes after interfaces?
Post by: banym on August 06, 2020, 08:46:04 am
The first rule that matches processes the traffic. Rules defined and processed after that rule do nothing to your traffic.

The diagram you showed should be up to date, but the first matching rule will be processed. If it is a pass rule, traffic will pass; if it is a drop rule, it will be dropped.

Please correct me if I am wrong.

The diagram explains in what order the different types of rules are processed. It is important that, for example, the lockout rules are processed before the user-defined rules are processed, and the floating rules need to be processed before interface groups and interfaces...

If you define an allow-all rule on floating rules, this will override everything you define on interface groups or interfaces. (Bad idea.)
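To make the first-match point concrete, here is an added Python model (not OPNsense code and not from anyone in the thread) that evaluates a constructed rule set in the order the manual and this reply describe: automatically generated rules such as anti-lockout first, then floating, group and interface rules, with the first matching rule winning. Group and interface names follow the thread; the port sets, labels and group membership are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Processing tiers as the manual and this reply give them (assumption for
# this model): auto-generated, then floating, then groups, then interfaces.
TIERS = ("auto", "floating", "group", "interface")

# Constructed group membership, named after the groups in the thread.
GROUPS = {"ALL_LAN": {"LAN", "SERVER", "PRINTER", "MEDIA"},
          "ALL_WAN": {"WAN", "LTE"}}


@dataclass(frozen=True)
class Rule:
    tier: str                        # one of TIERS
    scope: str                       # interface or group name, "*" for floating
    action: str                      # "pass" or "block"
    ports: Optional[FrozenSet[int]]  # destination ports, None = any port
    label: str


def applies(rule: Rule, iface: str) -> bool:
    """Does the rule's scope cover traffic arriving on `iface`?"""
    if rule.tier == "floating":
        return True
    if rule.tier == "group":
        return iface in GROUPS.get(rule.scope, set())
    return rule.scope == iface


def first_match(rules: List[Rule], iface: str, dport: int) -> Rule:
    """First-match evaluation: walk the tiers in order, keep the on-page
    order inside each tier (sorted() is stable) and return the first rule
    whose scope and port match. Rules below it never see the packet."""
    for rule in sorted(rules, key=lambda r: TIERS.index(r.tier)):
        if applies(rule, iface) and (rule.ports is None or dport in rule.ports):
            return rule
    return Rule("auto", "*", "block", None, "implicit default deny")


# Constructed rule set mirroring the thread. The real anti-lockout rule only
# covers traffic to the firewall itself; this model matches on port alone.
RULES = [
    Rule("auto", "LAN", "pass", frozenset({80, 443, 22}), "anti-lockout on LAN"),
    Rule("group", "ALL_LAN", "pass", frozenset({80, 443, 22}), "Counter web+ssh"),
    Rule("group", "ALL_LAN", "block", None, "ALL_LAN drop all"),
    Rule("interface", "LAN", "pass", frozenset({8080}), "LAN pass 8080"),
]
```

With this rule set, port 443 on LAN lands on the anti-lockout rule while the same port on SERVER lands on the group Counter rule, and the group drop-all shadows the interface rule for port 8080.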

Title: Re: Firewall rule processing - groups comes after interfaces?
Post by: lar.hed on August 06, 2020, 11:40:27 am
I have changed a lot after I wrote this post; I am testing, I guess one could say. Since I am in testing mode, just for anyone concerned: there is another firewall inside for the parts I consider more sensitive than what is inside the current setup. This is just to protect what I have IF I make any bad mistakes, and trust me, mistakes I make all the time, but so far none has opened up the firewall to outside usage, so to speak (still no open ports for incoming traffic, which is as planned for now).

I think I basically know what I have been fighting so to speak, and this I guess is part of the learning process.

Okay: my biggest mistake, and it is a rather small one I say, is that I decided to start using Alias a bit too soon for my own good. It gave me more challenges than I guess I liked. Anyway, with 4 different interfaces for the intranet and then 2 interfaces for WAN (FTTH + LTE modem), I thought why not add the four intranet interfaces into a group? ALL_LAN it is called (there is an ALL_WAN also, for the two WAN connections). In the beginning everything was more than okay, even the WAN Gateway Group worked... The world was okay 8)

Then I decided to "whitelist" everything, and here I did a few things that worked kind of well, but it also gave me headaches that I did not need. Anyway, what happened was that I started to add rules on "ALL_LAN" that allowed everything I wanted, and I called them "Counter" since when I "inspected" them I got usage statistics counters from them (we could say). And all still looked good. The world was still okay 8)

Then I added the "Drop anything in/out" on the ALL_WAN. Still, the world continued to cruise around ::)

THEN I did the same on "ALL_LAN", and well, the world still seemed to run around me  :-\

Except the failover gateway stopped working, and the access to my Netgear LTE modem, well, it stopped using its own rule all of a sudden (but still worked), and I could not for the world get how this was enabled without that specific rule... But we could still access the world with no problems, so no worries...  :o

Then this morning I started to get a handle on this, or at least I think I am starting to get this: since I have all intranet interfaces in one Alias, I will get in/out traffic per port (say HTTPS, for example: I need in for one part on one interface, and out for the other part on the other interface to get it working). That was one of my questions that is now cleared.

AND then I decided to separate the internal traffic per port from the external traffic. However, the order was wrong: first I had rules for external access, then the internal ones. This gave an unwanted "counter" response, or the wrong rules were used sometimes for internal access instead of only external... After moving them around (internal before external, so to speak), the counters decided to show more correct statistics, or the right rules started to be used for what I expected...

The other thing that was getting me scratching my head was the failover that stopped working: well, since I decided to whitelist ports, and the default setup was on the interface and not on ALL_LAN, which now ends with "Drop All", this made it not work. After adding the WAN Gateway Group (into the external access rules in ALL_LAN) this is now restored, and then I moved the access rule for the Netgear LTE modem into ALL_LAN also, at the top of the rules list.

So long story short: Alias is great, but it is very easy to do stuff in the wrong order. ;)

The world is great yet again  ;D ;D ;D

I now added rules to redirect NTP and DNS traffic also; that works. So this morning a lot has happened that has been on the list, so to speak, and the world still spins ;D

Title: Re: Firewall rule processing - groups comes after interfaces?
Post by: banym on August 06, 2020, 05:29:37 pm
Thank you for sharing :-)
Enjoy the learning journey!