OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: pongafence on May 31, 2018, 05:15:02 am

Title: Firewall Zones
Post by: pongafence on May 31, 2018, 05:15:02 am
Hi all,

Was wanting to know if the concept of "firewall zones" has been or is going to be implemented into OPNsense.


Thanks,
D
Title: Re: Firewall Zones
Post by: fabian on May 31, 2018, 08:56:06 am
No, and it won't, because this is outdated (if you are talking about red, orange, green and blue zones like in IPFire). In OPNsense, any interface (virtual or physical) can be a WAN uplink, DMZ or an internal network. You can also group some interfaces, for example your internal LAN interfaces.
Title: Re: Firewall Zones
Post by: franco on May 31, 2018, 11:12:36 am
For all intents and purposes, zones are interfaces in OPNsense. The definition is a bit fuzzy because interfaces can also be physical interfaces, but in general all interfaces in the menu with [NAME] or in the firewall rules tabs are zones.

Bridges make this a bit more complicated as well. But all in all it's just a naming thing that's hard to change without hurting language translations, documentation and ease of use for people used to M0n0wall, pfSense and OPNsense.


Cheers,
Franco
Title: Re: Firewall Zones
Post by: pongafence on May 31, 2018, 12:35:09 pm
Hi,

Thanks for that. Funny you should mention it about being dated.

Anyway, more along the lines of how the likes of Fortinet, Cisco, CheckPoint etc. do it: they create "Zones", then assign "interfaces", be it physical or virtual, and group them together, and then use firewall rules that apply to "intra-zone" traffic, but still allow all traffic within a "zone" to flow without rules.
Title: Re: Firewall Zones
Post by: franco on May 31, 2018, 12:43:13 pm
You may have misinterpreted Fabian's comment about IPFire. It was not meant to include the vendors you mentioned.

Yes, an interface in OPNsense is a zone. You can change the underlying physical interface in the interfaces assignment page.


Cheers,
Franco
Title: Re: Firewall Zones
Post by: fabian on May 31, 2018, 01:00:45 pm
Quote from franco: "You may have misinterpreted Fabian's comment about IPFire. It was not meant to include the vendors you mentioned."

Probably yes - if somebody is talking about zones, I usually understand that these default policies are meant:
https://wiki.ipfire.org/configuration/firewall/default-policy
Title: Re: Firewall Zones
Post by: mimugmail on May 31, 2018, 01:02:42 pm
If you want to compare with Cisco IOS zones you should use floating rules.
Title: Re: Firewall Zones
Post by: pongafence on May 31, 2018, 01:17:50 pm
Ah yeah okay.  I was thinking about using Floating instead.  But then wasn't too sure if it'd achieve the same sort of thing.
Title: Re: Firewall Zones
Post by: franco on May 31, 2018, 01:22:37 pm
If we talk floating you can also do firewall groups ;)


Cheers,
Franco
Title: Re: Firewall Zones
Post by: mimugmail on May 31, 2018, 01:37:13 pm
Yep, look at floating or firewall groups, whichever way fits you best :)