General Discussion / Need some explanation on how to block outgoing traffic without floating rule
« on: July 10, 2018, 12:09:46 am »
Hello Team,
I managed to install OPNsense on a Proxmox virtualization station.
To keep things simple I use the Network Intel Interface and set up 2 interfaces:
- em0 with a public IP bound to vmbr0, which is the public bridge
- em1 with a private IP bound to vmbr1, which is a dummy interface in the Proxmox context
Adding an extended gateway in the web UI eases the setting up of the firewall. So my gateway has a different public IP from em0.
Everything seems to run according to what I want, but there is something I cannot understand: why do I need to use a floating rule to block all outgoing traffic?
All my rules are actually set on the WAN interface to allow incoming traffic; the built-in default rule on this interface is to block all incoming traffic. But on the other hand, all outgoing traffic is allowed on this interface, and if I set up a rule to block all outgoing traffic, it does not work and I get this message in the live view: let out anything from firewall host itself
So I read that floating rules are evaluated first and allow, from what I understand, the policy to be spread over all interfaces. I could block all outgoing traffic by setting a floating rule, but I would like to know why it works like that? Why can I not set a deny-all policy directly on the WAN interface?
Thank you for the job, regards,
DualBoot
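The behaviour described in the post (an interface "block out" rule that never fires while the live view shows the automatic "let out anything from firewall host itself" rule matching, and a floating rule that does work) follows from pf's rule-evaluation semantics: rules are walked top to bottom, the last matching rule wins, except that a matching rule marked `quick` ends evaluation immediately. The following simplified pf evaluator is an added illustration, not code from OPNsense or from the poster. The rule ordering it uses (floating rules, then the automatic pass-out rule marked quick, then interface rules) is an assumption chosen to reproduce what the post observes; it is not a copy of OPNsense's generated ruleset, so check `/tmp/rules.debug` on the actual firewall before relying on it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: Optional[str]   # None = matches any interface (floating / automatic rules)
    quick: bool            # pf 'quick': stop evaluating as soon as this rule matches
    label: str


@dataclass
class Packet:
    direction: str
    iface: str


def evaluate(ruleset: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Model of pf evaluation: last matching rule wins unless a matching rule is 'quick'."""
    winner = None
    for rule in ruleset:
        if rule.direction != pkt.direction:
            continue
        if rule.iface is not None and rule.iface != pkt.iface:
            continue
        winner = rule
        if rule.quick:
            break           # quick: later rules are never consulted
    return winner


def decide(ruleset: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label); with no match, fall back to pf's implicit default."""
    r = evaluate(ruleset, pkt)
    return (r.action, r.label) if r else ("block", "default deny (constructed)")


# Constructed rules modelled on the labels in the post.
AUTO_LET_OUT = Rule("pass", "out", None, True, "let out anything from firewall host itself")
WAN_BLOCK_OUT = Rule("block", "out", "em0", True, "user rule on WAN: block all out")
FLOAT_BLOCK_OUT = Rule("block", "out", None, True, "user floating rule: block all out")


def ruleset_interface_rule_only() -> List[Rule]:
    # Assumed order: automatic rules first, interface rules last.
    return [AUTO_LET_OUT, WAN_BLOCK_OUT]


def ruleset_with_floating() -> List[Rule]:
    # Assumed order: floating rules first, then automatic rules, then interface rules.
    return [FLOAT_BLOCK_OUT, AUTO_LET_OUT, WAN_BLOCK_OUT]


def ruleset_auto_without_quick() -> List[Rule]:
    # Counterfactual: if the automatic pass-out rule were NOT quick, last-match-wins
    # would let the later interface rule override it.
    auto_no_quick = Rule("pass", "out", None, False, AUTO_LET_OUT.label)
    return [auto_no_quick, WAN_BLOCK_OUT]


if __name__ == "__main__":
    pkt = Packet("out", "em0")
    for name, rs in [("interface rule only", ruleset_interface_rule_only()),
                     ("with floating rule", ruleset_with_floating()),
                     ("auto rule without quick", ruleset_auto_without_quick())]:
        print(f"{name:25s} -> {decide(rs, pkt)}")
```

Running the block shows the three outcomes side by side: with only an interface rule the quick automatic pass-out rule matches first and the WAN block never gets a chance; a floating block-out placed ahead of it wins; and the counterfactual without `quick` shows why the keyword, not the interface, is what decides. Before deploying a floating block-all-out rule on a real box, remember that it also covers traffic the firewall itself originates (DNS, NTP, package updates), so pass rules for those services need to sit before it.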