Messages - jbuenano

#1
Thanks again,

I am used to working with ASA and Juniper firewalls, but I like the idea of using OPNsense given the flexibility it provides and how easy it is to get simple tasks done so well, e.g. DHCP, NTP servers, etc.

I most definitely will spend some time trying to verify the firewall integrity. I already installed an IDS system inside the network to ensure that no threats are passing. So far I can say that it is behaving a lot better than ASA firewalls.

I will keep the forum posted with the findings.
#2
Quote from: miruoy on December 10, 2018, 07:07:12 PM
As a temporary quick workaround you can define a group containing all your VLANs and define an explicit block for inter-VLAN traffic.

Thanks so much for the suggestion. It worked quite well, exactly as expected. I created 2x groups: one for firewall management (note that I had already ticked the setting "Disable administration anti-lockout rule", but it still allows the connections) and another for network device management, with a block-all rule at the bottom of the list (to only the management or firewall subnets respectively, otherwise it would block all traffic from all subnets), then a pass rule to the specific devices which require the connections (source, destination and port).

It makes me wonder if the actual intent is to create groups to control the access as opposed to adding rules to the interfaces themselves.

Looking at the logs, there is still a huge amount of pass connections from rule:

@82 pass out log route-to (em0 'WAN-IP') inet from 'WAN-IP' to ! (em0:network:1) flags S/SA keep state allow-opts label "let out anything from firewall host itself"

It does make me a bit uncomfortable not knowing exactly what is being allowed. I guess that I need to continue looking to understand how to manage them.
#3
General Discussion / Default firewall rules between VLANs
December 09, 2018, 01:00:55 AM
Hi everyone,

I am experiencing some unexpected behaviour with firewall rules between VLANs.

The scenario is the following:

A client attempts to connect to the management switch interface via ssh. The client is connected to VLAN 310 with IP Address 10.20.10.175/24 and the management switch interface is connected to VLAN 300 with IP Address 172.20.0.3. See attached sketch (OPNSense VLAN).

My understanding is that if firewall rules are not defined, then all traffic should be blocked by default, as specified when the interface firewall rule set is empty: "No interfaces rules are currently defined. All incoming connections on this interface will be blocked until you add a pass rule". However, I found that some traffic still makes it through, even if rules are not defined. I can even see the details of the rule that allows it:

> lan_300_mgmt <- Dec 9 07:14:18   10.20.10.175:55763   172.20.0.3:22   tcp   let out anything from firewall host itself

Looking into the information details, I found that the communication is allowed by rulenr 81, which in my configuration is:

@81 pass out log all flags S/SA keep state allow-opts label "let out anything from firewall host itself"

Please note that this configuration was created by default and I don't seem to have control over it.

I could successfully configure a firewall rule to specifically block this connection, but it would be too difficult to block all the traffic that rule @81 is allowing:

x lan_310_inside_clients -> Dec 9 07:09:25   10.20.10.174:55561   172.20.0.3:22   tcp   USER_RULE

I am finding it hard to understand why this is happening. The question is where or how can I change the configuration to ensure that all traffic is truly blocked by default? e.g. Is it possible to disable the firewall rule @81 to avoid passing undesirable traffic? I am concerned that some unexpected traffic is allowed even though it hasn't specifically been configured in the firewall rules, as is happening in this example.
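Both posts above turn on the same question: which inter-VLAN flows are actually being passed by the "let out anything from firewall host itself" rule, as opposed to by user rules. The script below is an added example, not code from the original thread or from the OPNsense project. It parses log lines in the layout the posts show (an optional leading "x" is treated as the block marker, the way the blocked USER_RULE line appears above; an unmarked line is treated as a pass), maps each address to a VLAN using the two subnets named in the question (assumed to be /24s), and reports only the passed flows that cross VLANs and matched that default label. The four sample lines are constructed: the first two are the ones from the thread, the other two are made up in the same layout to show an extra cross-VLAN hit and an intra-VLAN flow that is correctly ignored.

```python
import ipaddress
import re
from collections import Counter

# Subnets from the post; the /24 on the management VLAN is an assumption.
VLAN_SUBNETS = {
    "VLAN310": ipaddress.ip_network("10.20.10.0/24"),
    "VLAN300": ipaddress.ip_network("172.20.0.0/24"),
}

# Label of the auto-generated pf rule (@81 / @82 in the posts).
DEFAULT_SELF_LABEL = "let out anything from firewall host itself"

# Constructed sample in the layout shown in the thread. A leading "x" is
# taken to mean the entry was blocked; "<-" / "->" is the direction marker
# and is kept as-is rather than interpreted.
SAMPLE_LOG = """\
lan_300_mgmt <- Dec 9 07:14:18   10.20.10.175:55763   172.20.0.3:22   tcp   let out anything from firewall host itself
x lan_310_inside_clients -> Dec 9 07:09:25   10.20.10.174:55561   172.20.0.3:22   tcp   USER_RULE
lan_300_mgmt <- Dec 9 07:15:02   10.20.10.175:55801   172.20.0.2:443   tcp   let out anything from firewall host itself
lan_300_mgmt <- Dec 9 07:16:30   172.20.0.10:49152   172.20.0.3:22   tcp   let out anything from firewall host itself
"""

LINE_RE = re.compile(
    r"^(?P<blocked>x\s+)?(?P<iface>\S+)\s+(?P<dir>->|<-)\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<label>.+?)\s*$"
)


def parse_line(line):
    """Turn one GUI-style log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "action": "block" if d["blocked"] else "pass",
        "iface": d["iface"],
        "dir": d["dir"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"],
        "label": d["label"],
    }


def vlan_of(ip):
    """Name the VLAN an address belongs to, or 'other' if it is in neither."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLAN_SUBNETS.items():
        if addr in net:
            return name
    return "other"


def inter_vlan_passes(text, label=DEFAULT_SELF_LABEL):
    """Passed flows that cross VLANs and were matched by the given rule label."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "pass" or rec["label"] != label:
            continue
        src_vlan, dst_vlan = vlan_of(rec["src"]), vlan_of(rec["dst"])
        if src_vlan != dst_vlan:
            hits.append((src_vlan, rec["src"], dst_vlan, rec["dst"],
                         rec["proto"], rec["dport"]))
    return hits


def summarise(hits):
    """Count hits per (source VLAN, destination VLAN, protocol, dest port)."""
    return Counter((s, d, proto, dport) for s, _, d, _, proto, dport in hits)


if __name__ == "__main__":
    found = inter_vlan_passes(SAMPLE_LOG)
    for key, count in sorted(summarise(found).items()):
        s_vlan, d_vlan, proto, dport = key
        print(f"{s_vlan} -> {d_vlan} {proto}/{dport}: {count} passed by default rule")
```

Paste the live log export into `SAMPLE_LOG` (or read it from a file) and the summary shows, per VLAN pair and destination port, what the default rule is letting through, which is the list a pass rule set per device would need to cover. To confirm which pf rule a given @N number refers to on the box itself, `pfctl -vvsr` prints the loaded ruleset with the same @N prefixes the log uses.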