19.7 Legacy Series / Interface rule traffic direction
Posted on: June 06, 2019, 04:12:32 pm
Hi,
I have been reading through old posts on this forum about the ability to specify direction for rules on individual interfaces, and I find the reasoning for not allowing this to be lacking, at best.
There is an explanation in
https://forum.opnsense.org/index.php?topic=6587.msg30876#msg30876
which says, among other things:
Quote
This has nothing to do with the direction of the packets you want to filter accordingly. Normally, enforcing policies is on (1.) [receiving interface] and rarely on (2.) [sending interface], because why would you forward something through a firewall if you are going to discard it when it is ready to exit?
To answer the question directly: When the receiving interface is at another site or an interface behind which other networks exist, you would have to implement rules on some inbound interface - which may or may not be practical. Even for a single site with many interfaces an otherwise simple task becomes tedious. For example, if you have a number of networks that are supposed to be able to access the database network, you have to create inbound rules on all those interfaces instead of creating a single one on the database interface - which is where authority should be. Floating rules are difficult to read, easy to misconfigure, and not an elegant solution to this problem.
We need to be able to set direction for normal interface rules. Having this available would make it a lot easier for us to implement network policies, especially when multiple sites are interconnected. Today the closest to a solution for this is to use floating rules which let you set the direction, but this is error prone and misleading.
What would be the actual downside of having a direction flag available as an advanced setting for rules on _all_ interfaces? Perhaps with the caveat that explicit drop [quick] stateless rules would also have to be created to make them effective.
Hoping I'm making sense,
/Eirik
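The database-network example from the quoted reply, as a pf.conf fragment. This is an added illustration, not configuration from the post or from OPNsense; the interface names (em1, em2 for two client LANs, em3 for the database LAN), the subnets and the port are assumptions chosen for the example.

```pf
# Constructed pf.conf fragment (added example, not from the original post).
# Assumed layout: em1 = 10.1.0.0/24, em2 = 10.2.0.0/24 (client LANs),
# em3 = 10.9.0.0/24 (database LAN), database listening on tcp/5432.

# Bind states to the interface they were created on. With pf's default
# floating state policy a state created by the inbound rule on em1 would
# already match the packet when it leaves em3, so no em3 rule would ever be
# consulted; if-bound states make the outbound rules on em3 decisive.
set state-policy if-bound

# Style possible with plain interface rules today: one inbound rule on every
# interface whose clients are allowed to reach the database, and each of them
# must be kept in sync when the policy changes.
pass in quick on em1 inet proto tcp from 10.1.0.0/24 to 10.9.0.0/24 port 5432 keep state
pass in quick on em2 inet proto tcp from 10.2.0.0/24 to 10.9.0.0/24 port 5432 keep state

# Style the post asks for: admit traffic at the client interfaces, then state
# the database policy once, as outbound rules on the database interface.
pass in quick on em1 inet from 10.1.0.0/24 to any keep state
pass in quick on em2 inet from 10.2.0.0/24 to any keep state
pass out quick on em3 inet proto tcp from { 10.1.0.0/24, 10.2.0.0/24 } to 10.9.0.0/24 port 5432 keep state
block out quick on em3 inet from any to 10.9.0.0/24
```

The last block rule is what gives the outbound policy teeth: anything not explicitly passed out on em3 is dropped there, whatever the ingress interface allowed. Without the state-policy line, the block would only ever see packets that carry no state, which is the trap the post alludes to when it mentions needing explicit drop rules.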