Messages

1

20.1 Legacy Series / Re: Firewall Rules Not Executing In Order

« on: July 23, 2020, 07:39:10 pm »

As a test a created a new firewall group called "Internet_Access" and added only my internal interfaces to it "LAN, VLAN1, VLAN2, VLAN3, VLAN4, VLAN5"

I created the following 2 rules in "Internet_Access" as a test

Code: [Select]

Rule #: 1
Description: FG_Internet_Access - Allow My Laptop
Action: Pass
Protocol: IPv4 TCP/UDP
Source: H_MyLaptop
Port: *
Destination: ! N_Internal_Networks
Port: *

Rule #: 2
Description: FG_Internet_Access - Block Internet Access
Action: Block
Protocol: IPv4 *
Source: *
Port: *
Destination: ! N_Internal_Networks
Port: *

The results are very strange to me it allowed very few to "PASS" but "BLOCKED" more

PASS:

Code: [Select]

__timestamp__ Jul 23 13:08:52
ack
action [pass]
anchorname
datalen 0
dir [in]
dst 23.41.185.132
dstport 443
ecn
id 41110
interface em0
interface_name lan
ipflags DF
label FG_Internet_Access - Allow My Laptop
length 48
offset 0
proto 6
protoname tcp
reason match
rid 396c2761adcb1337d5dc65ff744048a7
ridentifier 0
rulenr 103
seq 1760592743
src 192.168.10.10
srcport 1951
subrulenr
tcpflags S
tcpopts
tos 0x0
ttl 128
urp 65535
version 4

BLOCK:

Code: [Select]

mp__ Jul 23 13:08:28
ack 693860067
action [block]
anchorname
datalen 0
dir [in]
dst 31.216.147.136
dstport 443
ecn
id 49096
interface em0
interface_name lan
ipflags DF
label FG_Internet_Access - Block Internet Access
length 52
offset 0
proto 6
protoname tcp
reason match
rid 7b03c448b9cc820f0876734f8f45ba38
ridentifier 0
rulenr 105
seq
src 192.168.10.10
srcport 29367
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 127
urp 65330
version 4


2

20.1 Legacy Series / Firewall Rules Not Executing In Order

« on: July 23, 2020, 05:16:28 pm »

Hi All,

Setting up OPNsense for the first time, and created a couple of test rules in my test VM to see how everything works, but having an issue with the rule firing order. I have 4 basic rules for testing the firewall and I was expecting the "first match" to apply to my traffic, but looks like it's applying the "last match" even though I have all rules set to "quick"

LAN Rules:

Code: [Select]

Description Action Quick Interface Direction TCP/IP Version Protocol Source Source Port Destination Destination Port
Allow Gateway Access Pass Yes LAN IN IPv4 ANY LAN net ANY LAN address ANY
Allow Subnet Access Pass Yes LAN IN IPv4 ANY LAN net ANY LAN net ANY
Block Access To All Internal Networks Block Yes LAN IN IPv4 ANY LAN net ANY N_Internal_Networks ANY
Block Access To All External Networks Block Yes LAN IN IPv4 ANY LAN net ANY ANY ANY

Firewall: Log Files: Live View:

Code: [Select]

__timestamp__ Jul 23 10:56:46
ack 3701013923
action [block]
anchorname
datalen 1460
dir [in]
dst 192.168.10.10
dstport 25793
ecn
id 0
interface em0
interface_name lan
ipflags DF
label Block Access To All Internal Networks
length 1500
offset 0
proto 6
protoname tcp
reason match
rid 310440840809ac6ac297342b87a2292f
ridentifier 0
rulenr 342
seq 2133222556:2133224016
src 192.168.10.251
srcport 443
subrulenr
tcpflags A
tcpopts
tos 0x0
ttl 63
urp 65535
version 4

Firewall: Log Files: Plain View

Code: [Select]

filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,355,192.168.10.251,192.168.10.10,443,1533,315,PA,257669456:257669771,2691555010,65535,,
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65535,,nop;nop;sack
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,40,192.168.10.251,192.168.10.10,443,1533,0,A,,2691555010,65031,,
filterlog[2196]: 342,,,0,em0,match,block,in,4,0x0,,63,0,0,DF,6,tcp,52,192.168.10.251,192.168.10.10,443,1533,0,A,,2691554341,65535,,nop;nop;sack

HOTE: 192.168.10.251 is my test OPNsense VM and 192.168.10.10 is my laptop connecting to the web GUI.

I was expecting rule ""Allow Subnet Access" to be applied not rule "Block Access To All Internal Networks"

Thoughts/ideas?

3

20.1 Legacy Series / Re: How To Create Updated ISO

« on: July 19, 2020, 04:05:19 am »

https://github.com/opnsense/tools

make dvd

@mimugmail thanks for the info, was hoping for a simplier way than rebuilding from sources, becuase does'nt it take "hours" for the build process?

Also attempting to setup a build system for the first time, and not even on step 1 and already ran into an issue and not sure what to do:

Code: [Select]

root@freebsd:~ # pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.14.6...
Newer FreeBSD version for package pkg:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1103000
- running kernel: 1102000
Ignore the mismatch and continue? [Y/n]: n


Code: [Select]

root@freebsd:~ # freebsd-version
11.2-RELEASE-p15


4

20.1 Legacy Series / How To Create Updated ISO

« on: July 17, 2020, 11:57:07 pm »

Hi All,

New to OPNsense/FreeBSD and busy testing/building to replace my EdgeRouter,

I was wondering how do I get/build the latest version in ISO format? Is there a way to use svf, zsync, jigdo, xdelta or something similar to build an updated ISO? I'm not looking to add any additional packages to the default install or remove any, just want to always have the most recent ISO ready to install without having to do additional update installs after initial setup.

Please let me know if anyone can help. Thanks

5

General Discussion / Re: Newbie Questions About Firewall Rules

« on: February 07, 2020, 08:13:15 pm »

For those interested I think I have figured out all 4 of the below . #4 was figured out using this post https://forum.opnsense.org/index.php?topic=9245.0

1. Block outgoing DNS requests from any internal interface going to the internet
2. Allow outgoing DNS requests from any internal interface going to my internal DNS server (AD)
3. Allow my internal DNS server (AD) to send DNS requests to specific internet DNS hosts (Currently Google DNS)
4. Redirect requests from any interface for DNS to my internal DNS server only

Since the NAT created a linked rule under the "ALL_LAN" group I decided to move my rules from "Floating" to the "ALL_LAN" group instead to keep everything together, the only rule I currently have in "Floating" is my "Block All IPv6" rule.

ALL_LAN Rule:

Code: [Select]

1. Allow AD DNS to Internet:
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN Out TCP/UDP H_Internal_DNS H_External_DNS P_DNS

2. Linked rule created via the NAT
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN In TCP/UDP Any H_Internal_DNS P_DNS

3. Block Any Internal Device/Network from Internet DNS (just in case)
Action Interface Direction Protocol Source Destination DPort
Block ALL_LAN In TCP/UDP Any Any P_DNS

Floating Rule:

Code: [Select]

Block All IPv6:
Action Interface Direction TCP/IP Protocol Source SPort Destination DPort
Block ALL_LAN, WAN Any IPv6 Any Any Any Any Any


1. Block everything from the LAN/VLANS to the WAN (Internet)
2. Then I selectively allow specific devices and ports to the WAN based on Host Groups and Port Groups,         

I also created the following rules in each LAN/VLAN interface to by default block all traffic to the Internet

Code: [Select]

Action Interface Direction TCP/IP Protocol Source Destination DPort
Pass <Interface> in IPv4 Any <interface> net <interface> address Any
Block <Interface> In IPv4 Any <interface> net N_Private_Networks Any
Block <Interface> In IPv4 Any <interface> net Any Any

This system is not live yet so this is all theory right now I'm hoping to put the OPNsense firewall in production over the weekend , if I get approval from the family

Thoughts/Comments/Suggestions are welcome. Thanks

6

General Discussion / Clearing Automatically Generated Rules

« on: February 06, 2020, 01:01:04 am »

Hi All,

How do I go about clearing the "Automatically Generated Rules" under "Floating", the reason I ask is I followed the instructions here https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6 on how to disable IPv6 (not completely as I would like) and when I look at "Firewall: Rules: Floating" I still see the following:

Code: [Select]

Protocol Source Port Destination Port Gateway Schedule Description
IPv6 IPV6-ICMP * * * * * * IPv6 requirements (ICMP)
IPv6 IPV6-ICMP (self) * fe80::/10,ff02::/16 * * * IPv6 requirements (ICMP)
IPv6 IPV6-ICMP fe80::/10 * fe80::/10,ff02::/16 * * * IPv6 requirements (ICMP)
IPv6 IPV6-ICMP ff02::/16 * fe80::/10 * * * IPv6 requirements (ICMP)

I also added an extra "Floating Rule", since "Firewall: Settings: Advanced" and unchecking "Allow IPv6" only created a "Floating" rule for IN

Code: [Select]

Direction = ANY
Protocol Source Port Destination Port Gateway Schedule Description
IPv6 * * * * * * * Block All IPv6

Also noticed this rule appearing twice:

Code: [Select]

Protocol Source Port Destination Port Gateway Schedule Description
IPv4+6 TCP/UDP * * * * * * block all targetting port 0
IPv4+6 TCP/UDP * * * * * * block all targetting port 0

I have rebooted and they still show up, any help/suggestions would be appreciated. Thanks

7

General Discussion / Newbie Questions About Firewall Rules

« on: February 05, 2020, 10:48:21 pm »

Hi All

I’m new to OPNsense coming from Ubiquiti EdgeRouter and wanted to test out OPNsense (Virtualized), I have everything installed (20.1) and setup with the basic configuration, now I want to re-create the firewall rules I have on my EdgeRouter in OPNsense and have some questions, and am looking for some guidance/advice if possible.

Some background, this is for my home network, I live in a rural area so internet access it limited and I’m using a hotspot, so with this configuration I have strict rules on my EdgeRouter:

1. Block everything from the LAN/VLANS to the WAN (Internet)
2. Then I selectively allow specific devices and ports to the WAN based on Host Groups and Port Groups,         

So I re-created all my Hosts, Network and Port Aliases that I have on my EdgeRouter in OPNsense (BTW what a PITA that there is no shell command interface for creating these, took me a while doing it via the GUI as I have a lot )

After much reading (still reading) I have come to the conclusion that how EdgeRouter and OPNsense do firewall rules is a lot different, so I have to start from scratch, the thing the continues to confuse me is the “Floating” rule but after some more reading at this point I’m going to call the “Floating Rules” - “Global Rules”, i.e. Rules you can apply to multiple interfaces/groups/vlans at once.

That all been said, I tried to create my first 2 rules and wanted to do a sanity check to make sure what I’m understanding/doing is correct.

1. Block outgoing DNS requests from any internal interface going to the internet
2. Allow outgoing DNS requests from any internal interface going to my internal DNS server (AD)
3. Allow my internal DNS server (AD) to send DNS requests to specific internet DNS hosts (Currently Google DNS)
4. Redirect requests from any interface for DNS to my internal DNS server only

I think I have #1, #2 and #3 created correctly not sure how to do #4 (on EdgeRouter it’s done via a DNAT)

I created a “Group” for my LAN, and 5 test VLANS (VLAN10, VLAN20, VLAN30, VLAN40 and VLAN50) and put them in an interface group called “ALL_LAN”

Created “Aliases”
Hosts: H_Internal_DNS (IP of AD server)
Hosts: H_External_DNS (IP of Google DNS Servers)
Ports: P_DNS (53)

“Floating Rule”

Code: [Select]

1. Allow AD DNS to Internet:
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN Out TCP/UDP H_Internal_DNS H_External_DNS P_DNS

2. Allow Any Internal Device/Network to AD DNS
Action Interface Direction Protocol Source Destination DPort
Pass ALL_LAN In TCP/UDP Any H_Internal_DNS P_DNS

3. Block Any Internal Device/Network from Internet DNS
Action Interface Direction Protocol Source Destination DPort
Block ALL_LAN In TCP/UDP Any Any P_DNS

I'm not not sure how I would create the rule/NAT for redirecting any DNS requests from “ALL_LAN” to my Internal AD DNS

I also have another rule same as above but for NTP, and have the same issue

Is using “Floating” rules the correct place to create these types of rules, where I want to rule to apply to all interfaces, or should I use the “ALL_LAN” interface for these types of rules instead

I read that “Floating” rules have priority 1, then Group Interfaces have priority 2, then last is the actual interfaces themselves, is this correct?

Also am I correct in what I read that you can apply both IN and OUT rules on the interfaces itself and that is no longer is the interface an IN only rule?

I also have a question about my normal firewall rules, but will wait for a response to this question before adding another question to the list

Thanks for any help or time you all can offer.