Messages - RMLNZ

#1
The idea of an option to make the system generated rules "floating" is excellent and would give me what I want which is at heart full control of MY firewall which runs on MY network. The base block all rule could be generated as the only system generated rule.

I do think there is benefit in always being able to see what the officially recommended system generated firewall rules are so you can see how you have varied them.

#2

Does QUICK operate within a section?

If no QUICK match is found in the section then is the section processed again looking for the last match?

OR

Does QUICK operate across the entire rule set first?

If no QUICK match is found in the ruleset then is the ruleset processed again looking for the last match?

#3
Thank you for the interesting and enlightening posts.

I agree there is immense value in the system generated rule sets to streamline enabling firewall features.

The examples showing the complexity the automated system encapsulates are very helpful.

I really like the way that some system rules are linked back to the enabling GUI fields.

Perhaps I could restate my suggestion as follows:

Add a new mode setting to OPNSENSE called Security Mode:

Default Security Mode - Current behaviour

Strict Security Mode - New behaviours/features to be:
  • Default rule is that all traffic is blocked unless explicitly approved.
  • The default system generated rule to pass any traffic from the firewall itself is removed.
  • If a firewall service needs a rule to work, that rule must be created and approved by the firewall administrator.
  • The system generated ruleset could include recommended rules required for firewall operation.
  • The system generated rules are all created in a disabled state (except for the default administration access rules).
  • The firewall administrator can choose to enable the system generated rules.
  • If the firewall administrator wishes they can clone the system generated rules and edit them as they see fit.

Separately, it's suggested we have a new CLI command to "RecoverAdmin InterfaceName" to salvage administration access if a user locks themselves out. I guess this would inject floating, first in sequence quick rules limited to the specified interface.

Also, can we please expand on the description of how the quick / last match rules work?

Also, can we add an option to the GUI to view the active rule set (eg view /tmp/rules.debug).

#4
So you have the awful rule "anything from the firewall may pass".

Point your PC clients at the firewall's DNS for DNS services.

The DNS server is part of the firewall and therefore its traffic is passed automatically.

Any rule you define at the floating or interface level filtering traffic on the outbound WAN to a defined external DNS server address [eg OpenDNS] will fail to filter your outbound DNS traffic because it is passed based on the fundamentally flawed, higher priority, system generated "permit all from the firewall itself" rule.

I'll bet that the KGB/CCP just loves the fact that OPNSENSE runs an open gateway on the internal DNS server by default and you can't seem to delete that stupid base rule.

Oh yes, plenty of malware uses DNS to exfiltrate data by talking to its preferred DNS server. Isn't that right?

A key point is that a firewall should obey its own rules.

If there are missing rules and firewall stuff won't work, then the fix is to add or modify the rules so that it does work.
The ONLY rule that should exist by default at a system level on a firewall is:

  • Block Everything on Every Interface whether Inbound or Outbound

Thereafter, traffic can only be passed by explicit approval of the firewall administrator.

Why? A firewall is NOT meant to be a router. It is meant to be an obstruction first, foremost and always.

There is a need to define a new mode of OPNSense called "Strict Security Mode" which enforces one base rule of:

  • Block Everything on Every Interface whether Inbound or Outbound

An installation step will require you to nominate a management interface so inbound SSH and HTTPS can be permitted on that interface (assume LAN).

A life saving console command should be available to "permit management access on interface x" in case you mess up your rules and find yourself in need of resurrection :)
OPNSense should also consider the risk of changes in its software introducing new "system generated rules" that contradict user (firewall administrator) wishes.
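
As an added illustration (not code from OPNsense or from the poster), the following Python model of pf-style rule evaluation answers the question in post #2 and reproduces the outbound-DNS case in post #4: pf makes one pass over the whole ruleset, the last matching rule wins, unless a matching rule is marked quick, which ends evaluation on the spot. The rulesets, addresses and the exact form of the "pass from self" rule are constructed assumptions, not OPNsense's actual rules.debug.

```python
from dataclasses import dataclass, replace
from typing import Optional

FIREWALL_ADDRS = {"192.0.2.1", "198.51.100.1"}   # constructed: the firewall's own WAN/LAN addresses

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str          # "in" or "out"

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in", "out" or "any"
    src: str                # address, "any", or "self" (the firewall itself)
    dst: str                # address or "any"
    dport: Optional[int] = None
    quick: bool = False
    label: str = ""

def matches(rule: Rule, pkt: Packet) -> bool:
    src_ok = (rule.src == "any" or rule.src == pkt.src
              or (rule.src == "self" and pkt.src in FIREWALL_ADDRS))
    return (src_ok and rule.direction in ("any", pkt.direction)
            and rule.dst in ("any", pkt.dst) and rule.dport in (None, pkt.dport))

def evaluate(ruleset, pkt: Packet):
    """pf semantics: one pass over the whole ruleset (no per-section re-scan),
    last matching rule wins, unless a matching rule is quick, which is final."""
    verdict = ("block", "implicit default")
    for rule in ruleset:
        if matches(rule, pkt):
            verdict = (rule.action, rule.label)
            if rule.quick:
                break                       # quick: stop here, this rule decides
    return verdict

# Constructed rulesets. CURRENT mirrors post #4: a system "pass from self" quick rule
# sits ahead of the administrator's block on outbound DNS to an external resolver.
CURRENT = [
    Rule("block", "any", "any", "any", label="default block all"),
    Rule("pass", "out", "self", "any", quick=True, label="system: pass any from self"),
    Rule("block", "out", "any", "203.0.113.53", 53, quick=True, label="admin: block DNS to external"),
]
NO_QUICK = [replace(r, quick=False) for r in CURRENT]   # same order, last match decides
# STRICT has no blanket self rule; only the resolver the administrator approved is passed.
STRICT = [CURRENT[0], Rule("pass", "out", "self", "192.0.2.53", 53, quick=True, label="admin: approved resolver"), CURRENT[2]]

def dns_verdicts():
    """The firewall's own resolver forwarding a query to an unapproved external resolver."""
    ext = Packet("192.0.2.1", "203.0.113.53", 53, "out")
    ok = Packet("192.0.2.1", "192.0.2.53", 53, "out")
    return {"current": evaluate(CURRENT, ext)[0], "no_quick": evaluate(NO_QUICK, ext)[0],
            "strict": evaluate(STRICT, ext)[0], "strict_approved": evaluate(STRICT, ok)[0]}
```

With quick on the system rule the administrator's later block never gets a say; with quick removed, or with the blanket self rule gone, the later block decides.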
#5
A firewall administrator should have explicit control over all of the rules defined in a firewall they manage.

OPNSENSE should NOT automatically generate firewall rules.

It is especially poor for one of those rules to be the base rule that says pass any traffic to any destination where that traffic originates from the firewall.

There are two assumptions behind that which says that (i) all traffic from the firewall is traffic the firewall administrator would wish to allow to pass and (ii) a bad actor, knowing the nature of the system generated rules, would be incapable of duping the firewall to do things not intended by the firewall administrator or its designers.