Messages - silmarine

#1
Quote from: Patrick M. Hausen on Today at 12:25:18 PM
You can use them in interface specific rules to enforce a correct source address similarly to some commercial firewalls having builtin anti-spoofing.
E.g. a rule on LAN as a best practice should use "From: LAN net" and not "From: any". At least for unicast traffic.
Ah I see, that makes sense. I will just make the network aliases manually and redo my rules. I think there's only a couple that will need dynamic IPv6 addresses but I can probably work around that or just make dynamic aliases for those hosts. Thanks for your help!
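The anti-spoofing point in the quoted reply, as an added example that is not code from the thread or from OPNsense: a small model of interface-bound rules showing that a rule with source "any" on an interface passes packets whose source address does not belong to that interface's network, while the same rule with source "<interface> net" does not. Interface names, networks and addresses are constructed, and treating a bare address as a single host (/32) is an assumption of this model.

```python
"""Added example (not from the forum thread or OPNsense): why a per-interface
rule should use "<interface> net" as its source rather than "any"."""
import ipaddress
from dataclasses import dataclass

# Constructed interface networks; an alias such as "lan net" expands to these.
INTERFACE_NETS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "opt1": ipaddress.ip_network("10.10.1.0/24"),
}


@dataclass(frozen=True)
class Rule:
    interface: str  # interface the rule is bound to
    source: str     # "any", "<interface> net", or an address/prefix


def expand_source(source):
    """Networks a rule source can match; None means 'any'."""
    if source == "any":
        return None
    if source.endswith(" net"):
        return [INTERFACE_NETS[source[: -len(" net")]]]
    # Assumption of this model: a bare address is a single host (/32 or /128).
    return [ipaddress.ip_network(source, strict=False)]


def matches(rule, in_if, src_ip):
    """True if a packet arriving on in_if from src_ip is matched by rule."""
    if rule.interface != in_if:
        return False
    nets = expand_source(rule.source)
    addr = ipaddress.ip_address(src_ip)
    return nets is None or any(addr in net for net in nets)


def is_spoofed(in_if, src_ip):
    """Anti-spoofing check: the source must belong to the ingress interface's net."""
    return ipaddress.ip_address(src_ip) not in INTERFACE_NETS[in_if]


def passes_spoofed(rule, in_if, src_ip):
    """True if the rule would pass a packet whose source does not belong on in_if."""
    return matches(rule, in_if, src_ip) and is_spoofed(in_if, src_ip)


def audit(rules):
    """Return the rules that use 'any' as source and so give no anti-spoofing."""
    return [r for r in rules if r.source == "any"]
```

Running `passes_spoofed(Rule("lan", "any"), "lan", "10.10.1.5")` returns True (the spoofed source is passed), while the same call with `Rule("lan", "lan net")` returns False.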
#2
Quote from: Patrick M. Hausen on Today at 12:07:08 PM
Probably. Don't know from the top of my head but that would explain the behaviour you observed.
Just tried to test this and got this error when trying to save my alias:
'Entry "192.168.1.20/32" is not a valid hostname, IP address or range.'

Seems host aliases have to be without netmask. Another thing, when I first discovered this behavior I tested it by removing the predefined interface net aliases and then all traffic was blocked except traffic from PXKSM1. So hosts from the same network are allowed only when I put one of these interface net aliases in the source. I suppose a simple fix would be to just create my own network aliases, but then I question what the purpose of these predefined ones is.
#3
Quote from: Patrick M. Hausen on Today at 11:59:03 AM
Quote from: silmarine on Today at 11:54:51 AM
The source_net "PXKSM1" is a host alias I created

What netmask/prefix length did you use for that host alias? Needs to be /32 for IPv4 or /128 for IPv6 to match only a single host.
I didn't put a netmask/prefix in at all. Just the exact IP, like "192.168.1.20". Does it then assume the whole network if I don't?
#4
Quote from: Patrick M. Hausen on Today at 11:12:02 AM
@silmarine did you possibly use source or destination invert in your floating rule that did not work as expected?
No, definitely not. I have only a couple of floating rules and they are intended for general rules from a couple of interfaces where similar clients are, but are segmented for other reasons. For example, I have 3 networks where I would like to allow SSH from and to the same set of networks. So instead of creating 3 different rules I created one floating rule. The only thing is, from one of those interfaces I only need a single host allowed. I exported my rule set and pasted this example rule here, if that helps to understand it.

action: pass
quick: 1
interface: opt1,opt5,opt10
notinterface: 0
direction: in
ipprotocol: inet46
protocol: TCP
icmptype: (empty)
icmp6type: (empty)
source_net: PXKSM1,opt1,opt10
source_not: 0
source_port: (empty)
destination_net: opt3,opt5,opt6,opt7,opt8
destination_not: 0
destination_port: ssh
divert-to: (empty)
gateway: (empty)

The source_net "PXKSM1" is a host alias I created, in the UI the source_net "opt1" and "opt10" look like "clients net" and "client_vpn net". Interface "opt5" is where "PXKSM1" is. However I can do ssh connections to the destinations from any host in opt5. I have also confirmed that this rule is the one being matched in the live logs, as I gave it a description that is listed in the "Label" field of the logs.
#5
Quote from: Patrick M. Hausen on Today at 10:41:38 AM
Quote from: silmarine on Today at 10:36:50 AM
What is floating used for then?

E.g. globally permit ICMP echo requests.
Ah okay, so like policies without source IPs? Feel like the source entry should just be grayed out in floating rules or something, if that's the case.
#6
Quote from: Bob.Dig on Today at 10:24:35 AM
Don't use floating in the first place, it is not meant for that. First learn the basics (and then you still don't use floating). Post a screenshot of your new rules if it still doesn't work out for you.
What is floating used for then?
#7
Hey everyone, I recently set up my first OPNsense firewall. I set up many rules with multiple interfaces (floating) and set the sources/destinations with the predefined interface net aliases. After some troubleshooting on another thing I happened to realize that a connection was allowed that shouldn't have been. I changed the rule around to figure out why, and what I discovered is that if I put any predefined interface net alias into a rule it will allow all the networks from the interfaces in the rules. So if I have a floating rule with interfaceA and interfaceB, with sources exact-host-from-interfaceA-network and the predefined interfaceB net alias, then the rule will still match traffic from interfaceA from any host in that network, instead of just the exact-host-from-interfaceA-network.

Is that expected? If I want it to work like I expect should I be making my own aliases for these networks? If I am to be making my own aliases, how am I supposed to do that with networks that change dynamically (public IPv6 subnetting with /64 from ISP)?