17.7 Legacy Series / How badly did I mess up with floating rule?
« on: November 06, 2017, 06:20:24 am »
My first installation of OPNsense two days ago, after a couple of years with pfSense. I set up the usual, which is several subnets to compartmentalize traffic: IoT, home, guests, VOIP. I wrote some firewall rules, which are the usual for me: I give one subnet with a single management box a pass/any/any, and I use that one to access and manage the other subnets, which are walled off from RFC1918.
So here's where it all goes wrong. When I went back into the system today to make a firewall change I saw, to my horror, that I had not put the rule on the subnet's interface. Instead, I had put it into the floating rules. Moreover, it was automatically a quick rule; pass any any. And, strangely enough, the subnet I thought it should be under had no rules at all. That's something that should not have been able to happen, considering that I was getting out to the net just fine on that box; unless it was the pass any any that had made that happen.
Since then, I have been trying to figure out what happened, and what the consequences might have been. It seems to me that such a floating rule completely opens up the firewall, because it applies to the WAN in both directions. Indeed, I did a quick experiment by running Shields Up on the system with the rule in place, and sure enough it showed 80 and 443 open. Holy crow. I checked my logs for problems, but I'm not even sure I would find any. The configuration history did not go back far enough to show where exactly I had made the error.
Two days of having the router open to the WAN, with a not particularly strong password on it--what to do? Is there anything on that box that is going to be salvageable? My systems inside are all individually firewalled, except for an access point--so I don't think there's anything that could have jumped--but still....
This careless error, a combination of fatigue and of unfamiliarity with the interface, has me spooked. I don't actually have any clear idea what it means yet, or even how floating rules work, because the documentation on them is fairly scanty. Can anybody help, please?
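A defender-side check for the mistake described in this post, added here as an example and not part of the original thread: it scans an OPNsense config.xml backup for floating pass rules that are any-to-any and reach a WAN interface. The element names and the "yes"/"1" flag values are assumed from the pfSense/OPNsense config layout, and the sample config is constructed.

```python
"""Audit an OPNsense/pfSense-style config.xml for floating pass any/any rules."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the <filter> part of config.xml (layout assumed,
# not copied from a real box): one floating quick pass-any rule, one LAN rule.
SAMPLE_CONFIG = """<opnsense>
  <filter>
    <rule>
      <type>pass</type>
      <floating>yes</floating>
      <quick>1</quick>
      <interface>wan,lan,opt1</interface>
      <source><any/></source>
      <destination><any/></destination>
      <descr>management pass</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>LAN default</descr>
    </rule>
  </filter>
</opnsense>"""

def _is_any(rule, tag):
    """True when the source/destination element is <any/> (or missing)."""
    node = rule.find(tag)
    return node is None or node.find("any") is not None

def _flag(rule, tag):
    """Boolean config flags appear as 'yes' or '1' depending on version (assumed)."""
    return (rule.findtext(tag) or "").strip().lower() in ("yes", "1")

def risky_floating_rules(config_xml, wan_ifaces=("wan",)):
    """Return floating pass rules that are any->any and reach a WAN interface
    (an empty <interface> on a floating rule means every interface)."""
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iter("rule"):
        if not _flag(rule, "floating") or (rule.findtext("type") or "").strip() != "pass":
            continue
        ifaces = [i.strip() for i in (rule.findtext("interface") or "").split(",") if i.strip()]
        on_wan = not ifaces or any(i in wan_ifaces for i in ifaces)
        if on_wan and _is_any(rule, "source") and _is_any(rule, "destination"):
            hits.append({"descr": rule.findtext("descr") or "",
                         "quick": _flag(rule, "quick"), "interfaces": ifaces or ["all"]})
    return hits
```

Run it against a downloaded config.xml backup (System > Configuration > Backups) to find any floating rule that would pass unsolicited WAN traffic; the interface-bound LAN rule in the sample is correctly ignored.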