General Discussion / [Answered] Firewall rules, Have I read this wrong or just doing it the hard way
« on: July 31, 2019, 09:22:50 pm »
Hi, from the reading I have done, with testing to confirm, for me when I have a Guest network and a DMZ network it seems the only way to truly lock them down is to use floating rules.
For ease of reading, in this post "Interface" refers to a logical interface set up inside OPNsense, and "Network port" refers to the physical network port (or logical port if OPNsense is virtualised) coming into the firewall from the outside world.
From what I can tell, the normal firewall rules only work on traffic received from the network port and not on traffic coming from the interfaces (e.g. inter-VLAN communication).
If I have this correct, then when creating a DMZ I prefer to be able to set this up once and know that no traffic can get to this network or come out of this network once it has been set.
With the standard rules on the DMZ interface I can make sure no traffic can go to any other network, but I can't stop other traffic coming in; this needs to be done on each other interface.
This means that whenever a new interface is created I need to remember all the networks that need to be isolated and create new rules for them to make sure they stay isolated.
Have I got this correct?
For now I've flicked over to floating rules for these networks and basically said that any traffic going to this network that is not from this network is blocked.
Is this the best way, or am I looking at this old school?
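The two approaches the post contrasts, written out as raw pf.conf syntax rather than the OPNsense GUI; this is an added example, not from the original post or from OPNsense, and the interface names and subnets are assumed placeholders.

```pf
# Assumed layout: vtnet1 = LAN, vtnet2 = Guest, vtnet3 = DMZ (placeholders)
lan_net   = "192.168.10.0/24"
guest_net = "192.168.20.0/24"
dmz_net   = "192.168.50.0/24"

# Per-interface approach: pf evaluates "on <if>" rules only for packets
# entering that interface, so each interface needs its own rule and a
# new interface added later is unprotected until one is written for it.
block in log quick on vtnet1 from $lan_net   to $dmz_net
block in log quick on vtnet2 from $guest_net to $dmz_net

# Floating equivalent: no "on" clause, so the rule is matched on every
# interface, present and future. "quick" stops evaluation at this rule,
# so a later interface-specific "pass" cannot override it. The "!"
# negation keeps DMZ-internal traffic unaffected.
block in log quick from ! $dmz_net to $dmz_net
```

Because pf is stateful, return packets for a connection the DMZ itself initiated are matched by the existing state entry before rules are consulted, so the floating block only stops new connections into the DMZ.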

