Messages

Hi, good ask. From my point of view there is not one way to go. There are multiple roads to follow, just what you like most.
I'm no pro on this topic, but after my extended search/reading/trying; I came to this setup:

Opnsense with Adguard Home plugin + as upstream DNS Opnsense Bind (with DNSSEC) (with NO DNS Forwarders)

This way only the DNS Root servers get queried, and not one DNS server has all your queries, most privacy other than with DoH DoT DNSCrypt.

to be sure: After you changed the hit from allow to drop, you have to go to [intrusion detection - administration - rules] and hit [Apply]
have you done that?

+1 i'm curious about the developments also. This is very useful when using an open wifi, e.g. at the airport, and not being able to use a vpn on it to securely connect to your home devices, email etc. 

I still have the CSV file that was exported and imported. In this file this rule isn't there. (And nobody would like to have such a rule ;-))

Makes no sense to me. What does this dump?

# pluginctl -g filter.rule


Cheers,
Franco

when I run this now I get:

pluginctl -g filter.rule
[]

this was in the export file I made of the old rules with the added magic appeared rule, before deleting it:

Code Select Expand

@uuid,enabled,statetype,state-policy,sequence,action,quick,interfacenot,interface,direction,ipprotocol,protocol,icmptype,icmp6type,gateway,replyto,disablereplyto,log,allowopts,nosync,nopfsync,statetimeout,max-src-nodes,max-src-states,max-src-conn,max,max-src-conn-rate,max-src-conn-rates,overload,adaptivestart,adaptiveend,prio,set-prio,set-prio-low,tag,tagged,tcpflags1,tcpflags2,categories,sched,tos,shaper1,shaper2,description,source_not,source_net,source_port,destination_not,destination_net,destination_port
3af43003-284b-4680-ab3f-faffe9391068,1,keep,,1,pass,1,0,opt3,in,inet46,any,,,,,0,0,0,0,0,,,,,,,,,,,,,,,,,,,,,,,,0,any,,0,any,
I think the export / import tool seems to do something when there is an error mentioned. If I interpreted the various notifications around this on the forum correctly.

This looks related also:
https://forum.opnsense.org/index.php?topic=50651.0

I have my imported CSV list still here and looked through them. There is no allow all rule there.
Since I have all the rules with a description it was easy to see that there was none without one like the screen capture above.
When searching for WAN I did not find an allow all rule.

Maybe you can replicate this also for this out of the blue rule.

Found it! Some little bug. Thanks Patrick.
Your simple "there must be some rule allowing this" made me wonder if the deleting of the old rules has done its job or not.

And there I went through the old interface rules and there was one rule left on WAN! So the delete all (old)rules with [Remove all legacy rules] in the wizard, did not do it all. Maybe a bug there? The wizard forgot to remove one by rather just adding an important one you do not want to have!

IPv4+6 *    *    *    *    *    *    *           

Here are the top rules for wan
There is no allow for Opnsense GUI 444 or SSH 22 in the WAN rules.

I found an export as CSV button on the bottom right of the (WAN)rules. When I export this and search for 444 to find the Opnsense Gui port 444 rules, I only find my created own block rule on WAN and on LAN my created allow as "anti lockout" rule.

So with the WAN block rule for the OPNsense GUI port, I closed the external exposure of the Login page.
But I did not have to do this before, I did not wanted to have the OPNsense gui externally exposed.
And the same for the SSH port 22 that I had to add a block rule for on WAN also.
Is there something I can look at, what is not already done? To narrow this further down

Ok, narrowed it further down. It has something to do with the new WAN rules than(?) The block rule on top there did not work, but:

When I add a block rule in the [Any floating] section with a block rule for the OPNsense GUI port on WAN ->port closed!

N.B. found an error in my wan rule. I used source port instead of destination port as with the floating rule. now Opnsense GUI port is blocked with the WAN block rule on top.

Humm. good guess to test..
Disabled Nginx completely. no longer the 403 Forbidden, but the OPNsense gui login page is there.

I did another reboot, no difference.
See the screencapture of the interfaces - lan is there.

I have now (as a last resort) added a HTTP server for the wanip:GUI port in Nginx with no locations to get an 403 Forbidden if you enter the wan ip externally.

I have added a block rule on wan for SSH port 22 (below my created block GUI port that did not work), the ssh port is now externally no longer open.
So i closed this down to the opnsense gui port externally.

disabled the anti-lockout rule.
I checked Firewall: NAT: Destination NAT
and the two rules on top are gone.

still OPNsense gui reachable.
all dubbel checked, on 5g (wifi disabled), no vpn.
tried an other laptop with extrnal vpn to the wan ip and also gui reachable.

I have not changed my lan or wan interface during upgrade or after converting to the new ones and removing the old rules.
When I try to disable the anti-lockout rule, I can not, it is not "clickable" / "editable" (?) and stays enabled