what exactly is "This Firewall" as a destination?

Started by Steve28, May 30, 2020, 07:32:40 PM

Is it all IPs associated with each interface?

If I have an IoT network and I have a firewall rule set to block any to "This firewall" does that have downsides I need to workaround?

"This firewall" is all addresses assigned to your firewall. You can check them in firewall/diagnostics/pfTables. There should be two autogenerated aliases: one for IPv4 and one for IPv6.

As long as your IoT network does not need any services running in your firewall (DNS, NTP, proxy), there should not be any problems when blocking.
But best is to work with whitelisting instead blacklisting. Just allow what you need, everything else gets blocked by default rule.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Quote from: hbc on May 30, 2020, 11:11:28 PM
You can check them in firewall/diagnostics/pfTables. There should be two autogenerated aliases: one for IPv4 and one for IPv6.

Hmm... It's not there on my system

It shouldn't be either. "This firewall" translates to "self" for pf; as explained in "man pf.conf", it resolves to

Quote
...or the self keyword, in which case all addresses assigned to the interface(s) will be added to the table.

I don't think we have a topic yet about these special nets in our docs.

So if I am configuring the firewall rules for LAN, for example, in those rules "This Firewall" would be all of the addresses assigned to the LAN interface?

As well as other addresses assigned to this machine's other interfaces (WAN address, for example).

I understand, thank you.

Maybe you can offer a suggestion then. I am trying to properly firewall an IoT network. I would like the devices to have unrestricted access to the internet, but not be able to access the LAN, or the OPNsense GUI, SSH on the router, etc.

I have two networks: LAN and IoT. For the IoT network I have these rules:

- Pass from any UDP to IoT address port 53 (for DNS)
- Block from any to LAN net
- Block from any to This Firewall
- Pass from IoT net to any (internet access)

Which seems to do what I want, but the only issue is there seems to be a bunch of ICMP packets aimed at the IoT address.  I'm assuming some of my devices are pinging for connectivity or similar.  Should I just ignore that or let just ICMP stuff in?

To be honest, quite often I just drop icmp in these situations too, although icmp packets are also used to send network status updates (such as the ones for PMTUD).
If everything works as expected, I probably wouldn't be too worried, if you experience transfer issues (with larger packets), you might want to consider allowing at least some icmp traffic.
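The IoT ruleset posted above, plus the "at least some icmp" the last reply suggests, written out as the pf.conf that "This Firewall" ultimately compiles to. This is an added example, not from the thread or from OPNsense itself; the interface name, the LAN network and the table name are assumptions.

```pf
# Added example (not from the thread): the IoT ruleset as pf.conf.
# Interface name, LAN network and table name are assumptions.
iot_if  = "igb2"
lan_net = "192.168.1.0/24"

# "self" expands to every address on every interface of this host,
# which is why "This Firewall" also covers the WAN address.
table <this_firewall> const { self }

# "quick" mirrors OPNsense rule ordering: the first match wins.

# 1. DNS from IoT devices to the firewall's own IoT address only.
pass in quick on $iot_if inet proto udp \
    from ($iot_if:network) to ($iot_if) port 53

# 2. Minimal ICMP to the IoT address: echo so connectivity pings to the
#    gateway succeed, unreachables so PMTUD feedback is not dropped.
pass in quick on $iot_if inet proto icmp \
    from ($iot_if:network) to ($iot_if) icmp-type { echoreq, unreach }

# 3. No path into the LAN and none into any firewall address
#    (placed after the DNS/ICMP passes so those still work).
block in quick on $iot_if from any to $lan_net
block in quick on $iot_if from any to <this_firewall>

# 4. Everything left is internet-bound; keep state so replies return.
pass in quick on $iot_if from ($iot_if:network) to any keep state
```

Because the block on `<this_firewall>` sits after the DNS and ICMP passes, moving those two rules below it would silently break name resolution for the IoT devices, which is the ordering trap the thread's rule list avoids.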