OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Potentially conflicting firewall direction instructions?
« previous next »
  • Print
Pages: [1]

Author Topic: Potentially conflicting firewall direction instructions?  (Read 1626 times)

shallpion

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
    • View Profile
Potentially conflicting firewall direction instructions?
« on: May 23, 2020, 07:27:20 am »
Hi, thanks for reading my post :) I am using OPNsense 20.1.7-amd64 and I notice that in the Firewall->Rules->LAN (could be any interface), if I edit any rule and also click the small "i" icon next to "Direction" tab, an instructional message appears:

Quote
Direction of the traffic. The default policy is to filter inbound traffic, which sets the policy to the interface originally receiving the traffic.

However if I read the online manual https://docs.opnsense.org/manual/firewall.html, it says

Quote
our default is to filter on incoming direction. In which case you would set the policy on the interface where the traffic originates from.

I think if I understood it correctly, the one on the web interface sounds correct and the online manual perhaps is a little misleading. Should this be fixed? Thanks :)
« Last Edit: May 23, 2020, 07:33:46 pm by shallpion »
Logged

shallpion

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
    • View Profile
Re: Potentially conflicting firewall direction instructions?
« Reply #1 on: May 23, 2020, 07:47:39 pm »
Ok so after reading the book "Building firewall with OpenBSD and pf" and did some experiment on my opnsense box, I think in some sense both quotes are correct. Here is a quote from the book regarding "direction"

Quote
8.1.3 Inbound or Outbound (in, out)?

The next required keyword that appears after either the block (followed by optional drop, return-icmp, return-icmp6, return-rst,or return keywords) or the pass keyword is the direction keyword.There are two direction keywords you can use: in or out. They are known to cause some confusion, especially when the firewall is equipped with more than one network interface, and when NAT rules are used along with filtering rules.The key to understanding when a packet matches either the in or the out rule is remembering that these directions are relative to the firewall itself. Ifa packet is sent from an external host to the firewall, it matches the in rule on the firewall external interface; when it is sent from the firewall itself, it matches the out on the external interface. Similarly, packets sent from internal hosts to the firewall and destined to external hosts will match in rules on the interface connecting your private network segment to the firewall and out rules on the firewall external interface.

I think my original confusion was that, exactly as the book says, "in" and "out" is relevant to the firewall as a system, not the interface the traffic is passing. So the online manual in this sense can certainly be interpreted as "the traffic originates from interface IF1 because that is where the traffic is received by the firewall box"
« Last Edit: May 23, 2020, 08:06:44 pm by shallpion »
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Potentially conflicting firewall direction instructions?
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2