Does floating rule without select any interface in rules apply to all interface?

[hsu]

Hello, thanks for spending time to see my question. I am a new user to the opnsense and the forum and not a English native speaker, if I make any mistake please forgive me.

The question I want to ask is that does that a floating rule without choose any interface apply to all interfaces? The setting I am using of the floating rule is to control the access of firewall control port(22,80,443). I already disable the anti-lockout rule, and I use a floating rule choose LAN interface to allow access to ssh and web gui, and another floating rule block all access to ssh and web gui. The question is about does that a setting without choose any interface (as in Attachment) apply to all interface? By trying to access from other interface and see the live log the answer seems is positive, but I can’t find any information in the document about whether it is a right way to setting. So I’m worry about if it will be change behavior after a update in the future or just my test is wrong and it did not block any traffic.

Update: This question in the subject title has been [SOLVED] but the title is too long to add the tag.

[Fright]

yes, apply to all interfaces
(see "PACKET FILTERING" section https://www.freebsd.org/cgi/man.cgi?pf.conf)
you can see the actual rule syntax in Firewall: Diagnostics: Statistics#rules

[hsu]

To Fright:
Thanks for your reply. I try to find to floating rules in Firewall: Diagnostics: Statistics#rules, and I think these should be the floating rules I am setting:

@89 block drop in log quick inet proto tcp from any to (self:6) port = https label "cf71bd279bf362b692660bb2087a81a9"
@90 block drop in log quick inet6 proto tcp from any to (self:6) port = https label "cf71bd279bf362b692660bb2087a81a9"
@91 block drop in log quick inet proto udp from any to (self:6) port = https label "0001e43c0bef4ff4e9024fe574d42dff"
@92 block drop in log quick inet6 proto udp from any to (self:6) port = https label "0001e43c0bef4ff4e9024fe574d42dff"
@93 block drop in log quick inet proto tcp from any to (self:6) port = ssh label "b44abaa9b56f07027e164eec809d325e"
@94 block drop in log quick inet6 proto tcp from any to (self:6) port = ssh label "b44abaa9b56f07027e164eec809d325e"
@95 block drop in log quick inet proto udp from any to (self:6) port = ssh label "177759f6467fe65f14333f0313a2577d"
@96 block drop in log quick inet6 proto udp from any to (self:6) port = ssh label "177759f6467fe65f14333f0313a2577d"
@97 block drop in log quick inet proto tcp from any to (self:6) port = http label "0db008d6c8271e5489cbc5041e7ffbc0"
@98 block drop in log quick inet6 proto tcp from any to (self:6) port = http label "0db008d6c8271e5489cbc5041e7ffbc0"
@99 block drop in log quick inet proto udp from any to (self:6) port = http label "423204b862c056f9cc6bff5c305bcf5c"
@100 block drop in log quick inet6 proto udp from any to (self:6) port = http label "423204b862c056f9cc6bff5c305bcf5c"

According the Manual Pages in the url, I find these statement:

PACKET FILTERING
...
PARAMETERS
     The rule parameters specify the packets to   which a   rule applies.  A
     packet always comes in on,   or goes   out through, one interface.  Most pa-
     rameters are optional.  If   a parameter is specified, the rule only   ap-
     plies to packets with matching attributes.    Certain parameters can   be ex-
     pressed as   lists, in which   case pfctl generates   all needed rule   combi-
     nations.
...
on   <interface>
      This   rule applies only to packets coming in on, or going out
      through, this particular interface or interface group.  For more
      information on interface groups, see   the group keyword in
      ifconfig.

So if I did not make mistake, it seems that if I do not choose any interface, the opnsense will not add the "on   <interface>" parameter into the rule. Then according the way PF deal the rule, when no "on <interface>" parameter is provided, the rule will apply to all interface.

Forgive me if I miss something. I have another question: does the way I use it follow the standard?  Is it possible opnsense change the actual rule it generate when no interface is choose in the future(for example, add a "on <interface>" parameter and with no interface was written and make the rule did not apply to any interface)?

Thanks again for your reply.

[Fright]

I have another question: does the way I use it follow the standard?

in part of using interfaces field - yes )
(I cannot reason about the meaning of the rules shown without knowing the purpose.)

Is it possible opnsense change the actual rule it generate when no interface is choose in the future

dont think so
you can always check the code (its opensource, right?  )

https://github.com/opnsense/core/blob/7c251db7207f6499dc094375e6a1b06f6f12346c/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php#L315
"rule constructor" will just add "" instead of "on {something}" if there is no interfaces selected

if something unexpected happens (allowing traffic that was expected to be blocked or vice versa) a good starting point is to enable logging for the default rules (System: Settings: Logging) and monitor firewall logs (Firewall: Log Files: Live View) imho

[hsu]

To Fright:
Thanks again for your reply.

in part of using interfaces field - yes )
(I cannot reason about the meaning of the rules shown without knowing the purpose.)

The purpose I use these rules is to only allow access to web gui and ssh of the firewall on the LAN interface. I have use a NIC assigned with LAN and will only connect it to a PC when I need to change the configuration of opnsense. I use some floating rules choose the LAN interface to allow LAN net to connect to this firewall tcp port 22, 80, 443.
Then I add some rule without choose interface(my purpose is to use them on all interface) to block the access of this firewall ipv4 and ipv6, tcp/udp port 22, 80, 443. As in the attachment, the first four rules choose LAN interface and LAN net, the others did not choose interface and apply to any ip.(it seems will not show the interface in this web page, it is not a problem anyway, I can still see the interface I choosed when I edit the rule.) And things seems works great for now but then I have the question of the interface it apply to.
Thanks to your answer I think I have no problem about it now.

dont think so
you can always check the code (its opensource, right?  )

https://github.com/opnsense/core/blob/7c251db7207f6499dc094375e6a1b06f6f12346c/src/opnsense/mvc/app/library/OPNsense/Firewall/Rule.php#L315
"rule constructor" will just add "" instead of "on {something}" if there is no interfaces selected

Thank for tell me where can I see the sourcecode. I did not quite know the php program language actually. I think maybe I can have a chance to learn it in the future.
Thank you for your reply. You help me a lot!

[chemlud]

...
The purpose I use these rules is to only allow access to web gui and ssh of the firewall on the LAN interface.
...

Make the GUI listen only on LAN, allow acces to SSH and HTTPS (might be an alias like "Service_ports_allowed") at LANaddress only for the client(s) you want to have access. To be on the very safe side block access to HTTPS on other interfaces to the opnsense. Much safer than an allow rule for one interface on floating, imo...

[hsu]

To chemlud:
Thanks for your suggestion.
The reason I let the entire LAN net ip to access on the LAN interface is because I will only plugin the rj45 ethernet cable to that one NIC on firewall with only one PC during the time I need to Configure the opnsense(PC NIC to Firewall NIC). I do enable the dhcp on the LAN interface so if I change different computer I can connect to it quickly. Maybe this give other risk? I'm not sure actually.
Alias of ports seems a good idea. Maybe I can try it later.
Only listen only on LAN is sounds great maybe I can apply it for now. I just afraid that I will need to use it on the other interface in the future.

I will block the connection in the other interfaces, but the reason I want to use the floating apply to all interface to block it is because according to the document the floating rule will apply first, so I think if I make some unexpect wrong setting on each interface, it will always block by the floating rule first. But if I use that way, I will need a rule before it to allow access of LAN.

[chemlud]

Enable DHCP, reserve an IP based on MAC (and enable static ARP) and allow access to GUI/ssh only for this IP (and a backup machine with another MAC. Or use a USB-RJ45 as a key to your router, that can be used on different machines). An additional layer of security.

[hsu]

To chemlud:

Enable DHCP, reserve an IP based on MAC (and enable static ARP) and allow access to GUI/ssh only for this IP (and a backup machine with another MAC. Or use a USB-RJ45 as a key to your router, that can be used on different machines). An additional layer of security.

Thank you for telling me a way to hardened the security. I think maybe I can try to use it in someday. The reason I think I will not need it for now is because the machine is in a safe place. And the rules will mainly use to block the client from the other interfaces (NIC of WAN,OPT1... and VPN). But as I read in the Openvpn website "one should never place so much trust in a single security component" a addition security seem always be good, so maybe I can try to use it if in needed.