[solved] combine aliases for access control on forwarded port?

Started by BISI Sysadmin, September 14, 2021, 01:17:13 AM

I have a (well one of many) opnsense community edition with a particular new need.
Version info:
Quote
OPNsense 21.7.2_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

We have port 443 forwarded and access controlled using GeoIP. It greatly reduced the log noise, and the slow-moving brute force attacks that every so often triggered the mail server's auto-lockout defences. We do need to allow this access to a wide range of local IP addresses (various ISPs, plus people do travel and want to check their work mail while away). This has been an acceptable compromise 'til now.

The client has now signed up for a CRM service that requires 3 addresses from the Amazon cloud to also have access to port 443. The vendor has not been particularly impressive in their grasp of technical detail, and proposing access via a custom port (limited only to them) was met with consternation and a clear lack of knowledge of whether it was even possible.

Is there a way to set up an alias that allows both the GeoIP and the CRM addresses?

I have been unable to figure this out from the documentation, and from just playing with my Dev firewall.

Some other method would be acceptable. The mail server is Zimbra OSE, and implementing 2FA is in the works, but until then I'm hoping for an extra layer from the firewall.

Thanks in advance!
d.

Quote
Is there a way to set up an alias that allows both the GeoIP and the CRM addresses?
"Network group" alias type?

Or just create two firewall rules, one for each separate alias.
2x 25.1.9 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

Quote from: sorano on September 14, 2021, 08:41:11 AM
Or just create two firewall rules, one for each separate alias.

This is essentially what I did.  The vendor eventually gave us a list of 130 possible IP addresses (all apparently owned by Amazon).  I made an accept rule for these IP addresses for the necessary ports and placed those first.

Then I placed the block "invert-source" GeoIP rule (block if not from the chosen GeoIP areas). Then the rest of the firewall rules.

So, thanks!
d.
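The rule ordering described in the last post, modelled as an added example (not code from the thread or from OPNsense): OPNsense rules match first-hit, so the vendor accept rule must sit above the inverted GeoIP block, and swapping the two makes the GeoIP block swallow the vendor addresses. All address ranges below are constructed documentation ranges standing in for the real vendor and GeoIP aliases.

```python
"""First-match evaluation of the port-443 rule set from the thread.

Added example, not from the thread or OPNsense. Addresses are constructed
RFC 5737 documentation ranges, not the vendor's or any GeoIP database's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed aliases standing in for the two aliases discussed in the thread.
CRM_VENDOR = (ip_network("203.0.113.0/24"),)      # the vendor's cloud addresses
GEOIP_ALLOWED = (ip_network("198.51.100.0/24"),)  # the chosen GeoIP areas


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    sources: tuple         # alias contents
    invert: bool = False   # OPNsense "invert" on source: match if NOT in alias
    port: int = 443

    def matches(self, src: str, dport: int) -> bool:
        if dport != self.port:
            return False
        in_alias = any(ip_address(src) in net for net in self.sources)
        return in_alias != self.invert


def evaluate(rules, src, dport=443):
    """Return the action of the first matching rule, or "continue" when none
    of these rules match and evaluation falls through to the rest of the set."""
    for rule in rules:
        if rule.matches(src, dport):
            return rule.action
    return "continue"


# Order the OP settled on: vendor accept first, then the inverted GeoIP block.
WORKING_ORDER = (
    Rule("pass", CRM_VENDOR),
    Rule("block", GEOIP_ALLOWED, invert=True),
)
# The same two rules reversed: the GeoIP block now matches the vendor too.
BROKEN_ORDER = tuple(reversed(WORKING_ORDER))

if __name__ == "__main__":
    for src in ("203.0.113.7", "198.51.100.9", "192.0.2.44"):
        print(src, "working:", evaluate(WORKING_ORDER, src),
              "broken:", evaluate(BROKEN_ORDER, src))
```

A source inside the GeoIP areas returns "continue" because neither rule matches it; it is handled by the pre-existing rules further down, exactly as in the thread.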