Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
how to block all internet traffic
« previous
next »
Print
Pages: [
1
]
Author
Topic: how to block all internet traffic (Read 1829 times)
RobLatour
Full Member
Posts: 132
Karma: 7
how to block all internet traffic
«
on:
September 13, 2023, 03:56:19 pm »
I have three interfaces: WAN, LAN and LAN_IOT.
What is the best way to block all internet traffic to LAN and LAN_IOT while still allowing traffic between and within LAN and LAN_IOT?
Logged
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: how to block all internet traffic
«
Reply #1 on:
September 13, 2023, 04:33:52 pm »
If you have no allow rule or NAT port forward on WAN this is already the case.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RobLatour
Full Member
Posts: 132
Karma: 7
Re: how to block all internet traffic
«
Reply #2 on:
September 13, 2023, 07:11:06 pm »
I don't have a no allow rule on the WAN; what does this look like?
Logged
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: how to block all internet traffic
«
Reply #3 on:
September 13, 2023, 07:12:13 pm »
If you have no rule that says "allow" ...
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RobLatour
Full Member
Posts: 132
Karma: 7
Re: how to block all internet traffic
«
Reply #4 on:
September 13, 2023, 10:05:04 pm »
I'm not sure what you mean. By 'allow' I assume you mean 'pass', and I have only one firewall rule for my WAN interface that provides for a specific pass ...
yet all my LAN and LAN_IOT devices have internet access.
What I am looking for is a rule (or set of rules) that I would enable/disable in order to enable/disable internet access to my devices on the LAN and LAN_IOT interfaces.
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: how to block all internet traffic
«
Reply #5 on:
September 13, 2023, 10:21:54 pm »
you need that one rule in the relevant interface i.e. LAN_IOT. There the rule (if exists):
action: pass
interface: LAN_IOT
direction: in
tcp version: what you use
protocol: any
source: LAN_IOT net
destination: any
gateway: default
This is what says any traffic from this network coming into this networ's interface on the firewall: pass.
This is equivalent to the "allow" all in rule. Here is where you allow or deny the traffic to get out of this network, and on its way to another, like the internet.
When set to enabled, traffic goes out to the internet. When you disable it, it stops.
Logged
Patrick M. Hausen
Hero Member
Posts: 6825
Karma: 573
Re: how to block all internet traffic
«
Reply #6 on:
September 13, 2023, 11:28:02 pm »
You asked to block "Internet to LAN". As I wrote this is the case by default. If you want to block "LAN to Internet" refer to @cookiemonster's post.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
RobLatour
Full Member
Posts: 132
Karma: 7
Re: how to block all internet traffic
«
Reply #7 on:
September 14, 2023, 12:54:37 am »
Thank you that helped.
Also, I watched this video which is also slowly helping me put the pieces together:
https://www.youtube.com/watch?v=dLUffHxnsIQ
I have always had trouble understanding the whole firewall 'in' and 'out' direction thing, even though I know its from the perspective of the firewall.
As an example, from the way I saw it, when Computer A (say on my network) talks to another Computer B (say someplace on the Internet) there is a lot of back and forth. For example (rightly or wrongly) I felt that if Computer A wants to download a file from Computer B, then traffic needs to go from Computer A to Computer B to request the download, and then a lot of traffic travels from Computer B to Computer A as the file downloads (but even in that case as the download proceeds Computer A is likely sending a little traffic to Computer B - in acknowledging packets received).
As such I thought that there would have to be both 'in' and 'out' rules defined in the firewall to allow for the traffic to flow between Computer A and Computer B; the in rule to have traffic come into the firewall and on to Computer A to receive the downloaded file, and the out rule to have traffic go out of Computer A and the firewall request it.
This however (and please correct me if I am wrong) does not seem to need to be the case. You only need to establish 'in' rules, which allow one computer to instigate a communication with another.
So in the case above, I would just need one 'in' rule to allow Computer A to reach computer B and make the request, and then if Computer B starts sending a download file that Computer A requested all is fine.
«
Last Edit: September 14, 2023, 01:17:32 am by RobLatour
»
Logged
passeri
Full Member
Posts: 100
Karma: 4
Re: how to block all internet traffic
«
Reply #8 on:
September 14, 2023, 01:32:31 am »
Hi RobLatour, instead of worrying about the individual traffic flows, think of
sessions
. Based on the normal rules covered by PM Hausen and Cookiemonster, your LAN device can initiate a session which allows a file to be downloaded to it, strictly within the session. The external system cannot initiate such a session (given the WAN Deny which is the default). Therefore you need no rules beyond that default WAN Deny for things to operate as you wish.
To extend it a bit, if you had a server then for particular designated ports a session could be initiated from the internet to the server. Sessions can not occur except as
initiation
(usually IN to the firewall) is permitted, and no additional rules are needed.
Edit: Well, deriving the session concept helped me to understand the INs and OUTs of Block and Allow, anyway.
I have some technical knowledge but am otherwise pretty new to firewalls myself so I know from where you come.
«
Last Edit: September 14, 2023, 01:37:22 am by passeri
»
Logged
RobLatour
Full Member
Posts: 132
Karma: 7
Re: how to block all internet traffic
«
Reply #9 on:
September 14, 2023, 02:28:32 am »
Also very helpful. Thank you.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
how to block all internet traffic