OPNsense Forum » English Forums » General Discussion
am I too dense to figure out how firewall rules are supposed to work
Topic: am I too dense to figure out how firewall rules are supposed to work (Read 851 times)
proutfoo
Newbie
Posts: 8
Karma: 0
am I too dense to figure out how firewall rules are supposed to work
« on: March 10, 2024, 04:42:41 am »
I am trying to block traffic for some port forwards I have created. I have a port forward I generally want to be accessible from the Internet, however I have some abusers that I want to block.
I read that NAT and port forwarding is done first. Noted.
The port forwarding works. If I create an inbound floating rule or an inbound rule on the WAN that blocks the abusers, they can still access the port forward.
The only "solution" I have come up with is, instead of doing a port forward for "*" (any), to use an inverted match on the source address: a port forward for an inverse match on an Alias I created that has the list of hostnames I want to block.
This seems an overly complex way to do a port forward for all but 3 or 4 IP addresses.
I would have assumed, in my overly simplistic world, that you could create an inbound rule that blocks these abusers before the NAT permit rule; however, since port forwarding and NAT are done before everything else from my understanding of the docs, is what I described the only way to have exceptions to a port forward?
Thanks for making me less clueless on this matter.
yourfriendarmando
Full Member
Posts: 103
Karma: 8
Re: am I too dense to figure out how firewall rules are supposed to work
« Reply #1 on: March 10, 2024, 09:18:20 am »
I remember going through this exercise learning how NAT is implemented and secured for Opnsense.
Example: My NVR
For good clean abstraction, let's make some Aliases (Firewall > Aliases):
Host Alias: nvr_host (Populate with IP address or full name like nvr.mynet.lan)
Port Alias: nvr_ports_internal : Port numbers or range
Port Alias: nvr_ports_external : Port numbers or range
(The internal and external ports could be one identical port alias; I recommend you move the ports to a high random number (highest: 65535).)
Now Create the NAT rule (Firewall > NAT > Port Forward):
Interface: WAN, or WAN interface group
TCP: IPv4
Protocol: TCP/UDP
Source: Any Host, Any:Any Port Range
Destination: Any
Destination port range: nvr_ports_external
Redirect Target IP: nvr_host
Redirect Target Port: nvr_ports_internal
Description: Give it a nice name
NAT Reflection: Disable
Filter rule association: None (We will create the security firewall rule on our own below)
Create some more aliases:
incoming_allow_asn (BGP ASN)
incoming_allow_hosts (Host(s))
incoming_allow_nets (Network(s))
incoming_allow_Agroup (Network Group)
Add the above asn, hosts, and nets alias to this group
These will be used to load a rule with things to explicitly allow access to the service
Alternatively (if you're lazier), create an incoming_allow_countries alias and allow just your own country's worth of IPs in.
incoming_block_asn (BGP ASN)
incoming_block_hosts (Host(s))
incoming_block_nets (Network(s))
incoming_block_Agroup (Network Group)
Add the above asn, hosts, and nets alias to this group
These will be used to load a rule with things to explicitly block
Secure the NAT rule in the firewall (Firewall > Rules > Floating or WAN):
Create a simple block rule, which should be above the allow rule so it is hit first on a match
Action: Block
Interface: WAN or Leave un-selected for any interface if Floating Rule
TCP: ipv4
Proto: Any
Source: incoming_block_Agroup
Adv Source Port range: Any:Any
Destination: Any
Description: Block abusers, or something
Create the allow rule, make sure it is under the Block rule
Action: Pass
Interface: WAN or Leave un-selected for any interface if Floating Rule
TCP: ipv4
Proto: TCP UDP TCP/UDP ...
Source: incoming_allow_Agroup
Destination: nvr_host
Destination Port Range: nvr_ports_external (or nvr_ports if identical to internal)
Optional: You can set a priority if it is a high-priority service, or something to slow down if it is a busy firewall
That should be it; hopefully this can serve as a template. It's very specific, but it covers plenty, and we don't create open services that often once they are set well the first time.
proutfoo
Newbie
Posts: 8
Karma: 0
Re: am I too dense to figure out how firewall rules are supposed to work
« Reply #2 on: March 11, 2024, 06:31:05 pm »
Hm, ok, so the trick is to not have a firewall rule attached to that NAT configuration. I'll try that, thanks.
yourfriendarmando
Full Member
Posts: 103
Karma: 8
Re: am I too dense to figure out how firewall rules are supposed to work
« Reply #3 on: March 13, 2024, 05:11:20 am »
You did give me the idea to create aliases and a block rule that works like a FAIL2BAN list. I have now rolled in this sort of feature into my template images for my clients.
incoming_block_asn (BGP ASN)
incoming_block_hosts (Host(s))
incoming_block_nets (Network(s))
incoming_block_Agroup (Network Group)
And a WAN or Floating rule using the Group above your listening NAT services.
I was curious about what the API could do, and I like this feature giving you the ability to load the Hosts alias with IPs you want to deny access, to cut into an allow-in rule that is slightly permissive.
Add host IPs to block:
curl -X POST -d '{"address":"ww.xx.yy.zz"}' -H "Content-Type: application/json" -k -u "yourOwnApiKey:YourOwnApiSecret" "https://<fwIP>:<fwPort>/api/firewall/alias_util/add/incoming_block_hosts"
Hit [Apply] on Aliases:
curl -X POST -d '{}' -H "Content-Type: application/json" -k -u "yourOwnApiKey:YourOwnApiSecret" "https://<fwIP>:<fwPort>/api/firewall/alias/reconfigure"
You might have to sever an active connection from someone you just blocked:
Reset FW states:
curl -X POST -d '{}' -H "Content-Type: application/json" -k -u "yourOwnApiKey:YourOwnApiSecret" "https://<fwIP>:<fwPort>/api/diagnostics/firewall/flushSources"
curl -X POST -d '{}' -H "Content-Type: application/json" -k -u "yourOwnApiKey:YourOwnApiSecret" "https://<fwIP>:<fwPort>/api/diagnostics/firewall/flushStates"
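The three curl calls in Reply #3 (add to alias, apply aliases, flush states) are the building blocks of the fail2ban-style ban list; the alias they fill is the incoming_block_hosts alias that the block rule from Reply #1 sits on, above the pass rule for the forward. The script below is an added example, not OPNsense's own tooling and not code from either poster: it wraps those same API endpoints in a small ban helper that validates the address before it is pushed into the alias (so nothing can break out of the JSON string or end up as garbage in the alias), refuses RFC 1918 and loopback addresses (a floating block rule matches on every interface, so an internal address in the list would be cut off on the LAN side too), and replaces the posted `-k` (which disables certificate verification) with an optional CA file. The environment variable names (OPN_HOST, OPN_KEY, OPN_SECRET, OPN_CACERT and so on) and the sample addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not OPNsense's own tooling, not from the posts above):
# a ban helper built on the alias_util/add, alias/reconfigure and
# diagnostics/firewall/flushStates endpoints shown in Reply #3.
#
# Assumed environment (names chosen for this script, not OPNsense settings):
#   OPN_HOST    firewall address (IP or DNS name of the web GUI)
#   OPN_PORT    web GUI port, default 443
#   OPN_KEY     API key    } generated under System > Access > Users
#   OPN_SECRET  API secret }
#   OPN_ALIAS   host alias to append to, default incoming_block_hosts
#   OPN_CACERT  optional CA file for the GUI certificate; use this instead
#               of curl -k so a MitM cannot answer for the firewall
set -eu

OPN_PORT="${OPN_PORT:-443}"
OPN_ALIAS="${OPN_ALIAS:-incoming_block_hosts}"
OPN_CACERT="${OPN_CACERT:-}"

# URL for an API path such as firewall/alias/reconfigure.
api_url() {
    printf 'https://%s:%s/api/%s' "$OPN_HOST" "$OPN_PORT" "$1"
}

# JSON body for alias_util/add. Only called after valid_ipv4 accepted the
# address, so nothing here can break out of the JSON string.
json_payload() {
    printf '{"address":"%s"}' "$1"
}

# 0 if $1 is a dotted quad with every octet in 0..255, else 1.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# 0 if $1 is RFC 1918 or loopback space. A floating block rule matches on
# every interface, so an internal address in the list would be cut off on
# the LAN side too; refuse it rather than lock an admin out.
is_private() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# POST a JSON body to the API. -f turns HTTP 4xx/5xx (bad key, unknown
# alias name) into a non-zero exit instead of a silently ignored error page.
api_post() {
    curl -sS -f -X POST -H 'Content-Type: application/json' \
        ${OPN_CACERT:+--cacert "$OPN_CACERT"} \
        -u "$OPN_KEY:$OPN_SECRET" -d "$2" "$(api_url "$1")"
}

# Ban one address: append it to the alias, apply, and drop existing states
# so a connection the abuser already has open does not outlive the ban.
block_ip() {
    if ! valid_ipv4 "$1"; then
        echo "refusing '$1': not an IPv4 address" >&2
        return 2
    fi
    if is_private "$1"; then
        echo "refusing '$1': private or loopback address" >&2
        return 2
    fi
    api_post "firewall/alias_util/add/$OPN_ALIAS" "$(json_payload "$1")"
    api_post "firewall/alias/reconfigure" '{}'
    # As in the post: flushStates drops every state on the box, not only
    # the abuser's. Fine for a one-off ban, disruptive if run by automation.
    api_post "diagnostics/firewall/flushStates" '{}'
}

# Usage: OPN_HOST=fw.example.internal OPN_KEY=... OPN_SECRET=... \
#        ./ban.sh 203.0.113.7 198.51.100.9
if [ $# -gt 0 ]; then
    for ip in "$@"; do
        block_ip "$ip"
    done
fi
```

Two operational notes. `-u "$OPN_KEY:$OPN_SECRET"` puts the secret on curl's command line, where any local user can read it from the process list; for anything beyond a one-off, keep the credentials in a netrc file and pass `--netrc-file` instead. And flushing all states, as the posted commands do, resets every connection through the firewall; with shell access to the box, `pfctl -k 203.0.113.7` kills only the states originating from that one address.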