Automatic System Generated Rules and Anti Lock Out Option

Started by triotech, January 13, 2025, 05:56:21 PM

Hi All,

I am new to OPN, coming from other FW.

One of the things I am trying to understand is the following:

A) I have installed OPN, 4 interfaces, nothing fancy, WAN, LAN, LAN1, WIFI, so far all ok, I have not changed any default option, yet.
B) Under Firewall -> Rules for each interface I find almost 15 rules created automatically by the system.

C) I have the need to add or change some rules on each interface, but this is what I find:

C1) The automatically generated rules cannot be edited
C2) If I add a rule it cannot be moved UP, I mean before the system ones

D) As much as I have searched the documentation and the forum I can't find an explanation of how this should work

E) I read about the OPTION Anti Lock Out. But is this the option that "tells" the system to generate the automatic rules?

F) If I disable the Anti Lock Out option do I lose the automatically generated rules? Do they get removed? Would I be locked out of the system?

G) How do I edit the auto generated system rules and change the order of my rules in respect to the system ones?

Thank you for your help,
Giovanni

The automatic rules that have a looking glass at the end are driven by a setting. The looking glass brings you to the setting.

I have not played with the anti-lockout setting myself but it's my understanding that it adds a port no redirect rule and a FW rule on either LAN, or opt1 (or WAN if no other interface exists). AFAIK, if you mess up with this one, the only recourse is via console option 13. This only concerns ports 22, 80 and 443 (likely adjusted if you change the GUI ports). You can roll your own version, at your own risks.

These automatic rules wouldn't be very useful if they were invalidated by rule ordering...
They are designed to maintain basic functionality.
Note that a few of them are last match (grey bolt).

Which ones are getting in your way?


I do not understand what the anti-lockout rule is good for, because it generates not a firewall rule but some obscure NAT setting. If you have a sufficiently broad "allow" rule on LAN you will always be able to access SSH and the UI. If you mess up you mess up.

I have it disabled on all of my firewalls.

The "unchangeable" automatic rules are essential for network operation at a fundamental level and I appreciate that they are even shown which many other enterprise firewall products, even my beloved Sidewinder, just don't. But there's really nothing to change there.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Wrt anti-lockout, there's also a firewall rule on the LAN or opt1 or WAN interface (whichever exists first):
Pass, in, 1st match, IPv4+6 TCP, *, *, (self), 22 80 443, *, *, anti-lockout and looking glass pointing to the setting.
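To make the "1st match" / "last match" distinction concrete (the reason a user rule cannot be moved above the anti-lockout rule, and the reason that ordering matters at all), here is a small added example, written for this thread and not taken from OPNsense's own code. It models pf's evaluation order: rules are walked top to bottom, the last matching rule wins, unless a matching rule is marked quick (first match), which ends evaluation on the spot. The rule set inside it is constructed for illustration: a first-match anti-lockout pass to the firewall itself on 22/80/443 at the top, a last-match pass for IPv6 ICMP, and a user "block all" rule below them. Whether any real automatic rule is first or last match is read off its icon in the GUI, not from this script.

```python
# Added example (not from the thread or from OPNsense): a tiny model of pf's
# rule-evaluation order. It shows why a first-match ("quick") pass rule placed
# above user rules cannot be undone by a later block rule, while a last-match
# pass rule can. All rule contents below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp", "ipv6-icmp", or "*" for any protocol
    dst: str              # "self" (the firewall itself), "*" for any, or a host
    ports: frozenset      # destination ports; an empty set means any port
    quick: bool           # True = first match wins (pf "quick"), False = last match
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls under the rule's protocol, destination and port."""
    if rule.proto != "*" and rule.proto != pkt.proto:
        return False
    if rule.dst != "*" and rule.dst != pkt.dst:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    return True


def evaluate(rules, pkt, default="block"):
    """pf semantics: walk every rule in order; the last matching rule wins,
    unless a matching rule is quick, which stops evaluation immediately."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return (winner.action, winner.label) if winner else (default, "default")


MGMT_PORTS = frozenset({22, 80, 443})

# Constructed LAN rule set: anti-lockout on top as first match, a last-match
# pass for IPv6 ICMP, and the user's own "block everything" rule underneath.
LAN_RULES = [
    Rule("pass", "tcp", "self", MGMT_PORTS, quick=True, label="anti-lockout"),
    Rule("pass", "ipv6-icmp", "*", frozenset(), quick=False, label="icmp6 (last match)"),
    Rule("block", "*", "*", frozenset(), quick=True, label="user: block all"),
]


def can_reach_gui():
    """HTTPS to the firewall itself from LAN, with the user's block rule below."""
    return evaluate(LAN_RULES, Packet("tcp", "self", 443))


def icmp6_result():
    """IPv6 ICMP to the firewall: the last-match pass is overridden by the later block."""
    return evaluate(LAN_RULES, Packet("ipv6-icmp", "self"))


def gui_if_block_were_first():
    """What would happen if the user's block rule sat above the anti-lockout rule."""
    return evaluate([LAN_RULES[2], LAN_RULES[0]], Packet("tcp", "self", 443))


if __name__ == "__main__":
    print(can_reach_gui())            # ('pass', 'anti-lockout')
    print(icmp6_result())             # ('block', 'user: block all')
    print(gui_if_block_were_first())  # ('block', 'user: block all')
```

The third function is the lockout case the automatic ordering prevents: a quick block ahead of the anti-lockout pass would win, which is exactly why the system keeps its first-match rules above anything the user adds.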

Thanks, I missed that. Still all pretty opaque :) I do not like "magic". I like explicit configuration.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

If anything is magic here, it's really the choice of the interface. The rules themselves are pretty simple.
I look at this as a shortcut to rules I'd need anyway, in one form or another...
I don't have as much experience as you do. Guardrails are fine with me.

I'm not happy about the interface that ends up being used (after I deleted LAN as part of work you inspired to get rid of untagged traffic) but I either live with it or take the risk of shooting myself in the foot later.
I didn't understand why OPN picked that interface until I found this: https://forum.opnsense.org/index.php?topic=22640.0. It might ring a bell 😉

Quote from: Patrick M. Hausen on January 13, 2025, 11:44:35 PM [...]
The "unchangeable" automatic rules are essential for network operation at a fundamental level and I appreciate that they are even shown which many other enterprise firewall products, even my beloved Sidewinder, just don't. But there's really nothing to change there.

I don't like this one hanging out at the top:
"IPv6 IPV6-ICMP   *   *   *   *   *   *   *"
I would always have the capability to cover that (or any other Source = * rule) with a block rule. The way it is now, it appears as though someone could always irritate you (assuming you have IPv6 connectivity) by sending unsolicited unreachables that penetrate your firewall.