Let's talk firewall rule order ...

Started by Patrick M. Hausen, January 29, 2026, 10:05:39 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
Today at 10:55:18 AM #15
Quote from: meyergru on Today at 09:57:48 AMOne must remember to only use allow in the group rules.

Well not necessary, I use a Block based policy as a Group. Basically I have a group with seq 0 that is above all other rules. This group is applied to all interfaces even WAN. It block stuff like:

- Qfeeds
- Malicous traffic (open source drop list)
- External DNS
- DoH & DoT DNS server (Hagezi list)
- NFS & SMB traffic
- etc.

Because this group applies as well for DDI (where the DNS server lives) one rule in this group has a source !DDI net statement to allow DDI VLAN bypass this one rule in the group and allow them to go to upstream DNS server. AS only this VLAN is allowed to do so.


Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
Today at 10:56:55 AM #16
Now that I learned how I can apply an explicit order to group rules that makes sense :-)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 11:27:11 AM #17
The sequence inside each priority group will be processed in exactly that order.

You can see it as the volatile "sort_order" field in each rule. Thats the calculated spot in the ruleset.

So if you use the sequence inside a priority group, you have indeed full control over when rules are processed in that priority group.
Hardware:
DEC740
Today at 11:39:04 AM #18
Quote from: Patrick M. Hausen on Today at 10:56:55 AMNow that I learned how I can apply an explicit order to group rules that makes sense :-)

Quote from: Monviech (Cedrik) on Today at 11:27:11 AMSo if you use the sequence inside a priority group, you have indeed full control over when rules are processed in that priority group.

I call them my little magical numbers.

But Patrick is right, this is not mentioned in the docs, even though the "sequence" gives a hint. Maybe would be great if it can be explicitly stated on the Group docs pages for us who read the docs :)

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
Today at 11:39:31 AM #19 Last Edit: Today at 12:43:08 PM by meyergru
Yes, I can shift order within multiple groups.

But what happens with rules that once where in the floating rules that apply to only one interface during migration?

AFAIU, they will become an interface rules by virtue of them having only one interface. So, say I have an "Allow all but RFC1918" rule in a restricted group rule. If a floating block rule for, say, QFeeds was in the old rules only for one LAN interface to keep clients to connect to malware sites, it would get demoted to an interface rule and overridden by the group rule allowing essentially all internet traffic.

With the group rules residing "between" floating and interface rules, the "only one interface switch" effectively causes an implicit shift of two priority levels, or am I incorrect?

That would mean I have to place block rules somewhere else (at least if they apply to one interface only). I know that does not affect you, Patrick, since you block only on WAN inbound.


P.S.: I just tested that and found that floating rules that apply to one group only get shifted to the group section...
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
Today at 11:42:29 AM #20 Last Edit: Today at 12:00:57 PM by OPNenthu
I learned about this from https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#interface-groups and is the model I currently use, just slightly customized.

I had the impression that this was well-known in the community because this guide is based on a pfSense guide which is kind of internet legend at this point as the starting point for a lot of home labbers.

Note: this guide was written before Dnsmasq became the replacement to ISC in OPNsense, so doesn't directly translate today without some modifications.

Note 2: I forgot that it doesn't explicitly discuss group sequence.  I guess I had figured it out in implementation with trial/error.
Today at 12:00:05 PM #21 Last Edit: Today at 12:07:14 PM by Seimus
Quote from: meyergru on Today at 11:39:31 AMWith the group rules residing "between" floating and interface rules, the "only one interface switch" effectively causes an implicit shift of two priority levels, or am I incorrect?

That would mean I have to place block rules somewhere else (at least if they apply to one interface only).

You are correct,

If your rule design was based on 1-interface based Floating, depending on how the rules is setup it will have an unwanted outcome during migration because as you said it will be demoted to Interface level rule.

You most likely need a redesign of the rule-set if you were dependent on 1-interface based Floating rules.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
Today at 12:11:00 PM #22
I've already written a section about the sort order but forgot to add it.

https://github.com/opnsense/docs/pull/843

This should clear things up I hope.
Hardware:
DEC740
Today at 12:18:06 PM #23
Happens, but I will be honest it was bit weird why its nowhere properly stated :D

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
Print
Go Up Pages 1 2
User actions