Default firewall rules between VLANs

Started by jbuenano, December 09, 2018, 01:00:55 AM

Hi everyone,

I am experiencing some unexpected behaviour with firewall rules between VLANs.

The scenario is the following:

A client attempts to connect to the management switch interface via ssh. The client is connected to VLAN 310 with IP address 10.20.10.175/24 and the management switch interface is connected to VLAN 300 with IP address 172.20.0.3. See attached sketch (OPNsense VLAN).

My understanding is that if firewall rules are not defined, then all traffic should be blocked by default, as specified when the interface firewall rule set is empty: "No interfaces rules are currently defined. All incoming connections on this interface will be blocked until you add a pass rule". However, I found that some traffic still makes it through, even if rules are not defined. I can even see the details of the rule that allows it:

> lan_300_mgmt <- Dec 9 07:14:18   10.20.10.175:55763   172.20.0.3:22   tcp   let out anything from firewall host itself

Looking into the information details, I found that the communication is allowed by rulenr 81, which in my configuration is:

@81 pass out log all flags S/SA keep state allow-opts label "let out anything from firewall host itself"

Please note that this configuration was created by default and I don't seem to have control over it.

I could successfully configure a firewall rule to specifically block this connection, but it would be too difficult to block all the traffic that rule @81 is allowing:

x lan_310_inside_clients -> Dec 9 07:09:25   10.20.10.174:55561   172.20.0.3:22   tcp   USER_RULE

I am finding it hard to understand why this is happening. The question is where or how I can change the configuration to ensure that all traffic is truly blocked by default, e.g. is it possible to disable the firewall rule @81 to avoid passing undesirable traffic? I am concerned that some unexpected traffic is allowed even though it hasn't specifically been configured in the firewall rules, as is happening in this example.

As a temporary quick workaround you can define a group containing all your VLANS and define an explicit block for inter vlan traffic.

Quote from: miruoy on December 10, 2018, 07:07:12 PM
As a temporary quick workaround you can define a group containing all your VLANS and define an explicit block for inter vlan traffic.

Thanks so much for the suggestion. It worked quite well, exactly as expected. I created 2x groups: one for firewall management (note that I had already ticked the setting "Disable administration anti-lockout rule", but it still allows the connections) and another for network devices management. Each has a block-all rule at the bottom of the list, restricted to only the management or firewall subnets respectively (otherwise it would block all traffic from all subnets), and then a pass rule to the specific devices which required the connections (source, destination and port).

It makes me wonder if the actual intent is to create groups to control the access as opposed to adding rules to the interfaces themselves.

Looking at the logs, there is still a huge number of pass connections from rule:

@82 pass out log route-to (em0 'WAN-IP') inet from 'WAN-IP' to ! (em0:network:1) flags S/SA keep state allow-opts label "let out anything from firewall host itself"

It does make me a bit uncomfortable not knowing exactly what is being allowed. I guess that I need to continue looking to understand how to manage them.

Good to hear this solved your issue. At least for now.

Afaik there are 3 ways you can form the logic of FW rules in OPNsense.

  • Define a rule on the interface the traffic is coming into
  • Create a floating rule that can be applied before or after all other rules, depending on whether the quick flag is activated for the rule
  • Create rules on groups of interfaces so that you are not forced to duplicate the rules on every single interface

After that you also need to take into account all the automatically created rules.

Imho the rule that you are describing should NOT let out any traffic other than traffic generated by the UTM itself. If you have solid proof that this is happening, can deliver traces, and have some time to spare for follow-up traces and testing, I would suggest creating a bug report so the devs can have a look at it.

It would also be wise to run this issue through the IRC users.
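As an added example (not code from the thread or from OPNsense), the following Python script audits constructed log entries modelled on the ones quoted above: it parses pfctl-style rule lines, picks out the "pass out" rules that carry no "on <interface>" binding (the "let out anything" family), and lists the entries such a rule passed between two different VLAN subnets, which is the traffic to review first. The 172.20.0.0/24 mask, rule @90, and the log tuple layout are assumptions.

```python
import ipaddress
import re

# VLAN subnets from the thread; 172.20.0.0/24 is assumed from the 172.20.0.3 address.
VLANS = {"vlan300_mgmt": ipaddress.ip_network("172.20.0.0/24"),
         "vlan310_clients": ipaddress.ip_network("10.20.10.0/24")}

# Rule lines in the '@N action ...' form quoted in the thread; @90 is constructed.
RULES = [
    '@81 pass out log all flags S/SA keep state allow-opts label "let out anything from firewall host itself"',
    "@82 pass out log route-to (em0 'WAN-IP') inet from 'WAN-IP' to ! (em0:network:1) flags S/SA "
    'keep state allow-opts label "let out anything from firewall host itself"',
    '@90 pass in quick on vlan310 inet proto tcp from any to 172.20.0.3 port = 22 flags S/SA keep state label "USER_RULE"',
]

# Constructed log entries: (interface, timestamp, src, dst, proto, rulenr, label).
LOG = [
    ("lan_300_mgmt", "Dec 9 07:14:18", "10.20.10.175:55763", "172.20.0.3:22", "tcp", 81, "let out anything from firewall host itself"),
    ("lan_310_inside_clients", "Dec 9 07:09:25", "10.20.10.174:55561", "172.20.0.3:22", "tcp", 90, "USER_RULE"),
    ("lan_310_inside_clients", "Dec 9 07:20:01", "10.20.10.20:40000", "10.20.10.1:53", "udp", 81, "let out anything from firewall host itself"),
]

# Captures rule number, action, direction and an optional 'on <iface>' binding.
RULE_RE = re.compile(r'^@(\d+)\s+(pass|block)\s+(in|out)(?:\s+log)?(?:\s+quick)?(?:\s+on\s+(\S+))?')

def parse_rules(lines):
    """Map rule number -> (action, direction, interface or None) from pfctl-style rule lines."""
    rules = {}
    for line in lines:
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return rules

def vlan_of(addr_port):
    """Name of the VLAN whose subnet contains the address in 'ip:port', or None."""
    ip = ipaddress.ip_address(addr_port.rsplit(":", 1)[0])
    return next((name for name, net in VLANS.items() if ip in net), None)

def audit(log, rules):
    """Return (rulenr, src, dst) for entries passed by an interface-unbound 'out' rule across VLANs."""
    hits = []
    for _iface, _ts, src, dst, _proto, rulenr, _label in log:
        action, direction, iface = rules.get(rulenr, (None, None, None))
        if action != "pass" or direction != "out" or iface is not None:
            continue  # user rule bound to an interface, or not a pass-out rule
        s, d = vlan_of(src), vlan_of(dst)
        if s and d and s != d:
            hits.append((rulenr, src, dst))
    return hits
```

Running `audit(LOG, parse_rules(RULES))` reports only the ssh session from VLAN 310 to the VLAN 300 management address passed by @81; the same-VLAN DNS entry and the interface-bound USER_RULE entry are left out.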

Thanks again,

I am used to working with ASA and Juniper firewalls, but I like the idea of using OPNsense given the flexibility it provides and how easy it is to get simple tasks done so well, e.g. DHCP, NTP servers, etc.

I most definitely will spend some time trying to verify the firewall integrity. I already installed an IDS system inside the network to ensure that no threats are passing. So far I can say that it is behaving a lot better than ASA firewalls.

I will keep the forum posted with the findings.