FireHol2 & 3 Black List - Floating Rules?

[gauthig]

Hello, I want to set up firewall rules for FireHol blacklists (combine DSheild, CIArm, Haus...) and revised the OPNSense documentation on the same subject for something like DSheild and alias.  But instead of creating a WAN, LAN and OPT individual rules, would using a floating rule with both directions be simpler and do the same?  Just not sure. 


I do see several (>120 day) posts that were unanswered similar topic, so I thought I would ask in a new thread.

[gauthig]

Ok, answering my own question - The floating rule will work great for multiple internal networks or multiple external networks but not both at the same time. 

For all Internal Interfaces, you can do one floating rule with source any and destination the Alails for the list.
For all external interfaces, one floating rule with source as the alias list and destination any.

But if you only have one external net, just put the rule on the WAN.

By the way, if you want to use firehol, make sure firehol1 is only on the external network (WAN) as RFC1918 networks are included in firehol1. 

[mimugmail]

I usually create two floating rules on top, source any, destination FireHOL and source FireHOL, destination any .. so blocking in and out on top of all

[dave]

Might be a silly question, but why not just use one floating rule across all interfaces with the direction set to any?

[mimugmail]

Source and Destination doesnt flip witj any

[dave]

d'oh
that was obvious

[hushcoden]

Sorry to resurrect an old thread, but I'm trying to understand how to proper set up floating rules.

I have one at the moment, with direction any, but it seems is wrong, right? Should i use direction IN  instead ?

I just followed this: https://www.allthingstech.ch/blocking-malicious-ips-with-opnsense/

I'm clearly confused, do I have to add a second rule ?

Source and Destination doesnt flip witj any

Then what's the meaning of direction 'any' ?

Tia.

[tiermutter]

I'm clearly confused, do I have to add a second rule ?

Sure, one rule with destination = "blocked addresses" is used for internal interfaces and prevents your clients to talk to those addresses.
The second rule is required with source = "blocked adresses" on external interfaces to prevent those addresses to talk to your clients/firewall.

Not sure what "direction = any" causes, I never used other than "in".

[hushcoden]

Sure, one rule with destination = "blocked addresses" is used for internal interfaces and prevents your clients to talk to those addresses.

Here I select my LAN interfaces ?

The second rule is required with source = "blocked adresses" on external interfaces to prevent those addresses to talk to your clients/firewall.

Here I select the WAN interface ?

Not sure what "direction = any" causes, I never used other than "in".

Direction change to 'in'

I've attached a screenshot, are those two rules correct ?

Thanks.

[tiermutter]

Yes, that looks like the rules Im using, Im just using seperated rules for each blocklist to be able to disable e.g. firehol l3 when needed as github was listed there sometimes in the past weeks.