FireHol2 & 3 Black List - Floating Rules?

Started by gauthig, August 25, 2020, 09:38:55 PM

Hello, I want to set up firewall rules for FireHOL blacklists (combining DShield, CIArmy, Haus...) and revised the OPNsense documentation on the same subject for something like DShield and an alias. But instead of creating individual WAN, LAN and OPT rules, would using a floating rule with both directions be simpler and do the same? Just not sure.


I do see several (>120 day old) posts on a similar topic that went unanswered, so I thought I would ask in a new thread.

August 25, 2020, 09:44:11 PM #1 Last Edit: August 25, 2020, 09:45:45 PM by gauthig
Ok, answering my own question - The floating rule will work great for multiple internal networks or multiple external networks but not both at the same time. 

For all internal interfaces, you can do one floating rule with source any and destination the alias for the list.
For all external interfaces, one floating rule with source as the alias list and destination any.

But if you only have one external net, just put the rule on the WAN.

By the way, if you want to use firehol, make sure firehol1 is only on the external network (WAN) as RFC1918 networks are included in firehol1. 

I usually create two floating rules on top: source any, destination FireHOL, and source FireHOL, destination any... so blocking in and out on top of all.

Might be a silly question, but why not just use one floating rule across all interfaces with the direction set to any?



November 01, 2021, 01:35:14 PM #6 Last Edit: November 01, 2021, 05:10:09 PM by hushcoden
Sorry to resurrect an old thread, but I'm trying to understand how to properly set up floating rules.

I have one at the moment, with direction any, but it seems it is wrong, right? Should I use direction IN instead?

I just followed this: https://www.allthingstech.ch/blocking-malicious-ips-with-opnsense/

I'm clearly confused, do I have to add a second rule?

Quote from: mimugmail on August 29, 2020, 06:55:49 AM
Source and destination doesn't flip with any
Then what's the meaning of direction 'any' ?

Tia.

Quote
I'm clearly confused, do I have to add a second rule?
Sure, one rule with destination = "blocked addresses" is used for internal interfaces and prevents your clients from talking to those addresses.
The second rule is required with source = "blocked addresses" on external interfaces to prevent those addresses from talking to your clients/firewall.

Not sure what "direction = any" causes, I never used other than "in".
i am not an expert... just trying to help...
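To make the two-rule reasoning above and the earlier warning about firehol_level1 containing RFC1918 space concrete, here is an added toy model of first-match rule evaluation (my own illustration, not OPNsense or pf code). It assumes simplified "quick" block semantics with no state tracking, and the address lists are small constructed stand-ins for the real FireHOL aliases; the RFC1918 entries in the level1 stand-in mirror what the thread says about that list.

```python
"""Toy model of floating block rules, to show why one source=alias rule with
direction=any is not enough and why firehol_level1 must stay off internal
interfaces. Simplified: first matching rule wins, no state table."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the FireHOL aliases (not the real lists).
# firehol_level1 includes RFC1918 space, as the thread notes.
FIREHOL_LEVEL1 = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",                                  # a listed range
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918, as in level1
)]
FIREHOL_LEVEL3 = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]


@dataclass
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" = arriving at the firewall on iface, "out" = leaving
    src: str
    dst: str


@dataclass
class Rule:
    ifaces: frozenset            # interfaces the floating rule is bound to
    direction: str               # "in", "out" or "any"
    src: Optional[List]          # alias networks, or None meaning "any"
    dst: Optional[List]
    name: str


def in_alias(addr: str, alias: Optional[List]) -> bool:
    """True if addr is covered by the alias; an alias of None means 'any'."""
    if alias is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


def matches(rule: Rule, pkt: Packet) -> bool:
    # Note: source and destination are compared as-is; "any" only relaxes
    # the direction check, it never swaps src and dst.
    return (pkt.iface in rule.ifaces
            and rule.direction in ("any", pkt.direction)
            and in_alias(pkt.src, rule.src)
            and in_alias(pkt.dst, rule.dst))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Name of the first matching block rule ('quick' semantics), or None."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name
    return None


# Sample traffic (constructed): an inbound hit from a listed address, and a
# LAN client trying to reach a listed address.
INBOUND_FROM_LISTED = Packet("wan", "in", "203.0.113.5", "192.0.2.1")
CLIENT_TO_LISTED = Packet("lan", "in", "192.168.1.10", "203.0.113.5")


def single_rule_direction_any():
    """One floating rule on all interfaces, source = alias, direction = any."""
    rules = [Rule(frozenset({"wan", "lan"}), "any", FIREHOL_LEVEL3, None,
                  "block_src_l3")]
    return (first_match(rules, INBOUND_FROM_LISTED),
            first_match(rules, CLIENT_TO_LISTED))   # second one slips through


def two_rules_direction_in():
    """The thread's recommended pair: WAN blocks by source, LAN by destination."""
    rules = [
        Rule(frozenset({"wan"}), "in", FIREHOL_LEVEL3, None, "wan_block_src"),
        Rule(frozenset({"lan"}), "in", None, FIREHOL_LEVEL3, "lan_block_dst"),
    ]
    return (first_match(rules, INBOUND_FROM_LISTED),
            first_match(rules, CLIENT_TO_LISTED))


def level1_on_lan_breaks_internal_traffic():
    """Putting the level1 alias on an internal interface also blocks LAN-to-LAN."""
    rules = [Rule(frozenset({"lan"}), "in", None, FIREHOL_LEVEL1,
                  "lan_block_dst_l1")]
    lan_to_other_lan = Packet("lan", "in", "192.168.1.10", "192.168.2.20")
    lan_to_listed = Packet("lan", "in", "192.168.1.10", "198.51.100.7")
    return (first_match(rules, lan_to_other_lan),   # collateral block
            first_match(rules, lan_to_listed))      # intended block


if __name__ == "__main__":
    print("single rule, direction any:", single_rule_direction_any())
    print("two rules, direction in:   ", two_rules_direction_in())
    print("level1 alias on LAN:       ", level1_on_lan_breaks_internal_traffic())
```

The first function shows the point made in the quoted reply: with a single source=alias rule, direction=any only widens which packets are inspected, it does not swap source and destination, so the LAN client's outbound attempt never matches. The third function shows why the level1 alias belongs on WAN only: as a destination alias on LAN it also matches ordinary RFC1918 traffic.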

November 02, 2021, 10:52:06 AM #8 Last Edit: November 02, 2021, 10:54:26 AM by hushcoden
Quote from: tiermutter on November 02, 2021, 08:59:11 AM
Sure, one rule with destination = "blocked addresses" is used for internal interfaces and prevents your clients from talking to those addresses.
Here I select my LAN interfaces?

Quote
The second rule is required with source = "blocked addresses" on external interfaces to prevent those addresses from talking to your clients/firewall.
Here I select the WAN interface?

Quote
Not sure what "direction = any" causes, I never used other than "in".
Direction changed to 'in'.

I've attached a screenshot, are those two rules correct?

Thanks.

Yes, that looks like the rules I'm using. I'm just using separate rules for each blocklist to be able to disable e.g. firehol l3 when needed, as GitHub was listed there sometimes in the past weeks.
i am not an expert... just trying to help...