Automatically generated rules - allow any to any?

Started by nerd, March 25, 2024, 04:54:47 PM

For every VLAN, including WAN, my FW has automatically created the following rule (hidden under the "Automatically generated rules" pulldown menu).


Protocol  Source  Port  Destination  Port  Gateway  #  Schedule  Description
IPv4+6    *       *     *            *     *        *  *         let out anything from firewall host itself


I would understand if the source would be VLAN_address, but not an allow any to any.
Since it is autogenerated, I can not simply delete or adapt this rule either.

Hopefully I am misinterpreting this rule? If not, where does it come from and how do I get rid of it?

What exactly is concerning you about those rules? I believe it's required for NAT functionality. Also, did you happen to notice the rule direction?

Quote from: jp0469 on March 25, 2024, 05:34:02 PM
What exactly is concerning you about those rules? I believe it's required for NAT functionality. Also, did you happen to notice the rule direction?

No, I did not notice the direction.
Direction is OUT, whereas 'normal' rules are IN. Much appreciated that you pointed this out.

So basically my FW rules block/allow INcoming traffic and once allowed the FW needs a rule to let this traffic back OUTgoing to the destination VLAN?

Or do I still misunderstand this rule?
Quote from: nerd on March 25, 2024, 05:56:07 PM
So basically my FW rules block/allow INcoming traffic and once allowed the FW ...
automatically sets up a state table entry that allows this same flow out wherever it is routed.

Quote from: nerd on March 25, 2024, 05:56:07 PM
... needs a rule to let this traffic back OUTgoing to the destination VLAN?
Nope. The "allow all out" rule is for traffic that never came in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.

Hence the description: "let out anything from firewall host itself"
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on March 25, 2024, 06:16:10 PM
Nope. The "allow all out" rule is for traffic that never came in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.
Hence the description: "let out anything from firewall host itself"

Mmm, then why do I see client<>server DNS traffic hitting this rule/label?

For example my client requesting DNS resolving from the server (not the FW).
In FIREWALL: LOG FILES: LIVE VIEW this shows up twice even though the FW should just pass the traffic:

client_vlan  OUT  2024-03-25T19:04:53  <client IP>:64696  <server IP>:53  udp  let out anything from firewall host itself
server_vlan  IN   2024-03-25T19:04:53  <client IP>:64696  <server IP>:53  udp  My DNS rule


Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.
Quote from: nerd on March 25, 2024, 07:10:57 PM
Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.

Anyone understand this and willing to explain?  Pretty please?

March 28, 2024, 12:47:34 PM #6 Last Edit: March 28, 2024, 12:53:18 PM by Seimus
Quote from: nerd on March 25, 2024, 07:10:57 PM
Quote from: Patrick M. Hausen on March 25, 2024, 06:16:10 PM
Nope. The "allow all out" rule is for traffic that never came in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.
Hence the description: "let out anything from firewall host itself"

Mmm, then why do I see client<>server DNS traffic hitting this rule/label?

For example my client requesting DNS resolving from the server (not the FW).
In FIREWALL: LOG FILES: LIVE VIEW this shows up twice even though the FW should just pass the traffic:

client_vlan  OUT  2024-03-25T19:04:53  <client IP>:64696  <server IP>:53  udp  let out anything from firewall host itself
server_vlan  IN   2024-03-25T19:04:53  <client IP>:64696  <server IP>:53  udp  My DNS rule


Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.

What you see here is correct.

You are hitting the IN rule for your DNS and then you hit the default allow-all-out rule, as by default OPNsense permits all traffic EGRESS. The explicit deny is by default only on Ingress.

let out anything from firewall host itself
- Rule to pass Egress all traffic

let out anything from firewall host itself (force gw) 
- Rule to pass Egress all traffic originating from FW WAN interface

Check Rules > Floating, you have them at the bottom.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD
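The thread's confusion comes from reading the "let out anything from firewall host itself" label as proof that the firewall itself sent the packet, when the same OUT rule is also what a forwarded flow matches on its egress interface after an IN rule admitted it. The script below is an added example, not code from the forum thread or from OPNsense: it correlates live-view style log lines per 5-tuple and reports, for each flow, the IN rule that admitted it and the OUT rule seen on exit, and labels a flow as firewall-originated only when its source address is one the firewall owns. The log lines, IP addresses and the FIREWALL_ADDRS set are constructed for illustration; the column order follows the layout pasted in the thread (interface, direction, timestamp, src:port, dst:port, proto, label).

```python
"""Correlate OPNsense live-view firewall log lines per flow.

Added example, not code from the forum thread or from OPNsense itself.
For each 5-tuple it reports which IN rule admitted the flow and which OUT
rule it matched on the egress interface. A flow whose source address belongs
to the firewall is "firewall-originated", which is what the "let out anything
from firewall host itself" label is meant for; a forwarded flow that shows the
same label on egress is reported as "forwarded" so the label is not misread.
All addresses and FIREWALL_ADDRS are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed (assumption): addresses the firewall itself owns on each interface.
FIREWALL_ADDRS = {"192.0.2.1", "198.51.100.1", "203.0.113.2"}

# Constructed sample in the live-view column order seen in the thread.
SAMPLE_LOG = """
client_vlan  IN   2024-03-25T19:04:53  192.0.2.10:64696   198.51.100.5:53  udp  My DNS rule
server_vlan  OUT  2024-03-25T19:04:53  192.0.2.10:64696   198.51.100.5:53  udp  let out anything from firewall host itself
wan          OUT  2024-03-25T19:04:55  203.0.113.2:41000  203.0.113.1:123  udp  let out anything from firewall host itself (force gw)
client_vlan  OUT  2024-03-25T19:05:01  198.51.100.5:5353  192.0.2.10:5353  udp  let out anything from firewall host itself
"""


@dataclass(frozen=True)
class Entry:
    iface: str
    direction: str   # "IN" or "OUT"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    label: str


def parse_line(line: str) -> Entry:
    """Split one whitespace-separated live-view line; the rule label keeps its spaces."""
    parts = line.split()
    iface, direction, _timestamp, src, dst, proto = parts[:6]
    label = " ".join(parts[6:])
    sip, sport = src.rsplit(":", 1)   # rsplit so an IPv6 literal would still split on the port
    dip, dport = dst.rsplit(":", 1)
    return Entry(iface, direction.upper(), sip, int(sport), dip, int(dport), proto.lower(), label)


def flow_key(e: Entry):
    return (e.src, e.sport, e.dst, e.dport, e.proto)


def classify(lines, firewall_addrs):
    """Map 5-tuple -> {"origin": ..., "in": [(iface, label)], "out": [(iface, label)]}."""
    flows = defaultdict(lambda: {"in": [], "out": []})
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        flows[flow_key(e)]["in" if e.direction == "IN" else "out"].append((e.iface, e.label))

    result = {}
    for key, hits in flows.items():
        if key[0] in firewall_addrs:
            origin = "firewall-originated"   # the only case the rule label actually describes
        elif hits["in"]:
            origin = "forwarded"             # admitted by an IN rule, then logged again on egress
        else:
            origin = "out-without-in"        # OUT entry with no matching IN entry: worth a look
        result[key] = {"origin": origin, **hits}
    return result


def count_by_origin(result):
    counts = defaultdict(int)
    for v in result.values():
        counts[v["origin"]] += 1
    return dict(counts)


if __name__ == "__main__":
    res = classify(SAMPLE_LOG.splitlines(), FIREWALL_ADDRS)
    for key, v in res.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}/{key[4]}: {v['origin']}")
        for direction in ("in", "out"):
            for iface, label in v[direction]:
                print(f"    {direction.upper():3} on {iface}: {label}")
    print(count_by_origin(res))
```

Run against the constructed sample, the client-to-server DNS flow comes out as "forwarded" (IN on client_vlan via "My DNS rule", OUT on server_vlan via the generated rule), the NTP query sourced from the firewall's own WAN address is the only "firewall-originated" flow, and an OUT entry with no corresponding IN entry is flagged separately. Feeding it a real export of Firewall: Log Files: Live View together with the firewall's actual interface addresses gives the same three-way split, which is the quick check for whether anything matching the "let out anything" label really originates on the firewall.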