OPNsense
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Clearing Automatically Generated Rules
Author Topic: Clearing Automatically Generated Rules  (Read 21656 times)

OzTechGeek

  • Newbie
  • Posts: 7
  • Karma: 0
Clearing Automatically Generated Rules
« on: February 06, 2020, 01:01:04 am »
Hi All,

How do I go about clearing the "Automatically Generated Rules" under "Floating"? The reason I ask is that I followed the instructions here https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6 on how to disable IPv6 (not completely, as I would like), and when I look at "Firewall: Rules: Floating" I still see the following:

Protocol        Source      Port  Destination           Port  Gateway  Schedule  Description
IPv6 IPV6-ICMP  *           *     *                     *     *        *         IPv6 requirements (ICMP)
IPv6 IPV6-ICMP  (self)      *     fe80::/10,ff02::/16   *     *        *         IPv6 requirements (ICMP)
IPv6 IPV6-ICMP  fe80::/10   *     fe80::/10,ff02::/16   *     *        *         IPv6 requirements (ICMP)
IPv6 IPV6-ICMP  ff02::/16   *     fe80::/10             *     *        *         IPv6 requirements (ICMP)

I also added an extra "Floating Rule", since unchecking "Allow IPv6" under "Firewall: Settings: Advanced" only created a "Floating" rule for IN:

Direction = ANY

Protocol  Source  Port  Destination  Port  Gateway  Schedule  Description
IPv6      *       *     *            *     *        *         Block All IPv6

Also noticed this rule appearing twice:

Protocol         Source  Port  Destination  Port  Gateway  Schedule  Description
IPv4+6 TCP/UDP   *       *     *            *     *        *         block all targetting port 0
IPv4+6 TCP/UDP   *       *     *            *     *        *         block all targetting port 0

I have rebooted and they still show up; any help/suggestions would be appreciated. Thanks

simgamer13

  • Newbie
  • Posts: 3
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #1 on: June 11, 2020, 06:57:07 am »
I am looking for an answer/input on this as well.

I am evaluating pfsense and opnsense as my firewall setup, transitioning from an edgerouter device. I am liking the interface of opnsense better than pfsense, but the list of automatically generated rules gives me pause about going the opnsense route. pfsense doesn't seem to have these and/or allows you to turn off the few automatic rules it generates.

I would prefer to have complete control over all of my firewall rules. Yes, I expect this to increase the learning curve. But what better way to learn? Overall, I like the idea of being able to explicitly control everything my firewall setup is doing.

bobm

  • Newbie
  • Posts: 16
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #2 on: September 08, 2020, 11:47:52 pm »
I'm new to opnsense, have the same question, and based on my searches (how I found this thread) it appears that it is not possible to turn off autogenerated rules.  :-\

packet loss

  • Full Member
  • Posts: 134
  • Karma: 26
Re: Clearing Automatically Generated Rules
« Reply #3 on: October 13, 2020, 03:56:55 pm »
You can't modify or delete autogenerated rules using the webui. You can, however, modify the following file, which creates many, if not all, of the autogenerated rules:

/usr/local/etc/inc/filter.lib.inc

This file also plays a role:

/usr/local/etc/inc/filter.inc

I found that I could change all the autogenerated rules for my OPNsense setup by just modifying the filter.lib.inc file.

I'm currently using OPNsense 20.7.3 and this screenshot is what my autogenerated floating rules look like after modifying filter.lib.inc.

« Last Edit: October 13, 2020, 07:24:57 pm by packet loss »

mikeace

  • Newbie
  • Posts: 1
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #4 on: October 16, 2020, 01:54:11 am »
Man, I've been pulling my hair out for 2 days trying to figure out where those rules were getting generated from. I was doing testing and this issue also persists on pfsense. This ruleset was preventing me from running an IPv4 bridge on one pair of interfaces and IPv6 prefix delegation on a separate pair; the default IPv6 prefix kept leaking through the bridged pair no matter what IPv6 deny rules I set on that bridged set. The one issue I see is that any update will undo these changes. Do you think it's worthwhile to submit a feature request?

jgray

  • Newbie
  • Posts: 1
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #5 on: October 18, 2022, 05:36:35 pm »
Thank you for posting this.
For me, I want full control of my firewall rules. The idea of firewall auto rules with no ability to modify them is very bad for a firewall. If you want to provide auto rules, allow the user to choose which rules run automatically and allow the user to modify the auto rules. I just remove all the auto rules and make a backup of the file; when I update I just repeat the process.

franco

  • Administrator
  • Hero Member
  • Posts: 17739
  • Karma: 1620
Re: Clearing Automatically Generated Rules
« Reply #6 on: October 19, 2022, 09:56:30 am »
> For me I want full control of my firewall rule.

You know this statement has two fundamental flaws?

1. You don't need a GUI for that.
2. You will likely create too broad exceptions for internal services like DNS or DHCP or IPv6, or not get it to work at all without knowing all of these by heart.


Cheers,
Franco

e1e0n

  • Newbie
  • Posts: 8
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #7 on: June 17, 2023, 08:29:46 pm »
I know it's old. May I disagree? If I need something like blocking inter-LAN traffic I should not have to learn all the tricks. It would be nice to have the ability to insert user rules before the auto-generated ones. At this moment it's either completely disable the autogenerated rules or start learning _all_ the internals (which I don't want to spend time on because it's a one-time simple config which I am not allowed to do because of the auto-generated rules).
All I need is to block traffic LAN/WAN <-> LAN2/WAN2 and it seems to be really difficult to do, even though just adding my own rule before any autogenerated rule would solve this.

Quote from: franco on October 19, 2022, 09:56:30 am
> > For me I want full control of my firewall rule.
>
> You know this statement has two fundamental flaws?
>
> 1. You don't need a GUI for that.
> 2. You will likely create too broad exceptions for internal services like DNS or DHCP or IPv6, or not get it to work at all without knowing all of these by heart.
>
> Cheers,
> Franco

Patrick M. Hausen

  • Hero Member
  • Posts: 6932
  • Karma: 584
Re: Clearing Automatically Generated Rules
« Reply #8 on: June 17, 2023, 08:41:54 pm »
It's dead easy to block inter LAN traffic even with automatic rules in place. What exactly is your problem?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

e1e0n

  • Newbie
  • Posts: 8
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #9 on: June 17, 2023, 10:47:58 pm »
My problem is that LAN2, which is supposed to route to WAN2, actually routes through WAN. I tried a blocking rule on LAN2 and LAN so they do not pass cross traffic, and it seems that it does not work.

PS I tried to get help on the forum earlier but the only advice I got was disabling the auto-generated rules (and I don't know how to do that without hard resetting the router).

Here are my settings for LAN/WAN, and a client from LAN2 gets an external IP from WAN :(
My firewall understanding is basic; probably I am doing something wrong?
« Last Edit: June 17, 2023, 11:34:46 pm by e1e0n »

Patrick M. Hausen

  • Hero Member
  • Posts: 6932
  • Karma: 584
Re: Clearing Automatically Generated Rules
« Reply #10 on: June 18, 2023, 07:35:54 am »
You do not need any rules on WAN.

LAN2 - 1st rule:

Source: LAN2 net
Destination: LAN net
Direction: in
Action: deny

LAN2 - 2nd rule:

Source: LAN2 net
Destination: any
Direction: in
Action: allow
Gateway: WAN2 GW

LAN - 1st rule:

Source: LAN net
Destination: LAN2 net
Direction: in
Action: deny

LAN - 2nd rule:

Source: LAN net
Destination: any
Direction: in
Action: allow
Gateway: WAN GW

"Out" rules are practically never used due to the stateful nature of the firewall. But this is how all firewalls have worked for ages, actually. When a client on LAN tries to reach "something" on the Internet, the initial packet is coming in the LAN interface. So "in" rule.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

e1e0n

  • Newbie
  • Posts: 8
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #11 on: June 18, 2023, 12:07:36 pm »
Oh, thanks, I will try that.

Thanks! It works!
« Last Edit: June 18, 2023, 11:24:43 pm by e1e0n »

e1e0n

  • Newbie
  • Posts: 8
  • Karma: 0
Re: Clearing Automatically Generated Rules
« Reply #12 on: June 20, 2023, 09:23:37 pm »
I think there is an issue with these settings: DNS is not working. I did enable LAN to This Firewall for LAN and it seems to fix the problem with DNS; not sure if this is correct.

Quote from: pmhausen on June 18, 2023, 07:35:54 am
> You do not need any rules on WAN.
>
> LAN2 - 1st rule:
>
> Source: LAN2 net
> Destination: LAN net
> Direction: in
> Action: deny
>
> LAN2 - 2nd rule:
>
> Source: LAN2 net
> Destination: any
> Direction: in
> Action: allow
> Gateway: WAN2 GW
>
> LAN - 1st rule:
>
> Source: LAN net
> Destination: LAN2 net
> Direction: in
> Action: deny
>
> LAN - 2nd rule:
>
> Source: LAN net
> Destination: any
> Direction: in
> Action: allow
> Gateway: WAN GW
>
> "Out" rules are practically never used due to the stateful nature of the firewall. But this is how all firewalls have worked for ages, actually. When a client on LAN tries to reach "something" on the Internet, the initial packet is coming in the LAN interface. So "in" rule.
>
> HTH,
> Patrick

Patrick M. Hausen

  • Hero Member
  • Posts: 6932
  • Karma: 584
Re: Clearing Automatically Generated Rules
« Reply #13 on: June 20, 2023, 09:28:20 pm »
The second LAN rule "to any" should cover that. Systems on LAN should use the firewall's address on LAN as their DNS server, systems on LAN2 should use the firewall's address on LAN2 as their DNS server. DNS requests should not cross networks if the firewall is to provide recursive DNS service.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
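The following is an added example, not code from this thread or from the OPNsense project. It is a small Python model of Patrick's four-rule set from reply #10 (first match wins on the ingress interface, replies matched by state only) and of his point in reply #13 about which firewall address each segment should use as its resolver. The addresses, the "X net" alias resolution and the interface names are constructed assumptions; the model ignores everything else pf does (floating and automatic rules, route-to handling, NAT).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addressing (not from the thread): one /24 per segment and
# the firewall's own address on each of them.
IFACE_NET = {
    "LAN": ip_network("192.168.1.0/24"),
    "LAN2": ip_network("192.168.2.0/24"),
}
FW_ADDR = {
    "LAN": ip_address("192.168.1.1"),
    "LAN2": ip_address("192.168.2.1"),
}


@dataclass(frozen=True)
class Rule:
    iface: str                      # interface the rule is attached to (direction "in")
    src: str                        # "<IFACE> net" alias or "any"
    dst: str
    action: str                     # "deny" or "allow"
    gateway: Optional[str] = None   # policy-routing gateway; only used by "allow"


# The four rules from Patrick's reply, in the order he lists them.
RULES = [
    Rule("LAN2", "LAN2 net", "LAN net", "deny"),
    Rule("LAN2", "LAN2 net", "any", "allow", gateway="WAN2 GW"),
    Rule("LAN", "LAN net", "LAN2 net", "deny"),
    Rule("LAN", "LAN net", "any", "allow", gateway="WAN GW"),
]


def _spec_matches(spec: str, addr: IPv4Address) -> bool:
    """Resolve an "X net" alias (or "any") and test membership."""
    if spec == "any":
        return True
    return addr in IFACE_NET[spec.split()[0]]


def ingress_interface(src: IPv4Address) -> Optional[str]:
    """The interface a first packet arrives on, derived from its source net.
    Anything else (e.g. a packet from WAN) has no interface rules here."""
    for iface, net in IFACE_NET.items():
        if src in net:
            return iface
    return None


class StatefulFirewall:
    """First-match evaluation on the ingress interface plus a state table."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # (src, dst) pairs of flows that were allowed in

    def first_packet(self, src: str, dst: str) -> Tuple[str, Optional[str]]:
        """Evaluate the opening packet of a flow. Returns (verdict, gateway)."""
        s, d = ip_address(src), ip_address(dst)
        iface = ingress_interface(s)
        for rule in self.rules:
            if rule.iface != iface:
                continue
            if _spec_matches(rule.src, s) and _spec_matches(rule.dst, d):
                if rule.action == "allow":
                    self.states.add((s, d))
                    return "allow", rule.gateway
                return "deny", None
        return "deny (default)", None   # nothing matched: interface default deny

    def reply_packet(self, src: str, dst: str) -> str:
        """Replies are checked against the state table, not the rules; this is
        why no "out" rules are needed for the return traffic."""
        s, d = ip_address(src), ip_address(dst)
        return "allow (state)" if (d, s) in self.states else "deny (no state)"


def dns_reachability(client: str) -> dict:
    """Verdict for a client querying each of the firewall's own addresses."""
    fw = StatefulFirewall(RULES)
    return {iface: fw.first_packet(client, str(addr))[0] for iface, addr in FW_ADDR.items()}


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print("LAN2 -> LAN host       :", fw.first_packet("192.168.2.50", "192.168.1.20"))
    print("LAN2 -> Internet       :", fw.first_packet("192.168.2.50", "198.51.100.10"))
    print("Internet reply -> LAN2 :", fw.reply_packet("198.51.100.10", "192.168.2.50"))
    print("LAN2 client resolvers  :", dns_reachability("192.168.2.50"))
```

Running it shows the behaviour the thread converges on: a LAN2 client reaching the firewall's LAN address is caught by the first deny (that is the DNS breakage in reply #12), while the same client reaching the firewall's LAN2 address falls through to the "to any" allow, and Internet replies are accepted purely from state.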

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved