Topic: Standard rule "let out anything from firewall host itself" (Read 7224 times)
wgloes
Newbie
Posts: 5
Karma: 0
Standard rule "let out anything from firewall host itself"
« on: December 23, 2020, 10:32:05 pm »
I'm new to OPNsense but not to firewalls in general.
My scenario is:
- OPNsense FW without NAT as the second FW behind an external FW
- There are some networks connected to the OPNsense FW that are to be separated
- "Green" interface goes to the external FW
- "Internal" interface, like the name says, is internal
Contrary to other FWs it seems that the IP packets are routed over different rules inbound and outbound (see attachment). Is this by design, is there a misconfiguration, or is it just the way the log is displayed?
Wolf
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Standard rule "let out anything from firewall host itself"
« Reply #1 on: December 23, 2020, 11:59:40 pm »
The inbound packet hits the green interface first and rule processing occurs there. The outbound packet hits the internal interface first and is processed there. This is why you see that. It is important it works this way so you can create appropriate rules. For example, perhaps only a single machine on the LAN should be allowed to send packets out on port 25. Because of how NAT works, a NAT pinning attack could try to coax another machine to reply out on port 25 on your internal LAN. An appropriate rule only allowing a single machine to have access to do this would effectively block that.
« Last Edit: December 24, 2020, 12:01:37 am by allebone »
wgloes
Newbie
Posts: 5
Karma: 0
Re: Standard rule "let out anything from firewall host itself"
« Reply #2 on: December 24, 2020, 11:23:51 am »
If I understand you correctly, I have to write two rules (one for incoming and one for outgoing packets) to have full control over the packet flow through the firewall? In the case of using the standard rule, I can control the incoming packets only by a dedicated rule, because the standard rule is an outgoing rule.
chemlud
Hero Member
Posts: 2487
Karma: 112
Re: Standard rule "let out anything from firewall host itself"
« Reply #3 on: December 24, 2020, 11:32:01 am »
No, search for "stateful firewall". A rule is only needed for the first packet in each direction; the reply is allowed by a state. Golden rule: NO rules on WAN needed...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
wgloes
Newbie
Posts: 5
Karma: 0
Re: Standard rule "let out anything from firewall host itself"
« Reply #4 on: December 24, 2020, 12:19:54 pm »
I think there is a slight misunderstanding or misinterpretation on my side. I'm more bothered by the global standard rule that allows all outgoing traffic, not only from the firewall itself but also for all networks and interfaces. And this is the last rule at "Floating". If there is no other block or pass rule with dedicated hosts/ports/networks etc. before this last rule, all outgoing network traffic is allowed, if I'm correct.
allebone
Sr. Member
Posts: 402
Karma: 34
Re: Standard rule "let out anything from firewall host itself"
« Reply #5 on: December 24, 2020, 02:51:06 pm »
Best practice is to only allow outbound ports as needed. The default allow-all-out exists only because this is traditionally how firewalls worked, and most people expect their outbound traffic to be allowed.
chemlud
Hero Member
Posts: 2487
Karma: 112
Re: Standard rule "let out anything from firewall host itself"
« Reply #6 on: December 24, 2020, 03:24:10 pm »
Quote from: wgloes on December 24, 2020, 12:19:54 pm
And this is the last rule at "Floating".
Have a look at "Source" for this floating "let out anything from fw itself".
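The rule semantics this thread arrives at (the floating default rule matches only the firewall's own addresses, forwarded LAN traffic is evaluated inbound on the interface it enters, and replies are matched by state rather than by a WAN rule), written out as a constructed pf.conf fragment. This is an added illustration, not OPNsense's generated ruleset or any poster's configuration; the interface names "green" and "internal" and the host address 192.0.2.10 are assumptions.

```pf
# Constructed example of the rule semantics discussed above; not OPNsense's
# generated ruleset. Interface names and the host address are assumptions.

# The floating default rule. "(self)" expands to the firewall's own interface
# addresses, so it only matches traffic that originates on the firewall host.
# It does not cover packets merely forwarded from hosts on the internal LAN.
pass out quick inet from (self) to any keep state label "let out anything from firewall host itself"

# Forwarded traffic from the LAN is evaluated inbound on "internal", the
# interface it arrives on. Only one host may open SMTP sessions; every other
# port-25 attempt from the LAN is blocked and logged so it can be reviewed.
pass in quick on internal inet proto tcp from 192.0.2.10 to any port 25 flags S/SA keep state
block in log quick on internal inet proto tcp from internal:network to any port 25

# Stateful matching: the first packet of a session creates a state entry, and
# the reply packets arriving on "green" are matched by that state, so no
# explicit pass rule on the WAN-side interface is required for them.
pass in quick on internal inet from internal:network to any keep state
```

Rule order matters because of the `quick` keyword: the single-host SMTP pass must precede the port-25 block, which must precede the general LAN pass.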