stateful rules equivalent to conntrack in iptables

[kr1p]

Hi,
I have a simple setup:
(10.0.0.1)Internet box -- (10.0.02) firewall_WAN -- firewall_LAN (192.168.1.1) -- my pc (192.168.1.2)
I would like to set a firewall rule authorizing all packets out and blocking all packets in except for related/established packets (stateful rule).
I dont find the rules i need to add to obtain this.

Could you help me with this?

Thank you.

[pmhausen]

This is the default. All rules are stateful in OPNsense unless explicitly configured differently.

[kr1p]

Ok, but i have put a rule to allow traffic direction out and block direction in and the block in doesnt let the traffic pass if it came from rule direction out.
Is there a default policy to block traffic or am i supposed to add a rule at the end of the stack with block traffic and put rules before to allow it (in case quick is ticked)?
If i want traffic to pass from my lan to internet and block internet to lan (except for stateful packets that come back), what rule am i supposed to add to the lan interface(allow/block) and what rule to the wan interface (allow/block)?
thanks

[cookiemonster]

Your desired behaviour is the default, you don't need to add anything and you'll be able to see an allow all out on the LAN interface. The WAN interface defaults to block all in unless it is found as a stateful return.
For new interfaces, you need to create them all.

[kr1p]

Ok i see the default as allow all incoming connection on LAN net also...
What is the meaning of 'link#2' 'link#4' etc in system/route/status?

[cookiemonster]

https://docs.freebsd.org/en/books/handbook/advanced-networking/
better than trying to explain in a post.

[kr1p]

thanks, so basically it's an hardware interface. it's a pitty the web gui doesnt show which "link#" each interface is assigned to in interfaces...

[pmhausen]

thanks, so basically it's an hardware interface. it's a pitty the web gui doesnt show which "link#" each interface is assigned to in interfaces...

The "link#" means it's a locally connected route. The numbers are created dynamically and might change on subsequent boots. The hardware interface and the OPNsense assigned name can be found in the "Netif" and "Netif (name)" columns.

HTH,
Patrick

[kr1p]

Ok thanks.
I see all my devices connected to the opnsense firewall have a route with a netif defined as l0 (loopback interface).
Isnt it a threat that connects them all together?

[pmhausen]

I see all my devices connected to the opnsense firewall have a route with a netif defined as l0 (loopback interface).

All the IP addresses of OPNsense interfaces are local to OPNsense. So they are not routed out to the wire but handled internally. There are most probably no routes for external systems that point to lo0.

I guess that is what you are seeing. If not, please provide more detail, e.g. a screenshot.

[kr1p]

hi, here is the attached screenshot