Unable to block traffic from DMZ to LAN

Started by bitTwiddler, June 03, 2021, 02:13:30 AM

June 03, 2021, 02:13:30 AM Last Edit: June 03, 2021, 04:19:29 AM by bitTwiddler
I have rules on my DMZ interface as well as my LAN interface blocking traffic from DMZ to LAN but I can still browse to web resources on the LAN network from a web browser on a workstation in the DMZ.  I know I am missing the obvious but I am not currently seeing it.

Attached are my DMZ and LAN rules.

The message in the Live Log for the DMZ -> LAN traffic is: "let out anything from firewall host itself" - which is tied to an autogenerated floating rule which I cannot disable.


Hi bitTwiddler,

I do not see any mistake in your rules.

When installing my OPNsense I did the following steps:

  • run installation of the image via the serial console
  • Assign the interface in the console: LAN and WAN
  • run the wizard of the WebUI
  • add the interface for DMZ

After that, devices in the DMZ are not allowed to do anything: DNS, internet access, access to the LAN. I have to define rules allowing the devices in my DMZ what I want. Block by default.

So why did you change this general behavior of your setup?

Kind Regards
Thomas
Don't forget to [applaud] those offering time and brainpower to help you!

The third rule on the DMZ interface is an odd one - I'd delete that. And the first rule on the LAN interface won't do anything, so can be deleted too.

June 03, 2021, 06:17:17 PM #3 Last Edit: June 03, 2021, 08:39:57 PM by bitTwiddler
Thank you for the great feedback!  Much appreciated.

Greenlan, that rule was not in my original ruleset but more of a Hail Mary pass to try to contain DMZ - which didn't work. I will remove that rule. I also removed the 1st LAN rule. Good catch!

Thogru, I pretty much followed the same path you outline with a few exceptions. I followed your steps 1-3 as part of moving off Smallwall to OPNsense last year. That worked very well. I just moved DMZ over from Smallwall and brought over the three simple rules. The only difference was that I set up a NAT port-forward for PiHole DNS. So, I didn't change any of the default behavior. If you are aware of why the floating rule "let out anything from firewall host itself" is firing I'd give my right arm to know.

FYI - I am running OPNsense v21.1.4-amd64

I found one typo - a CIDR block suffix of /1 rather than /32 which was allowing everything on LAN.

I am doing regression testing now.

After cleaning up the typo my DMZ rules look like this. Since everything not explicitly passed should be blocked, I should be able to replace the last three rules with "allow to WAN". However, that does not work for me for some reason.


"WAN net" doesn't mean "everything on the internet". It just means the network configured on the WAN interface.

Understood.  I guess I was thinking that OPNsense knew WAN is the outbound interface to the Internet based upon the fact that it has the default gateway.

I am not a big fan of default allow rules but I don't see a workaround in this case.
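An added example, not part of the thread, modelling the two points raised above with a first-match rule evaluator: the /1-instead-of-/32 typo that exposed the whole LAN, and "WAN net" matching only the WAN subnet rather than the internet. All subnets and hosts are constructed placeholders, since the thread does not give the real addressing.

```python
"""Simplified first-match ("quick") rule evaluation for the DMZ thread."""
import ipaddress

# Constructed addressing; the thread never states the real subnets.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/24")  # ISP-facing subnet only
ANY = ipaddress.ip_network("0.0.0.0/0")


def first_match(rules, src, dst):
    """Return the action of the first rule whose source and destination
    both contain the packet, or 'block' (default deny) if none matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "block"


def pihole_rules():
    """(intended, typo) rulesets passing DMZ -> PiHole DNS host."""
    intended = ipaddress.ip_network("192.168.1.53/32")
    # The /1 typo: strict=False turns 192.168.1.53/1 into 128.0.0.0/1,
    # half of IPv4 space, which swallows every LAN address.
    typo = ipaddress.ip_network("192.168.1.53/1", strict=False)
    return [("pass", DMZ_NET, intended)], [("pass", DMZ_NET, typo)]


def wan_net_rules():
    """'Allow to WAN net' covers only the WAN subnet, not the internet."""
    return [("pass", DMZ_NET, WAN_NET)]


def block_lan_then_any():
    """Explicit block to LAN first, then pass to any: the default-allow
    workaround the last post is reluctantly considering."""
    return [("block", DMZ_NET, LAN_NET), ("pass", DMZ_NET, ANY)]


if __name__ == "__main__":
    intended, typo = pihole_rules()
    print("typo lets DMZ reach LAN web host:",
          first_match(typo, "192.168.50.10", "192.168.1.20"))
    print("/32 version:", first_match(intended, "192.168.50.10", "192.168.1.20"))
    print("WAN net to internet host:",
          first_match(wan_net_rules(), "192.168.50.10", "93.184.216.34"))
```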