[SOLVED] I need a clarification about rules applied to interfaces

[luk4s]

Hi,

I need a clarification about rules applied to interfaces. On my OPNSENSE box i have a many vlan networks.
Let's say there are VLAN10 (10.0.10.0/24) - internal desktops, VLAN20 (10.0.20.0/24) - printers and VLAN30 (10.0.30.0/24) - internal servers. I would like the internal servers to be accessed only from VLAN10. Where should I put rules to protect access to servers, on VLAN10 or VLAN30 interface?
e.g.
on interface VLAN10:

Code: [Select]

1)
action: pass
proto: IPv4
source: *
destination: SRV01 (10.0.30.2)
port: 80
2)
action: pass
proto: IPv4
source: *
destination: SRV02 (10.0.30.3)
port: 22

etc.

OR

on interface VLAN30:

Code: [Select]

1)
action: pass
proto: IPv4
source: VLAN10 net (10.0.10.0/24)
destination: SRV01 (10.0.30.2)
port: 80
2)
action: pass
proto: IPv4
source: VLAN10 net (10.0.10.0/24)
destination: SRV02 (10.0.30.3)
port: 22


[cookiemonster]

My understanding of OPN is that default action is to filter on incoming direction, the preferred way is on VLAN30.
I'm new so I suggest a second opinion or confirmation.

[Patrick M. Hausen]

You probably don't need explicit rules to "protect" the servers. OPNSense is "deny all by default" like any reasonable firewall. So you put an inbound rule permitting access to the servers on VLAN 10 and that's all that is necessary.

[luk4s]

Yes, I understand, that "default" behavor is deny all. I just need clarification, where to put rules to allow access.
cookiemonster said on VLAN30, you on VLAN10, that's my point. Which method is the correct one?

[Patrick M. Hausen]

Hosts on VLAN 10 shall be permitted to access hosts on VLAN 30? Rules on VLAN 10. Inbound rules whenever possible. Firewall 101 ...

The state tracking of OPNsense will take care of the rest.

[cookiemonster]

Exactly how I interpret and mean it pmhausen, what you explained so well.
However to achieve it, is it not an allow inbound on VLAN30 ?

[Patrick M. Hausen]

No, it's an allow inbound on VLAN 10. The systems in VLAN 10 initiate connections to the servers in VLAN 30. Once established, packets can flow in both directions, because OPNsense is a stateful firewall.

[jp0469]

Exactly how I interpret and mean it pmhausen, what you explained so well.
However to achieve it, is it not an allow inbound on VLAN30 ?

This trips everybody up including me until it was explained this way: Direction is relative to the firewall so inbound means "toward the firewall". Therefore, the traffic you are describing is actually coming from VLAN10 and going toward the firewall (inbound) and then goes away from the firewall (outbound) toward VLAN30. Once it was explained to me that way, it really stuck. Hope it helps you also.

[Greelan]

This trips everybody up

Well, not everyone …

[jp0469]

This trips everybody up

Well, not everyone …

Well, several people then? 

My father told me a million times not to exaggerate.

[luk4s]

Thanks to everyone for the explanation. 

[franco]

I do like the FreeBSD Bugzilla triage scope:

1. affects everyone
2. affects some people
3. affects only me

To my surprise even I find myself at priority 3 for a number of things that need urgent attendance from my point of view.


Cheers,
Franco

[cookiemonster]

Exactly how I interpret and mean it pmhausen, what you explained so well.
However to achieve it, is it not an allow inbound on VLAN30 ?

This trips everybody up including me until it was explained this way: Direction is relative to the firewall so inbound means "toward the firewall". Therefore, the traffic you are describing is actually coming from VLAN10 and going toward the firewall (inbound) and then goes away from the firewall (outbound) toward VLAN30. Once it was explained to me that way, it really stuck. Hope it helps you also.

No, it's an allow inbound on VLAN 10. The systems in VLAN 10 initiate connections to the servers in VLAN 30. Once established, packets can flow in both directions, because OPNsense is a stateful firewall.

Thank you both, I am much clearer.