stateful rules equivalent to conntrack in iptables

Started by kr1p, January 29, 2023, 04:00:52 PM

Hi,
I have a simple setup:
(10.0.0.1)Internet box -- (10.0.02) firewall_WAN -- firewall_LAN (192.168.1.1) -- my pc (192.168.1.2)
I would like to set a firewall rule authorizing all packets out and blocking all packets in except for related/established packets (stateful rule).
I don't find the rules I need to add to obtain this.

Could you help me with this?

Thank you.

This is the default. All rules are stateful in OPNsense unless explicitly configured differently.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ok, but I have put a rule to allow traffic direction out and block direction in, and the block in doesn't let the traffic pass if it came from the rule direction out.
Is there a default policy to block traffic, or am I supposed to add a rule at the end of the stack with block traffic and put rules before it to allow it (in case quick is ticked)?
If I want traffic to pass from my LAN to the internet and block internet to LAN (except for stateful packets that come back), what rule am I supposed to add to the LAN interface (allow/block) and what rule to the WAN interface (allow/block)?
thanks

Your desired behaviour is the default, you don't need to add anything and you'll be able to see an allow all out on the LAN interface. The WAN interface defaults to block all in unless it is found as a stateful return.
For new interfaces, you need to create them all.
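For readers coming from iptables, here is what the default OPNsense behaviour described above looks like as plain pf rules, with the conntrack counterparts in the comments. This is an added example, not a ruleset from the thread or from OPNsense itself; the interface names em0/em1 are assumptions.

```pf
# Assumed interface names for this example: em0 = WAN, em1 = LAN
wan     = "em0"
lan     = "em1"
lan_net = "192.168.1.0/24"

# Default deny on every interface, like an iptables INPUT/FORWARD
# policy of DROP. pf is last-match, so specific "pass ... quick"
# rules below override this.
block in log all

# LAN -> anywhere, stateful. The state entry created here is what
# lets the reply traffic back in on WAN with no further rule.
# iptables equivalent:
#   -A FORWARD -i lan -j ACCEPT
pass in quick on $lan from $lan_net to any keep state

# Let the firewall forward traffic out of WAN and record state for it.
pass out quick on $wan keep state

# There is no "ESTABLISHED,RELATED" rule: pf consults the state table
# before it evaluates the ruleset, so any packet that belongs to a
# state created above is passed automatically. Anything the internet
# side initiates on $wan matches no state and hits "block in log all".
# iptables equivalent (implicit in pf):
#   -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

`pfctl -nf /path/to/rules.conf` parses the file without loading it, which is a quick way to check the syntax before applying anything.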

Ok, I see the default as allow all incoming connections on LAN net also...
What is the meaning of 'link#2' 'link#4' etc in system/route/status?


Thanks, so basically it's a hardware interface. It's a pity the web GUI doesn't show which "link#" each interface is assigned to in interfaces...

Quote from: kr1p on February 03, 2023, 10:17:36 AM
Thanks, so basically it's a hardware interface. It's a pity the web GUI doesn't show which "link#" each interface is assigned to in interfaces...
The "link#" means it's a locally connected route. The numbers are created dynamically and might change on subsequent boots. The hardware interface and the OPNsense assigned name can be found in the "Netif" and "Netif (name)" columns.

HTH,
Patrick

Ok thanks.
I see all my devices connected to the opnsense firewall have a route with a netif defined as l0 (loopback interface).
Isn't it a threat that connects them all together?

Quote from: kr1p on February 03, 2023, 10:38:03 AM
I see all my devices connected to the opnsense firewall have a route with a netif defined as l0 (loopback interface).
All the IP addresses of OPNsense interfaces are local to OPNsense. So they are not routed out to the wire but handled internally. There are most probably no routes for external systems that point to lo0.

I guess that is what you are seeing. If not, please provide more detail, e.g. a screenshot.