Port forwarding and linked rule for DNS redirect. Why linked rule

Started by ricksense, August 14, 2023, 06:07:43 PM

Hi everyone,

I set two networks (LAN and GUEST) on OPNsense 23.1.11, each on its own interface/subnet (no vlans). I also set redirect DNS rules for both in NAT-> Port Forward:

They seem to be working but, since I am still new to OPNsense, there is something I haven't understood.

1) First of all, why was the Guest one set as a "linked rule", and the LAN one not?

2) In fact, a rule was automatically created in FIREWALL->RULES->GUEST, while none was created in RULES->LAN. Strange, why?

As I said, they both work. Here is the log for the GUEST subnet dns redirect:

Could anyone please help figure it out?

Thanks

What does the Filter Rule Association field say for each of your Port Forwards?

Quote from: CJ on August 15, 2023, 03:08:33 PM
What does the Filter Rule Association field say for each of your Port Forwards?

Oh that field:

I set it to None now, and the filter rule in the GUEST rule has disappeared.
Anyway, it is more about understanding what it is for and the pros and cons of it.

Thanks

Normally you would set it to "pass", because you want that port forward to be allowed. Choosing a dedicated firewall rule instead of "pass" lets you set more granular policies if you intend to do so.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 15, 2023, 08:23:25 PM
Normally you would set it to "pass", because you want that port forward to be allowed. Choosing a dedicated firewall rule instead of "pass" lets you set more granular policies if you intend to do so.

That is the point.
Why should I set up port forwarding to allow access to my webserver running on my LAN and, at the same time, set the related firewall LAN rule to something other than PASS?
What would be a meaningful example of a granular policy?
Thank you

Only allowing access at certain times?
Only allowing certain source IP addresses (ok, that can already be done in the NAT port forwarding rule)

Any combination of any idea like these you can come up with.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
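As an added illustration of the two association styles discussed above (not rules from the thread, and not the ruleset OPNsense actually generates; interface, network and table names are placeholders), here is the difference expressed in pf's own rule language, which OPNsense compiles its NAT and filter rules into. OPNsense writes the compiled rules to /tmp/rules.debug, so the shape below can be compared against what the box really produced:

```pf
# Added example: "Filter rule association" choices for a DNS redirect, in pf syntax.
# guest_if, guest_net and <dns_clients> are placeholders, not OPNsense-generated names.

guest_if  = "igb2"
guest_net = "192.168.20.0/24"
table <dns_clients> { 192.168.20.0/24 }   # placeholder: who may use the resolver

# 1) Association = "Pass": a single rule both redirects and permits the traffic.
#    No rule appears under Firewall -> Rules -> GUEST, and the only policy that
#    applies is whatever the NAT rule itself carries (source, destination, port).
rdr pass on $guest_if proto { tcp udp } from $guest_net to ! ($guest_if) port 53 -> 127.0.0.1 port 53

# 2) Association = linked filter rule: redirect and permit are separate rules.
#    The linked pass rule is editable on its own, so it can carry extra policy,
#    such as restricting sources to a table you maintain.
rdr on $guest_if proto { tcp udp } from $guest_net to ! ($guest_if) port 53 -> 127.0.0.1 port 53

# pf applies rdr before filtering, so the linked rule must match the translated
# destination (the firewall's resolver), not the original public resolver address.
pass in quick on $guest_if proto { tcp udp } from <dns_clients> to 127.0.0.1 port 53 keep state

# Caveat a DNS redirect does not cover: only plain DNS on port 53 is caught.
# DNS over TLS (port 853) would bypass the resolver unless blocked separately.
block in quick on $guest_if proto tcp from $guest_net to any port 853
```

With "None" as the association there is no pass rule at all, which is why the GUEST rule disappeared after that change; the redirect then only works if some other rule on the GUEST interface happens to allow traffic to 127.0.0.1 port 53. Whichever style is used, a quick check from a guest client is a query sent deliberately to a public resolver (for example with dig @1.1.1.1): the answer should come back from the firewall's resolver and show up in the firewall log as a match on the redirect.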

The more I practice with OPNsense, the more it will make sense, I guess.
I mean, I will probably run into situations where this feature might come in handy.
Thanks