Automatically generated rules - is the reason I stopped migrating to OPNSense
Topic: Automatically generated rules - is the reason I stopped migrating to OPNSense (Read 17237 times)
newjohn, September 26, 2023, 06:12:07 am:
Hi, I am a pfSense user, but I kept having problems so I decided to give OPNsense a try. I spun up an OPNsense firewall VM, spent the last few days learning it and today I came across these "Automatically generated rules", which stopped me dead in my tracks; I am not going to switch to OPNsense anymore.
However, I still would like to know why. It's mind-boggling why you would force firewall rules on people who want to use your product.
And to the people who will say don't use it: that's not the point. The point is you spend so much effort and time to make OPNsense a contender on the firewall market and shoot yourself in the foot by forcing your rules on people.
Is there a way to disable this nonsense? Automatically generated rules.
Last Edit: September 26, 2023, 06:14:38 am by newjohn
franco (Administrator), Reply #1, September 26, 2023, 07:25:51 am:
To add irony to insult: we've inherited automatic rules from pfSense, where you couldn't even see them. We fixed that problem in 2019 (19.7) and added reference links to the settings pages where available, to be able to disable them one by one. For newer components we've also stopped adding automatic rules, as is the case with IPsec connections and OpenVPN instances.
I understand your concern but it's fundamentally misplaced with your conclusion in mind.
Cheers,
Franco
newjohn, Reply #2, September 26, 2023, 07:48:41 am:
Hi Franco, to start with, thank you for taking the time to respond. Also, I am not insulting OPNsense, no. I have been using pfSense for years and always had a heart to migrate to OPNsense, but never got round to it. Now that I decided to take the plunge, it's disappointing to see some things are forced in OPNsense.
Also, I am surprised that this is also the case in pfSense, although I did not see it in practice. I just don't understand why I cannot control what firewall rules are added. Why do you need those automatically generated ones? This adds to the complexity of having to cater for the automatically added ones when you configure your rules.
As an example:
I was testing inter-VLAN comms. I added a rule to VLAN 200 to allow ping but not to VLAN 100, so in practice you would expect VLAN 200 to be able to ping VLAN 100, but VLAN 100 should not be able to ping back VLAN 200. However, to my surprise both PCs can ping each other. So I assume the reason ping is working is due to this auto rule?
Therefore, when ping is working you don't know if that firewall rule is kicking in. You could use logs for that, I guess, but you see the irony here? Anyone who takes on a project like OPNsense will have at least some basic IT skills, so making some rules mandatory is confusing and unnecessary.
And to the million dollar question: even if they were in pfSense, why did you keep them in OPNsense? What is the purpose of these auto-generated rules anyway? I am baffled as to why they are there, forcing the firewall to only work a certain way.
Did I understand you correctly that you can disable these rules, even if it's one by one? If that's the case, great. Can you please point me to the link where it shows how to disable these rules?
TIA
Last Edit: September 26, 2023, 07:57:57 am by newjohn
franco (Administrator), Reply #3, September 26, 2023, 07:59:38 am:
Ping only works for the initial LAN interface (incoming to the firewall) where there is a "pass all" rule. All other interfaces created do not have this shortcut.
> And to the million dollar question
Because people have relied upon them for years, even a decade, and suddenly removing them would have left everyone stranded. Coupled with the fact that pfSense tried to say OPNsense is just a buggy pfSense, it would have discouraged even more people in the beginning.
As I said, we worked on this topic in the scope that we could. We made improvements and removed some of those automatic rules. But the ping issue you describe is not possible to my knowledge for anything but the default LAN interface. And that's not even an automatic rule -- it's explicit and can be removed from the rules screen just like in the other project.
Cheers,
Franco
newjohn, Reply #4, September 26, 2023, 08:10:59 am:
Hi Franco, I feel like I am missing something obvious here.
Is there a way to remove/disable the auto-generated rules?
franco (Administrator), Reply #5, September 26, 2023, 08:37:19 am:
Strictly talking about "automatic rules": in the rules listing you can expand the "Automatically generated rules" bit to the right, and the ones that have a GUI switch will show a magnifying glass beside them leading to the page where the setting can be turned off. Some automatic rules may not have a GUI option or directly depend on turning off a service like DHCP in order to get rid of them, but these are really basic rules that ensure functionality.
Talking about your VLAN ping issue, I'd suggest you redo your test consciously, because as I said none of the automatic rules will allow ping from interface to interface by default, except if you repurpose the LAN interface where these rules exist: "Default allow LAN [IPv6] to any rule".
It's imperative that you don't mix up these two things going forward. I don't think you will have much beef with either standard behaviour described here.
Cheers,
Franco
newjohn, Reply #6, September 26, 2023, 08:47:30 am:
Here is a quick and dirty diagram to explain.
Any idea how this ping from VLAN 190 is working?
franco (Administrator), Reply #7, September 26, 2023, 09:04:14 am:
It might not be going over the firewall at all. You can do a packet capture on the OPNsense to see if that is true.
I'd still doubt the firewall will even let this through. Try to ping the firewall IP from the VLAN on the right?
Cheers,
Franco
newjohn, Reply #8, September 26, 2023, 09:37:59 am:
I can ping the IP address of OPNsense. Also, if I do a traceroute to the destination IP it tells me it uses the OPNsense as a gateway, as .253 is the test OPNsense. This is why I was baffled before. I first thought this was due to the auto rules, but from your reaction it seems that's not the case and something else is happening?
New to OPNsense, trying to figure out how to do a capture. If I can get it to work I will post it too.
Monviech (Cedrik) (Global Moderator), Reply #9, September 26, 2023, 09:56:02 am:
Sorry for butting in, but maybe this can help:
When you install OPNsense the first time, it will create two interfaces by default:
- WAN
- LAN
There will be two predefined rules in "Firewall: Rules: LAN" after installation which allow:
"IPv4" proto "ANY" from Source "LAN net" to Destination "ANY"
"IPv6" proto "ANY" from Source "LAN net" to Destination "ANY"
If you create any additional interfaces (for example OPT1), there won't be any automatic predefined rules in "Firewall: Rules: OPT1".
- If you ping from a LAN client to an OPT1 client, the packet is received by the LAN interface. The matching rule in "Firewall: Rules: LAN" - "IPv4 proto ANY Source LAN net to Destination ANY" is found, and the ping will be delivered directly to its destination. Due to the statefulness of the firewall, the reply is allowed back from OPT1 to LAN.
- If you ping from an OPT1 client to a LAN client, the packet is received by the OPT1 interface. No matching rule in "Firewall: Rules: OPT1" is found, and the firewall will drop the packet with a "Default Deny - State Violation".
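The asymmetry Monviech describes (and the VLAN 200 / VLAN 100 test in the original post) comes from two pf properties: rules are evaluated only on the interface a packet enters, and a packet matching an existing state is passed before any rule is consulted. The toy model below is an added example for this thread, not OPNsense or pf code; the interface names (`lan`, `opt1`), networks and addresses are made up, and the state key is a simplified (proto, src, dst) tuple rather than pf's full key with ports, ICMP id and direction.

```python
"""Toy model of pf-style stateful, per-interface filtering as OPNsense applies it.
Added example for this thread, not OPNsense or pf source code; interface names,
networks and addresses are made up."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS the firewall on
    proto: str   # "icmp", "tcp", ...
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    iface: str         # a rule is only consulted for packets entering its interface
    action: str        # "pass" or "block"
    proto: str         # "any" or a protocol name
    src_net: str       # CIDR or "any"
    dst_net: str       # CIDR or "any"
    description: str

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and self.proto in ("any", pkt.proto)
                and _in_net(pkt.src, self.src_net)
                and _in_net(pkt.dst, self.dst_net))


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class StatefulFirewall:
    """First matching rule wins (OPNsense GUI rules are 'quick' by default);
    no match on the ingress interface falls through to the default deny."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # (proto, src, dst) flows created by a pass rule

    def filter(self, pkt: Packet):
        # A packet belonging to an existing state is passed before any rule is
        # looked at, on whichever interface it arrives. This is how the echo
        # reply gets back in through opt1 although opt1 has no pass rule.
        if (pkt.proto, pkt.dst, pkt.src) in self.states:
            return "pass", "existing state (reply direction)"
        if (pkt.proto, pkt.src, pkt.dst) in self.states:
            return "pass", "existing state"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add((pkt.proto, pkt.src, pkt.dst))
                return rule.action, rule.description
        return "block", "Default deny / state violation rule"


# Made-up example networks and hosts.
LAN_NET, OPT1_NET = "192.168.1.0/24", "192.168.2.0/24"
LAN_PC, OPT1_PC = "192.168.1.10", "192.168.2.10"

# Only the initial LAN interface carries the "Default allow LAN to any" rule;
# a later-created OPT1 interface starts with an empty rule set.
DEFAULT_RULES = [
    Rule("lan", "pass", "any", LAN_NET, "any", "Default allow LAN to any rule"),
]


def lan_to_opt1_ping(fw=None):
    """LAN client pings OPT1 client: request enters on lan, reply enters on opt1."""
    if fw is None:
        fw = StatefulFirewall(DEFAULT_RULES)
    request = fw.filter(Packet("lan", "icmp", LAN_PC, OPT1_PC))
    reply = fw.filter(Packet("opt1", "icmp", OPT1_PC, LAN_PC))
    return request, reply


def opt1_to_lan_ping(fw=None):
    """OPT1 client pings LAN client: request enters on opt1, where nothing passes."""
    if fw is None:
        fw = StatefulFirewall(DEFAULT_RULES)
    return fw.filter(Packet("opt1", "icmp", OPT1_PC, LAN_PC))


if __name__ == "__main__":
    print("LAN -> OPT1:", lan_to_opt1_ping())
    print("OPT1 -> LAN:", opt1_to_lan_ping())
```

Adding a single `pass icmp` rule on `opt1` (a rule you would create yourself, as the original poster did on VLAN 200) is enough to flip the second case to a pass; if both directions pass with no such rule present, the traffic is not being decided by these rules at all.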
newjohn, Reply #10, September 26, 2023, 10:13:04 am:
Hi Monviech, thank you for chiming in. Hopefully we will get to the bottom of this.
The issue is that both of these interfaces are VLANs. VLAN 160 is opt7 and VLAN 190 is opt10. So according to what you said above I should NOT be able to ping between the VLANs from both sides, but the result is different.
I also noticed something else. You said only the (original) LAN should have the auto rules, but not any OPT interface you create afterwards. I just checked, and all the extra VLANs I created somehow all have the auto rule already on them. Any idea how that might have happened, and how to disable/delete them if possible?
Monviech (Cedrik) (Global Moderator), Reply #11, September 26, 2023, 10:25:09 am:
Can you post the output of:
Firewall: Diagnostics: Statistics: rules - filter rules
Maybe that way it's easier to see what's wrong with the opt7 and opt10 interface rules.
Since the output might be pretty long, use the code tags.
Last Edit: September 26, 2023, 10:26:42 am by Monviech
franco (Administrator), Reply #12, September 26, 2023, 10:36:32 am:
> somehow all have the auto rule already on them
Man, I just explained this multiple times. Automatic rules are not the default allow-all rule from the default LAN configuration. And automatic rules are not automatic allow-all rules. Please do not mix those up.
Can you just do the capture or turn on rule logging to confirm whether packets flow through the firewall or not? Since we only have evidence that blocking doesn't work, the likeliest outcome is that traffic is not going through the firewall.
Cheers,
Franco
Last Edit: September 26, 2023, 10:40:13 am by franco
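Franco's check is to turn on rule logging and see which interface and rule decided the flow. The parser below is an added example for this thread, not OPNsense code: it reads pf filterlog lines of the kind OPNsense writes to the firewall log (syslog prefix stripped here) using the filterlog CSV layout as assumed by the author (rulenr, subrulenr, anchor, label, interface, reason, action, direction, IP version, then the IP header fields, with src/dst at fields 18/19 for IPv4 and 15/16 for IPv6). The sample lines, interface names and 32-hex rule labels are constructed for illustration; OPNsense logs each rule's own label and resolves it in the GUI.

```python
"""Parse pf filterlog lines to see which interface and rule decided a flow.
Added example for this thread, not OPNsense code. Sample log lines, interface
names and rule labels below are constructed; the field layout is the filterlog
CSV as assumed by the author of this example."""
import csv
from collections import Counter
from dataclasses import dataclass

# Placeholder rule labels -> descriptions (made up; real labels are per-rule).
RULE_LABELS = {
    "11111111111111111111111111111111": "VLAN190 allow ICMP to any (user rule)",
    "22222222222222222222222222222222": "Default deny / state violation rule",
}

# Constructed sample: two ICMP echo flows between VLAN 190 and VLAN 160 hosts,
# one IPv4 pass on vlan0.190, two IPv4 blocks on vlan0.160, one IPv6 block.
SAMPLE_LOG = """\
90,,,11111111111111111111111111111111,vlan0.190,match,pass,in,4,0x0,,64,40001,0,DF,1,icmp,84,192.168.190.10,192.168.160.10,request,4321,1
12,,,22222222222222222222222222222222,vlan0.160,match,block,in,4,0x0,,64,40002,0,DF,1,icmp,84,192.168.160.10,192.168.190.10,request,4322,1
12,,,22222222222222222222222222222222,vlan0.160,match,block,in,4,0x0,,64,40003,0,DF,1,icmp,84,192.168.160.10,192.168.190.10,request,4322,2
12,,,22222222222222222222222222222222,vlan0.160,match,block,in,6,0x00,0x00000,64,ipv6-icmp,58,64,fd00:160::10,fd00:190::10,request,4323,1
"""


@dataclass(frozen=True)
class LogEntry:
    rulenr: str
    label: str
    iface: str
    action: str
    direction: str
    ipver: str
    proto: str
    src: str
    dst: str


def parse_line(line: str) -> LogEntry:
    f = next(csv.reader([line]))
    if f[8] == "4":
        proto, src, dst = f[16], f[18], f[19]
    elif f[8] == "6":
        proto, src, dst = f[12], f[15], f[16]
    else:
        raise ValueError(f"unknown IP version field {f[8]!r}")
    return LogEntry(f[0], f[3], f[4], f[6], f[7], f[8], proto, src, dst)


def parse_log(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flow_verdicts(entries):
    """Count (iface, action, proto, src, dst) so the interface that decided each
    flow, and how, is visible at a glance."""
    c = Counter()
    for e in entries:
        c[(e.iface, e.action, e.proto, e.src, e.dst)] += 1
    return c


def flows_seen(entries, src, dst):
    """(iface, action) pairs the firewall logged for src -> dst. An empty set means
    nothing was logged for that flow: either it never traversed the firewall, or
    the rule that matched it has logging disabled (check that before concluding)."""
    return {(e.iface, e.action) for e in entries if e.src == src and e.dst == dst}


def describe(entry: LogEntry) -> str:
    rule = RULE_LABELS.get(entry.label, f"label {entry.label}")
    return f"{entry.iface} {entry.direction} {entry.action}: {entry.proto} {entry.src} -> {entry.dst} ({rule})"


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(describe(e))
```

In the constructed sample the 190 -> 160 request is passed on `vlan0.190` by the user rule and the 160 -> 190 request is blocked on `vlan0.160` by the default deny, which is the asymmetric result the thread expects. If a live log shows no line at all for either direction while logging is enabled on the relevant rules, the pings are not crossing this firewall.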
newjohn, Reply #13, September 26, 2023, 10:45:55 am:
In response to Monviech: Filter rules:
I could not find a way to export it; instead I attached a screenshot of the firewall rules. Does this help?
Last Edit: September 26, 2023, 10:54:55 am by newjohn
newjohn, Reply #14, September 26, 2023, 10:50:56 am:
In response to Franco:
I think I get now what you mean by them being different. The LAN contains two rules from the get-go, whereas any new interface you create won't have these two rules, but all the interfaces will have the auto rules.
Although I think I get it, I am still not clear on why my ping works. Anyone got a clue what is happening?
TIA