About the usage of "Direction: Any" on the firewall floating rules

[jorglodita]

Hi! I need some kind of updated (January 2024) confirmation on this question, as I read contradictory responses in some forums and websites.

I already know the basics, OPNsense blocks all WAN connections by default and floating rules apply to all interfaces (so be careful with them).
As OPNsense blocks all connections by default lets think I will be opening some ports to host some service (disclaimer, this is very dangerous, just using this as an example)

Lets say I have a nice blocking list: "the_most_dangerous_ips", already created an alias.

As OPNsense block WAN connections by default I will create a floating rule: "block", direction "out", source "any", destination "the_most_dangerous_ips".

That works perfectly on all my VLAN, already tried : just have to ping any of those "dangerous ips" before and after the rule.

Now the question, that I have made in different forums on the past and always have different answers. Imagine I start opening ports to host a lot of services from my house (again disclaimer: this is totally dangerous, I put this example for learning purposes).

Remember I already have a good block list with all the nasty ip around, and a floating rule.

Scenario A: I can modify the outbound rule I already had to "block", direction "ANY", source "any", destination "the_most_dangerous_ips". In this scenario I changed the direction to "ANY", so I cant connect to those ip nor "be connected" from those ip.

Scenario B: The "Direction: Any" does NOT work in floating rules, I need to create another rule, this time with "direction: in", to be protected again inbound connection from those IP. If this is the real scenario I know probably its better just to put a WAN rule, not floating.

Hope someone can throw some light in this question, its easy to check if the outbound part works (and it works with "direction: any", but cant test the inbound part.

Thanks a lot in advance!