Automatically generated rules - allow any to any?

[nerd]

For every VLAN, including WAN, my FW has automatically created the following rule (hidden under "Automatically generated rules" pulldown menu.

Code: [Select]

Protocol Source Port Destination Port Gateway # Schedule Description
IPv4+6*         * * *     * * * *     let out anything from firewall host itself

I would understand if the source would be VLAN_address, but not an allow any to any.
Since it is autogenerated, I can not simply delete or adapt this rule either.

Hopfully I am misinterpreting this rule? If not, where does it come from and how do I get rid of it?

[jp0469]

What exactly is concerning you about those rules? I believe it's required for NAT functionality. Also, did you happen to notice the rule direction?

[nerd]

What exactly is concerning you about those rules? I believe it's required for NAT functionality. Also, did you happen to notice the rule direction?

No, I did not notice the direction.
Direction is OUT, whereas 'normal' rules are IN. Much appreciate to point this out.

So basically my FW rules block/allow INcoming traffic and once allowed the FW needs a rule to let this traffic back OUTgoing to the destination VLAN?

Or do I still misunderstand this rule?

[Patrick M. Hausen]

So basically my FW rules block/allow INcoming traffic and once allowed the FW ...

automatically sets up a state table entry that allows this same flow out wherever it is routed.

... needs a rule to let this traffic back OUTgoing to the destination VLAN?

Nope. The "allow all out" rule is for traffic that did never come in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.

Hence the description: "let out anything from firewall host itself"

[nerd]

Nope. The "allow all out" rule is for traffic that did never come in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.
Hence the description: "let out anything from firewall host itself"

Mmm, then why do I see client<>server DNS traffic hitting this rule/label?

For example my client requesting DNS resolving from the server (not the FW).
In FIREWALL: LOG FILES: LIVE VIEW this shows up twice even though the FW should just pass the traffic:

client_vlan   OUT 2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   let out anything from firewall host itself   
server_vlan  IN   2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   My DNS rule


Sorry if IU am being a bit dense here somewhere, but I'd love to actually understand this now.

[nerd]

Sorry if IU am being a bit dense here somewhere, but I'd love to actually understand this now.

Anyone understand this and willing to explain?  Pretty please?

[Seimus]

Nope. The "allow all out" rule is for traffic that did never come in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.
Hence the description: "let out anything from firewall host itself"

Mmm, then why do I see client<>server DNS traffic hitting this rule/label?

For example my client requesting DNS resolving from the server (not the FW).
In FIREWALL: LOG FILES: LIVE VIEW this shows up twice even though the FW should just pass the traffic:

client_vlan   OUT 2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   let out anything from firewall host itself   
server_vlan  IN   2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   My DNS rule


Sorry if IU am being a bit dense here somewhere, but I'd love to actually understand this now.

What you see here is correct,

You are hitting In rule for you DNS and than you hit the allow all out rule default, as by default OPNsense permits all traffic EGRESS. Explicit deny is only by default in Ingress.

let out anything from firewall host itself
 - Rule to pass Egress all traffic

let out anything from firewall host itself (force gw) 
 - Rule to pass Egress all traffic originating from FW WAN interface

Check the Rule > floating, you have them at the bottom

Regards,
S.