Rule to block a port for all LAN but allow on a single or group of clients

Started by jata, January 28, 2025, 05:57:07 AM

I know this is probably a basic concept but I am a noob - so apologies and I hope someone can help me.

I understand that rules are applied in sequence from top to bottom and I wanted to check I am on the right track.

I want to block access to port 2375 apart from my 2 docker hosts on the LAN interface.

Is this close? Thanks in advance.

rule1: allow port 2375 for alias containing my two docker hosts
rule2: reject port 2375 for LAN net
rule3: default allow LAN net

Put the docker hosts in a separate VLAN, otherwise you are engaged in security theatre. If there's something/someone you don't trust on your LAN, then you can't trust them not to spoof their source IP to bypass your policy.


Better still, put the untrustworthy devices (IoT?) on their own VLAN/SSID and restrict them aggressively.

Thanks. It's only for my homelab setup and I like it simple. Manageable risk on my family LAN. Important data backed up off-site. Don't have any IoT that concerns me either.

Am I on the right track with the rules I outlined above?


Nope, sorry. The top two rules will never be invoked since traffic on the LAN will not go via the firewall. The firewall is a layer-3 router, so it will only control traffic from one subnet to another.

I see. Thanks for clarifying. That makes sense now I think about it and explains why I can't see anything in the live log when I expected to.

So is what I am trying to do not possible in opnsense unless I go down the VLAN route?

It is not possible with any firewall. Devices in the same network communicate directly with each other, going through the switch without involving a router in between. A firewall is (in most cases) a router.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
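An added example, not from anyone in this thread, modelling the two points made above: OPNsense-style first-match evaluation of the three posted rules, and the fact that same-subnet traffic is switched without the firewall ever seeing it. It assumes a constructed LAN (192.168.1.0/24), a constructed separate VLAN (192.168.20.0/24) hosting the port-2375 service, and that the docker-host alias is used as the rule's source.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the model (not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # "LAN net"
SERVER_NET = ipaddress.ip_network("192.168.20.0/24")   # separate VLAN with the 2375 service
DOCKER_HOSTS = frozenset({ipaddress.ip_address("192.168.1.10"),   # alias members
                          ipaddress.ip_address("192.168.1.11")})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "pass" or "reject"
    src: object                        # ip_network or frozenset of ip_address
    dport: Optional[int] = None        # None means any destination port

    def matches(self, src, dport):
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src         # works for both a network and a frozenset


# The poster's three rules on the LAN interface, top to bottom.
RULES = [
    Rule("rule1", "pass",   DOCKER_HOSTS, 2375),
    Rule("rule2", "reject", LAN_NET,      2375),
    Rule("rule3", "pass",   LAN_NET),
]


def decide(src, dst, dport, rules=RULES):
    """Fate of a TCP connection attempt from src to dst:dport originating on the LAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Same subnet: the switch delivers the frame directly; the router never sees it.
    if src in LAN_NET and dst in LAN_NET:
        return "switched locally, rules not evaluated"
    for rule in rules:                 # first match wins, as in OPNsense
        if rule.matches(src, dport):
            return f"{rule.action} by {rule.name}"
    return "blocked by default deny"


if __name__ == "__main__":
    print(decide("192.168.1.10", "192.168.20.5", 2375))   # docker host, routed: pass by rule1
    print(decide("192.168.1.50", "192.168.20.5", 2375))   # other LAN host, routed: reject by rule2
    print(decide("192.168.1.50", "192.168.1.10", 2375))   # same subnet: never reaches the firewall
```

Swapping rule1 and rule2 makes the docker hosts hit the reject first, which is the ordering point the original post asked about.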

Right. Thanks for the clarification. Will delete my useless FW rules now. haha

I have now switched my docker hosts to use TLS authentication so I have some protection/security in place now.