Setting filters on a DMZ interface

Started by tonys, March 27, 2025, 08:48:07 PM

I would remove that "Internet -> WAN (Firewall)" rule on the spot.
It ALLOWS any Internet host that is NOT in your alias to access any port on your public WAN IP!

An allow rule is not blocking anything in any case!!!
An Allow rule with a source (not inverted) only allows hosts matching the criteria.
An allow rule with an inverted (!) source allows all EXCEPT hosts matching the criteria.

More on the rest later.

As mentioned in the previous post, that first FW rule needs to go.

The PF rules look fine to me. The corresponding FW rules match my expectations as well.
The destination in the associated FW rule might seem weird but these are evaluated after the PF rule transform.

Your alias is of type networks.
Per the Alias doc, all entries should be in CIDR notation (or wildcard notation).
That includes a /32 for hosts.
Just including IPs is likely causing a failure at least for these IPs, if not for the entire alias. I have not tested the failure mode.
So at best, the alias only includes the networks. At worst, it's empty. Allowed sources are any EXCEPT that content.
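To make the two points above concrete (an alias of type networks wants CIDR entries, and a pass rule with an inverted source lets through every host the alias does not cover), here is an added example that is not from the thread or from OPNsense. It models a networks alias and a pass rule in plain Python; the alias entries are constructed, and how OPNsense itself treats a bare IP in such an alias is not tested here (the poster says the same), so the code only flags them and rewrites them to /32.

```python
import ipaddress

# Constructed alias content for an alias of type "networks":
# two proper CIDR networks plus one bare host IP, as in the thread.
SAMPLE_ALIAS = ["203.0.113.0/24", "198.51.100.7", "192.0.2.0/28"]


def normalize_networks_alias(entries):
    """Return (networks, problems).

    Every entry should be CIDR per the alias doc. A bare host IP is reported
    as a problem and rewritten to /32 (or /128 for IPv6); anything that is
    neither an IP nor a CIDR is reported and skipped.
    """
    networks, problems = [], []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if "/" not in entry:
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                problems.append(f"{entry}: not an IP address or CIDR")
                continue
            problems.append(f"{entry}: bare host, write it as {entry}/{addr.max_prefixlen}")
            networks.append(ipaddress.ip_network(entry))  # becomes /32 or /128
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            problems.append(f"{entry}: invalid CIDR")
    return networks, problems


def in_alias(ip, networks):
    """True if the host IP falls inside any network of the alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def pass_rule_matches(src_ip, networks, source_inverted):
    """Model a pass rule whose source is the alias (or NOT the alias).

    With source_inverted=True the rule passes every host that is *not* in the
    alias, which is why an empty or degraded alias ends up allowing everyone.
    """
    hit = in_alias(src_ip, networks)
    return (not hit) if source_inverted else hit
```

Run `normalize_networks_alias(SAMPLE_ALIAS)` to see the bare host flagged, then compare `pass_rule_matches("192.0.2.200", nets, True)` against the same call with an empty alias: both pass, and the empty alias passes the listed networks as well.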

Quote from: EricPerl on March 28, 2025, 07:13:30 PM
I would remove that "Internet -> WAN (Firewall)" rule on the spot.
It ALLOWS any Internet host that is NOT in your alias to access any port on your public WAN IP!

An allow rule is not blocking anything in any case!!!
An Allow rule with a source (not inverted) only allows hosts matching the criteria.
An allow rule with an inverted (!) source allows all EXCEPT hosts matching the criteria.

More on the rest later.

Removed.

Quote from: tonys on March 28, 2025, 06:09:51 PM
I also added a screen shot showing the tens of thousands of bogon IPs slipping through to my OpenVPN Access server and being trapped by fail2ban. Many of these are already in the tony_bogons list.
If you press the 'Inspect' in the NAT and WAN firewall rules, do you see them matching?
NAT rules come before the firewall rule, I assume that was already mentioned in the thread. When I try that out, no rule on the WAN interface is necessary, only in the NAT port forwarding (and that creates one automagically).

You did press 'Apply' after changing the alias, yes?
Deciso DEC740

March 28, 2025, 08:38:51 PM #19 Last Edit: March 28, 2025, 08:44:15 PM by tonys
@patient0... Ding ding ding, you nailed it! There *were* 0 evaluations or matches being made according to Inspect in the WAN rules. There's no Inspect button in the port forwarding rules but I did find *old* PASS rules prior to the new block rules. The old rules weren't showing up earlier for some reason but when I erased all the categories, they showed up. Oops! I deleted the old port forward rules and left only the new ones and now I'm getting hundreds of matches per minute showing up in the WAN rules.

Thank all of you for resolving this mess. The Inspect Results attached show what's hitting me in a 5-minute time period. Fail2ban is now almost dead quiet running on the OpenVPN Access server which was my long-term goal :-)

Tony