Firewall Zones

Started by pongafence, May 31, 2018, 05:15:02 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 31, 2018, 05:15:02 AM
Hi all,

Was wanting to know if the concept of "firewall zonies" has been or is going to be implemented into OPNsense.


Thanks,
D
May 31, 2018, 08:56:06 AM #1
no and it won't because this is outdated (if you are talking about red, orange, green and blue zones like in ipfire). In OPNsense, any interface (virtual or physical) can be a wan uplink, dmz or an internal network. You can also group some interfaces for example your internal LAN interfaces.
May 31, 2018, 11:12:36 AM #2
For all intents and purposes, zones are interfaces in OPNsense. The definition is a bit fuzzy because interfaces can also be physical interfaces, but in general all interfaces in the menu with [NAME] or in the firewall rules tabs are zones.

Bridges make this a bit more complicated as well. But all in all it's just a naming thing that's hard to change without hurting language translations, documentation and ease of use for people used to M0n0wall, pfSense and OPNsense.


Cheers,
Franco
May 31, 2018, 12:35:09 PM #3
Hi,

Thanks for that.  Funny you should mention it about being dated.

Anyway, more along the lines of how the likes of Fortinet, Cisco, CheckPoint etc.  How they create "Zones", then assign "interfaces", be it physical or virtual, and group them together.  And then using firewall rules that applied to "intra-zone" traffic, but still allow all traffic within a "zone" to flow without rules.
May 31, 2018, 12:43:13 PM #4
You may have misinterpreted Fabian's comment about IPFire. It was not meant to include the vendors you mentioned.

Yes, an interface in OPNsense is a zone. You can change the underlying physical interface in the interfaces assignment page.


Cheers,
Franco
May 31, 2018, 01:00:45 PM #5
Quote from: franco on May 31, 2018, 12:43:13 PM
You may have misinterpreted Fabian's comment about IPFire. It was not meant to include the vendors you mentioned.
Probably yes - if somebody is talking about zones, I usually understand that this default policies are meant:
https://wiki.ipfire.org/configuration/firewall/default-policy
May 31, 2018, 01:02:42 PM #6
If you want to compare with Cisco IOS zones you should use floating rules.
May 31, 2018, 01:17:50 PM #7
Ah yeah okay.  I was thinking about using Floating instead.  But then wasn't too sure if it'd achieve the same sort of thing.
May 31, 2018, 01:22:37 PM #8
If we talk floating you can also do firewall groups ;)


Cheers,
Franco
May 31, 2018, 01:37:13 PM #9
Yep, look at floating or firewall groups, which way fits you best :)
Print
Go Up Pages1
User actions