Not understanding firewall rules

SteveITS

@rcoleman-netgate said in Not understanding firewall rules:

What is the definition of the "internal" alias?

"alias named Internal which is 10.50.0.0/19" ;)

Bart you may want to block access to the pfSense IPs notably the WAN IP. Use "This Firewall", see the last picture in https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html#strict-management.

rcoleman-netgate

@steveits said in Not understanding firewall rules:

"alias named Internal which is 10.50.0.0/19" ;)

oooooooooo i seeeeeeeeeee :D

BartH

@SteveITS
My intention with this rule is to block access from IOT to all devices and or Vlans on this network Except for the internet. That's why I used that address in the alias Internal

Bart

BartH

This post is deleted!

BartH

Sorry for the screwed up post above this:

Well, let's try this:

10.50.0.0/19 would include any IP between 10.50.0.0 and 10.50.99.255
and would exclude any IP between 10.50.100.0 and 10.50.255.255

Is this correct?

And, if so, if my alias Internal is 10.50.0.0/19 and my rule says to pass anything to NOT Internal, shouldn't it block anything in the first group of IPs?

And, if this is correct then, from a computer plugged into a port on my switch that is assigned to IOT, and has an IP address of 10.50.20.200, I should be able to ping anything on the IOT Vlan, and nothing else.

Is this correct?

But, I can!

keyser

@barth No.

The firewall evaluates rules from top down to se if it can match traffic to a rule. A match is when the rule specifically matches both the source and destination of the packet. If no rules match (passed the last visual rule), the traffic is dropped by the firewall.

In your case the ping against IPs on you other VLANs does not match the first rule (destination: !internal).
So it passes on to the next rule which is any/any. It matches, and thus you can ping anything. If you ONLY want internet access, you need to delete your second rule. Then you have achieved what you are looking for.

Rememeber though:

1: Clients will get a IP from Firewall DHCP even though no rules visually pass DHCP traffic. That’s a build in feature.
2: If you only have a rule to allow access to the Internet, you need to setup the DHCP server to provide internet based DNS servers instead of the Firewall itself. Otherwise they cannot resolve names.

johnpoz

Not a fan myself of the ! method.. Rules should be very explicit so they are easy for both pfsense and the user to interpret.

If you do not want this vlan/network to get to your other vlans/networks - then create a alias that includes your networks, or all rfc1918 space for that matter and block/reject it vs using a ! rule..

Here is example of a locked down network.

You can adjust per your specific wants/needs - these allow ping, dns, and ntp to talk to the pfsense interface on this network. Blocks all other access to any pfsense IP - this prevents access to say the pfsense gui. The rfc1918 alias prevents access to any of your other networks, 10/8, 172.16/12, 192.168/16

Reject can be better than block for internal because this tells the client right away via icmp message - hey you are not getting there, this can keep the client from banging its head trying to go there via retrans because it got no answer.

keyser

@johnpoz said in Not understanding firewall rules:

Not a fan myself of the ! method.. Rules should be very explicit so they are easy for both pfsense and the user to interpret.

If you do not want this vlan/network to get to your other vlans/networks - then create a alias that includes your networks, or all rfc1918 space for that matter and block/reject it vs using a ! rule..

Here is example of a locked down network.

You can adjust per your specific wants/needs - these allow ping, dns, and ntp to talk to the pfsense interface on this network. Blocks all other access to any pfsense IP - this prevents access to say the pfsense gui. The rfc1918 alias prevents access to any of your other networks, 10/8, 172.16/12, 192.168/16

Reject can be better than block for internal because this tells the client right away via icmp message - hey you are not getting there, this can keep the client from banging its head trying to go there via retrans because it got no answer.

For the record: I completely agree with @johnpoz, and my own firewall is configured exactly like his - because then the rules clearly tells you whats happening.
My only little snag with his approach is I do both :-)
My last rule - it's also called "allow Internet" - but it is a !RFC1918 rule, so it actually only allows access to internet. That way any mistake I might make above in blocking access, still does not get a free pass :-) The rule only allows what it says it does.

BartH

Thank you all so very much!

Late last night, or rather early this morning, The explanation keyser gave became my AHA! moment. You are right about keeping it simple, but using the !, I'm able to replace several rules with this one. With a background in programming, I usually don't have a problem with using this type of logic. Notice the "usually" there!

Guess I'm getting old.

Anyway, thanks to you all (again) I can mark this thread as Solved.

Bart

johnpoz

@barth said in Not understanding firewall rules:

'm able to replace several rules with this one.

Why is that advantage? Unless you had like hundred of rules that you had to scroll through? 1 rule vs 100 isn't going to be seen as any sort of performance bump, etc.

Replacing multiple rules combining things to me would be disadvantage in ease of reading the rule, and in making slight changes to it, etc. Bang (!) rules do a use cases - but normally its less complex to just clearly create a very explicit rule, be that 10 rules so what they are one time things - your not having to edit rules every day are you? On multiple interfaces, etc.

BartH

First, let me clearly state I am not trying to be argumentative. I truly enjoy a thorough discussion of any computer subject as I have learned so much from them.

So, in defense of my way of doing it, The way I read Netgate's documentation is that the best way of creating rules is to realize that everything is blocked by default and rules should be created to allow only what is wanted. I took that as a challenge. I was able to limit my allowance to only the part of the range of IPs I wanted and by creating a single pass rule for ports above this one, I did everything with just two rules. With only two rules to look at and understand, I think the way I did it, is actually easier to understand.

Your turn! :-)

Bart

Patch

@barth said in Not understanding firewall rules:

I think the way I did it, is actually easier to understand.

But in practice it is not easier to make it work as the bang rules are more likely to have consequences which are not as obvious.
There is a difference between thinking understanding is good and the understanding actually being accurate.

BartH

Point taken!

johnpoz

@barth Your two rules don't work.. Or why is there even this thread ;) So clearly you don't understand them very well ;)

I did everything with just two rules.

If that is what you want that is fine.. Lets see you rules you have created.

What did you accomplish? Did you block access to your pfsense web gui? Which is most likely a public IP?

Was not aware there was a contest to see how few rules you could create to accomplish what you want to accomplish. Bang rules have had issues in the past, especially if your using vips.. Have at it that is what you want to do.

I am not taking your comments as argumentative btw - I too like a discussion and am very passionate about this subject matter so please do not take any of my comments as negative or argumentative... More than happy to discuss the many different ways to skin a cat.. Firewall rules can be done in different ways to accomplish the same goal.. As long as your goal is accomplished be it you take a shortcut or a the long way doesn't matter as long as you fully understand what the rules are saying and what they are doing.. And able to troubleshoot them if need be to why something might not be working the way you think they should be working.

I am a fan of KISS (keep it simple stupid).. If you can do something easy, then do it that way. But to me that is being very explicit in exactly what the rules are doing. That bang symbol can be missed when looking at rules ;)

I had a very similar discussion long time ago with very smart guy on this forum.. And one thing he said made great sense, don't block with an allow.. I wasn't seeing it that way, I was seeing at a more explicit allow, etc. But in the long run his point was very valid. If you want to block then block, if you want to allow then allow - its a less convoluted method, and is more in line with the KISS practice ;)

BartH

You know (I think it's obvious) I'm new to this networking thing. I made my living years ago doing custom, contract programming. I wanted Vlans on my network for the usual reasons. I thought, "Networking? Huh, you just plug in the cables and it works! I can even make my own cables. How hard can this be?" Well, I found out. And, learned a whole lot of respect for this end of the business. So now I'm sure you can understand where I come from. By the way, I've been out of the computer business for nearly 20 years.

You want to see my rules. Do I do a screen capture and use the little button, second on the right, to upload it?

Or, as they're only two, should I just describe them? /S

As far as don't block with an allow, that does make a great deal of sense.

I do want to split my IOT Vlan up a little more. At what point would I be seeing a degradation in performance? How hard can I push this little 4100?

rcoleman-netgate

@barth said in Not understanding firewall rules:

How hard can I push this little 4100?

I suspect you're barely making it sweat at this point. The 4100 is one of the fastest systems we sell. If it was a 2100 I might be worried.

BartH

Well, that's good to know. I was looking at the 6100 but, on a fixed income, it was a little more than the budget would allow at this time.

BartH

johnpos
Should we take this off list? If you like, I can create a temporary email address to post here and delete it when you reply. Up to you.

Bart

johnpoz

@barth said in Not understanding firewall rules:

At what point would I be seeing a degradation in performance?

What by adding a few extra vlans? Or a few 100 rules? That is not going to be a problem.. As I mentioned a few rules isn't something that would be in any way different in performance - now if you were talking 1000's of rules?

And yes the best way to go over rules is to post a screenshot - like I did with my example rules for a locked down interface.

BartH

Alright! Y'all convinced me! I'll remove my bang rule.

Regarding this though, prompts one further question about your rfc1918 alias: Your show 10/8, 172.16/12 and 192.168/16. Did you really mean the IPs as you typed them, or should they actually be 10.0.0.0, 172.16.0.0/12 .... I created an alias of type network and actually entered the networks just as you had typed them. pfSense seemed to accept them this way. I then edited the alias and changed them to the full length of the IP, and pfSense seemed to like it as well. Is either way acceptable? Would it have worked if I had left the short versions?