Not understanding firewall rules

johnpoz

@barth said in Not understanding firewall rules:

'm able to replace several rules with this one.

Why is that advantage? Unless you had like hundred of rules that you had to scroll through? 1 rule vs 100 isn't going to be seen as any sort of performance bump, etc.

Replacing multiple rules combining things to me would be disadvantage in ease of reading the rule, and in making slight changes to it, etc. Bang (!) rules do a use cases - but normally its less complex to just clearly create a very explicit rule, be that 10 rules so what they are one time things - your not having to edit rules every day are you? On multiple interfaces, etc.

BartH

First, let me clearly state I am not trying to be argumentative. I truly enjoy a thorough discussion of any computer subject as I have learned so much from them.

So, in defense of my way of doing it, The way I read Netgate's documentation is that the best way of creating rules is to realize that everything is blocked by default and rules should be created to allow only what is wanted. I took that as a challenge. I was able to limit my allowance to only the part of the range of IPs I wanted and by creating a single pass rule for ports above this one, I did everything with just two rules. With only two rules to look at and understand, I think the way I did it, is actually easier to understand.

Your turn! :-)

Bart

Patch

@barth said in Not understanding firewall rules:

I think the way I did it, is actually easier to understand.

But in practice it is not easier to make it work as the bang rules are more likely to have consequences which are not as obvious.
There is a difference between thinking understanding is good and the understanding actually being accurate.

BartH

Point taken!

johnpoz

@barth Your two rules don't work.. Or why is there even this thread ;) So clearly you don't understand them very well ;)

I did everything with just two rules.

If that is what you want that is fine.. Lets see you rules you have created.

What did you accomplish? Did you block access to your pfsense web gui? Which is most likely a public IP?

Was not aware there was a contest to see how few rules you could create to accomplish what you want to accomplish. Bang rules have had issues in the past, especially if your using vips.. Have at it that is what you want to do.

I am not taking your comments as argumentative btw - I too like a discussion and am very passionate about this subject matter so please do not take any of my comments as negative or argumentative... More than happy to discuss the many different ways to skin a cat.. Firewall rules can be done in different ways to accomplish the same goal.. As long as your goal is accomplished be it you take a shortcut or a the long way doesn't matter as long as you fully understand what the rules are saying and what they are doing.. And able to troubleshoot them if need be to why something might not be working the way you think they should be working.

I am a fan of KISS (keep it simple stupid).. If you can do something easy, then do it that way. But to me that is being very explicit in exactly what the rules are doing. That bang symbol can be missed when looking at rules ;)

I had a very similar discussion long time ago with very smart guy on this forum.. And one thing he said made great sense, don't block with an allow.. I wasn't seeing it that way, I was seeing at a more explicit allow, etc. But in the long run his point was very valid. If you want to block then block, if you want to allow then allow - its a less convoluted method, and is more in line with the KISS practice ;)

BartH

You know (I think it's obvious) I'm new to this networking thing. I made my living years ago doing custom, contract programming. I wanted Vlans on my network for the usual reasons. I thought, "Networking? Huh, you just plug in the cables and it works! I can even make my own cables. How hard can this be?" Well, I found out. And, learned a whole lot of respect for this end of the business. So now I'm sure you can understand where I come from. By the way, I've been out of the computer business for nearly 20 years.

You want to see my rules. Do I do a screen capture and use the little button, second on the right, to upload it?

Or, as they're only two, should I just describe them? /S

As far as don't block with an allow, that does make a great deal of sense.

I do want to split my IOT Vlan up a little more. At what point would I be seeing a degradation in performance? How hard can I push this little 4100?

rcoleman-netgate

@barth said in Not understanding firewall rules:

How hard can I push this little 4100?

I suspect you're barely making it sweat at this point. The 4100 is one of the fastest systems we sell. If it was a 2100 I might be worried.

BartH

Well, that's good to know. I was looking at the 6100 but, on a fixed income, it was a little more than the budget would allow at this time.

BartH

johnpos
Should we take this off list? If you like, I can create a temporary email address to post here and delete it when you reply. Up to you.

Bart

johnpoz

@barth said in Not understanding firewall rules:

At what point would I be seeing a degradation in performance?

What by adding a few extra vlans? Or a few 100 rules? That is not going to be a problem.. As I mentioned a few rules isn't something that would be in any way different in performance - now if you were talking 1000's of rules?

And yes the best way to go over rules is to post a screenshot - like I did with my example rules for a locked down interface.

BartH

Alright! Y'all convinced me! I'll remove my bang rule.

Regarding this though, prompts one further question about your rfc1918 alias: Your show 10/8, 172.16/12 and 192.168/16. Did you really mean the IPs as you typed them, or should they actually be 10.0.0.0, 172.16.0.0/12 .... I created an alias of type network and actually entered the networks just as you had typed them. pfSense seemed to accept them this way. I then edited the alias and changed them to the full length of the IP, and pfSense seemed to like it as well. Is either way acceptable? Would it have worked if I had left the short versions?

johnpoz

@barth my method just a shortcut, no reason to show zeros that everyone knows is there ;)

Have to see if pfsense actually would use - I was not aware it would, sorry for any confusion my laziness might have caused..

edit:
it doesn't seem to work - even if it takes, them if I go back into the alias its not correct after hitting save

Sorry if my laziness was misleading to how they should be entered.

BartH

Not a problem. I kinda thought that was the case, but wanted to make sure.

BartH

Well, YAHOO! I got my system working like I want it to.

I want to express sincere thanks to all who had the patience to point me in the right direction.

johnpoz, Next time you're in my area, get in touch with me. I'll take you out for a nice Buffalo steak!

Bart