Firewall rules based on interface

fwadmin

I don't think i have been very clear about the problem.  I want to create a firewall rule similar to what I can do with IPTABLES in a chain rule i.e.

-A FORWARD -i PUBLIC1 -j OUTBOUND_ALL
-A OUTBOUND_ALL -o OUTSIDE -m state –state NEW -j ACCEPT

There are no references to subnets or IP's.  Simply allowing traffic in one interface and out another.  One side of the rule depends on the other.  That might be the caveat that is creating confusion.  The first rule doesn't allow anything by itself.  Though it defines what is allowed inbound on the PUBLIC1 interface, nothing is allowed without the second line.

With the -i switch and possibly utilizing the anchor feature of pfctl, I hoping to do the same with pfsense.

Metu69salemi

if you want to allow everything why to have osi layer 4 device, why don't simply use osi layer 3 three device(router) and there allow routing between everything

fwadmin

Most of our firewalls have 10 interfaces.  We typically allow everything going out the Outside interface:

Source=any Destination=any Protocol=any In Interface=any Out Interface=Outside

This takes care of Internet access without giving access to any internal services.  Then i have intra containment zone rules such as:

Source=any Destination=any Protocol=CIFS,DNS, etc In Interface=InterfaceY Out Interface=InterfaceZ

The later rule is not the challenge here.  It is how do I give the nine containment zones full internet access without giving them access to internal services.  Better stated, without a series of deny rules, how would i do this.  This is a simple rule set:

All through the Outside interface for all
Containment Zone One to Containment Zone Two for X procotols
Containment Zone One to Containment Zone Three for X procotols
Containment Zone Four to Containment Zone Five for X procotols
Deny All

Otherwise the rule set would double:

Deny Containment Zone One to Containment Zone Two for X procotols
Deny Containment Zone One to Containment Zone Three for X procotols
Deny Containment Zone Four to Containment Zone Five for X procotols
Containment Zone One to all for all
Containment Zone Two to all for all
Containment Zone Four to all for all
Deny all

Not to mention we allow fewer protocols than we deny making the firewall configuration more complicated.

Metu69salemi

You could simplify rulesets by using aliases. but remember you can't mix alias types in one alias(example: IP's and Port numbers). Then configuration might be easier to read and more comfortable to use

XIII

You might be able to do what you want but pfSense is designed to be administered through the gui. To do it the way you want I believe you would have to do it via CLI.

cmb

You cannot just specify interfaces in rules (in the GUI or the underlying system), using subnets, aliases or interface groups (likely a combination) can do what you want by using IP subnets rather than interfaces.

jimp

On 2.0 you can use floating rules and/or interface groups to get closer to what you want, but with traditional rules you do need to block inbound on the interfaces going to every other network you don't want them to access. By using aliases, you don't really need X number of individual rules, you could do it with only a couple of them.

MikeN

fwadmin: Did you ever manage to find a good solution to this?

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

cmb

@MikeN:

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.

MikeN

@cmb:

@MikeN:

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.

That is an option, but:

• It's error prone. If in the future new IP ranges get added to interfaces, I will have to make sure that these get blocked too. I rather have something closed/secure by default, instead of the other way around.
• It's quite some work if you got multiple interfaces. I still have to look into the floating rules (running 2.0-rc3 here), and where they're added in the pf ruleset, so maybe floating rules can resolve this issue…