Good Case for Floating Rule? Duplicating rules across interfaces
-
Hello everyone!
I want to go about using a default DENY instead of default ALLOW on all LAN traffic.
In my testing I have LAN, two VLAN (attached to LAN interface), and OP1 interface that is used exclusively by one server (not in a DMZ, just wanted it separate port and subnet). Then of course WAN interface.
The two VLAN's are nearly identical, one being for hard wired machines into a switch and the other for wireless devices.
I am going about default DENY instead of ALLOW on all LAN traffic (LAN, two VLANS and OPT1) so that only ports/traffic that I want going out can get out.
I have come up with about a dozen rules to accomplish this approach and it seems like everything is functional. I tested first on the wifi VLAN. However, now I have the task of creating these near identical rules for the hard wired VLAN, LAN and OPT1 interfaces. They are going to be exactly the same except that the interface source will be different.
Is this a good case for using FLOATING firewall rules? Or is there a better way of doing this? It won't take long to duplicate the dozen firewall rules to the other VLAN, LAN and OPT1 interface, but it brings up a few concerns:
- Human error while I am putting these in.
- Any additions/subtractions/changes in the future will require changes to four different interfaces which could result again in human error.
I was thinking about maybe making an ALIAS for specific TCP ports, one for UDP ports, one for destination IP or something and then having three rules in each interface excluding WAN so that would reduce the overall number of rules but i'm not sure if that is best practice.
Any comments or suggestions are always much appreciated. Thank you.
-
Just delete the pass any any rule that is placed on LAN by default.
Everything will now be blocked.
Then add pass rules for the traffic you wish to allow. Everything but that will still be blocked.
I would, personally, use an interface group instead of floating rules if I had a rule set that was the same for multiple interfaces. Sort of depends on what you're actually doing.
-
@derelict Hi Derelict,
I have the "pass any rule" on LAN as disabled already. The VLAN1 and VLAN2 are linked to the LAN interface. Right now I have made all of my changes to PASS on VLAN2 (wifi vlan) to test on. Are you saying that simply making all of the changes directly on the LAN interface will go down to the VLAN1 and VLAN2 even though LAN, VLAN1 and VLAN2 are all on different subnets?
Can you clarify "interface group" for me? I read through the pfsense manual and I'm not sure I totally understand it. I understand interface group as "VLAN1, VLAN2, OpenVPN" which are basically virtual interfaces. I don't see anything in alias or any menus for "interface groups".
I just don't want to duplicate a bunch of rules to a bunch of different tabs (interfaces) on the Firewall -> Rules screen.
-
@pfsensefanatic said in Good Case for Floating Rule? Duplicating rules across interfaces:
The VLAN1 and VLAN2 are linked to the LAN interface.
I have no idea what that means. You might need to draw it out.
Rules are processed in this order:
Floating rules
Interface group rules
Interface rulesSo if you make an interface group of all similar interfaces you can pass the traffic common to all of them. Then if you need to pass something specific on an interface you just pass it on that interface.
It really depends on your rule set and how much is common between interfaces to know if it makes sense or not.
-
@derelict said in Good Case for Floating Rule? Duplicating rules across interfaces:
@pfsensefanatic said in Good Case for Floating Rule? Duplicating rules across interfaces:
The VLAN1 and VLAN2 are linked to the LAN interface.
I have no idea what that means. You might need to draw it out.
Rules are processed in this order:
Floating rules
Interface group rules
Interface rulesSo if you make an interface group of all similar interfaces you can pass the traffic common to all of them. Then if you need to pass something specific on an interface you just pass it on that interface.
It really depends on your rule set and how much is common between interfaces to know if it makes sense or not.
"The VLAN1 and VLAN2 are linked to the LAN interface" - In my Interfaces assignments page I have LAN (igb1) and then "VLAN1 on igb1" and "VLAN2 on igb1". The VLAN1 and VLAN2 are associated (linked?) with the LAN (igb1 card). So I have a cable coming out of that igb1 port on the pfsense device and goes into an uplink port on a VLAN switch. From there I have two ports, one for VLAN1 and VLAN2 which have different subnets.
On a side note while trying to look into this to explain I came across the "interface groups" selection in Interface Assignments page. I was looking in Aliases. Doh. So, basically, to answer my original question, NO FLOATING RULES is not the correct method of what I am trying to do, it is INTERFACE GROUPS.
However, with this being said, maybe you or someone can chime in regards to my terminology of "VLAN 1 and VLAN2 are linked to the LAN interface". Again, interface assignment shows VLAN1 and VLAN 2 "on igb1" and igb1 is associated with LAN interface. VLAN1 and VLAN2 do NOT have their own physical port, they (SHARE??) the LAN port.
Thank you.
-
https://docs.netgate.com/pfsense/en/latest/book/vlan/terminology.html you better read the whole book though.
-
Yeah that's just VLANs.
They are logically separate from each other and behave as separate interfaces. If you want to pass traffic from VLAN 1 to VLAN 2 you need to pass it.
You can do what you want with floating rules. I just think interface group rules can be more straightforward.