Rules against rules
-
Hello to all.
I would like somebody to give me an opinion on both of the following firewall rules.
Here is the configuration and the purpose I'm aiming for:
Interface WAN > internet access.
Interface LAN > network for administration
Interface OPT > network of 10 VLANs
By default, VLANs must be isolated from each other, and all must have internet access with a limitation on the authorized protocols. I saw here that it was necessary to use the following rules:
See the reference topics:
http://forum.pfsense.org/index.php/topic,13347.msg71597.html
http://forum.pfsense.org/index.php/topic,20173.0.html
The problem is that if I also want to limit protocols with this rule, I can't do that without creating security holes towards the other VLANs!
So, here is what I set up:
This is the basic rule.
Here I put a restriction by reject towards the management interface, and allow access to the Vlan3 subnet on the HTTP protocol.
It's the same, but this time it is possible to contact the FTP server on a specific host in Vlan 3. With this filter, everything that concerns access to the VLANs has to be placed before the block rule, and everything that concerns internet access after the block rule.
Can you give me your opinion on these rules?
Thanks to all.
-
@ All pictures
You don't need a "reset" rule.
Such a rule is already in place (invisibly below all your own rules).
@ First picture: You could combine the second and third rule.
Allow; Source: Vlan4net; Destination: !4VlanAccess (NOT); Port: PortAllowed (the same as the second rule you posted from me, just with the default gateway and not the failover pool).
Since you have a block-all rule below this allow rule, you allow access on the allowed ports to anywhere except 4VlanAccess.
Although this only works for TCP/UDP. If you have other protocols, you will need the two rules as you have them.
@ Second picture: For your second rule to work you need to disable the "anti-lockout" rule on the pfSense (advanced).
The same for the fourth and fifth rules as in the first picture.
@ Third picture: The same as with the two above. Additionally, if you want to access an FTP server you have to make sure the FTP helper on the pfSense is active. Otherwise you would also have to allow all the secondary ports which are used for the data transfer. If you disable the anti-lockout rule you also have to make sure you allow access to the helper, which is AFAIK on ports 8000-8030 (search the forum for this; I'm not completely sure).
-
Hello GruensFroeschli,
I work with Yro and it seems there is a misunderstanding.
First, remember that Yro's project is a multi-VLAN network.
Picture 1.
1.1 With this way of writing rules, Yro found that it is secure and works well if you want to allow full access to the internet and block all inter-VLAN traffic.
1.2 If you want to allow access to the internet on some ports (not all), those ports will also be opened between VLANs.
Do you agree at this point?
Picture 2
So Yro found another way of writing these rules. But as he is far from being a guru at pfSense and packet filter, he would like to have your feeling about this way of writing rules for a multi-VLAN network.
FTP rules (pict 4) and block GUI access rules (pict 3) are just examples.
Do you think that this way of creating rules is good?
1. allow inter-VLAN
2. block access to all networks except itself + LAN
3. allow desired ports to the internet
When Yro showed me this way of doing it, it seemed to me that it is good (better), but as I am not experienced with packet filter, and no more with pfSense, I told him to test first and then to ask the community…
Maybe this way of doing rules has obvious mistakes or disadvantages that someone with knowledge and experience could see easily.
I hope my English is not too bad and you could understand me...
David
-
@MrD:
Hello GruensFroeschli,
I work with Yro and it seems there is a misunderstanding.
First, remember that Yro's project is a multi-VLAN network.
Picture 1.
1.1 With this way of writing rules, Yro found that it is secure and works well if you want to allow full access to the internet and block all inter-VLAN traffic.
1.2 If you want to allow access to the internet on some ports (not all), those ports will also be opened between VLANs.
Do you agree at this point?

From pfSense's point of view it doesn't make any difference if it's a VLAN interface or a "real" interface.
They are interfaces and are treated equally.
1.1: Yes, of course this is secure and does work.
I just thought, since opinions have been asked, I'd give my opinion on it.
1.2: No, I don't agree.
The rules are processed from top to bottom. If a rule catches, the rest below will no longer be considered.
What I described:
Rule1: Allow DNS to pfSense
Rule2: Allow from local LAN, to everywhere except the VLANs defined in the alias "4VlanAccess", only on the ports in the alias "PortAllowed".
Rule3: (Hidden) Block everything from everywhere.
If you create a connection with a port in the "PortAllowed" alias and a destination in 4VlanAccess, the allow rule (rule2) doesn't catch, since the destination is within 4VlanAccess.
–> The traffic gets blocked by the hidden Rule3.

Do you think that this way of creating rules is good?
1. allow inter-VLAN
2. block access to all networks except itself + LAN
3. allow desired ports to the internet
When Yro showed me this way of doing it, it seemed to me that it is good (better), but as I am not experienced with packet filter, and no more with pfSense, I told him to test first and then to ask the community…
Maybe this way of doing rules has obvious mistakes or disadvantages that someone with knowledge and experience could see easily.

Yes, of course you can write the rules this way.
I just try to write the same functionality with as few rules as possible.
If you have (potentially) hundreds of rules it can become quite incomprehensible :)
-
Thanks for the detailed answer, we are running tests (and taking screenshots)…
David
-
Thx GruensFroeschli,
We ran several tests and it works correctly.
On your point 1.2, you were right, it was an error in the rules: we had a badly placed rule which opened inter-VLAN connections.
Thank you for your answers.
Yro.
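The thread turns on two points: GruensFroeschli's explanation that pfSense evaluates rules top-down, stops at the first match and then applies an invisible block-all, and Yro's closing remark that a badly placed rule had opened inter-VLAN connections. The following simulator is an added example written for this thread; it is not pfSense code and not something any of the posters wrote. It models first-match evaluation, builds the "compact" layout (one allow rule with a negated destination) and the "explicit" layout (allow inter-VLAN exceptions, block the other VLANs, allow internet ports) from the posts, and shows what happens when the internet rule slips above the block rule. Alias contents, VLAN addresses, the FTP host and the sample flows are all constructed; the thread names the aliases but never lists their members.

```python
"""
First-match evaluation of pfSense-style firewall rules (added example).

pfSense processes an interface's rules from top to bottom, stops at the
first rule that matches, and finally applies a hidden "block everything".
All addresses, alias contents and hosts below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed alias contents (assumed; the thread never lists them).
NET_ALIASES = {
    "any": ["0.0.0.0/0"],
    "Vlan4net": ["10.0.4.0/24"],
    "pfSense": ["10.0.4.1/32"],                                    # firewall address on VLAN 4
    "4VlanAccess": ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],  # the other VLANs
    "FtpHostVlan3": ["10.0.3.20/32"],                              # the one FTP server VLAN 4 may reach
}
PORT_ALIASES = {"PortAllowed": {80, 443}, "DNS": {53}, "FTP": {21}}


def in_alias(addr: str, alias: str) -> bool:
    a = ip_address(addr)
    return any(a in ip_network(n) for n in NET_ALIASES[alias])


@dataclass
class Rule:
    name: str
    action: str                   # "pass" or "block"
    proto: Optional[frozenset]    # None = any protocol
    src: str                      # network alias
    dst: str                      # network alias
    dport: Optional[str] = None   # port alias; None = any port
    dst_negate: bool = False      # the "!" (NOT) toggle on the destination

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto is not None and proto not in self.proto:
            return False
        if not in_alias(src, self.src):
            return False
        if in_alias(dst, self.dst) == self.dst_negate:  # negation flips the destination test
            return False
        return self.dport is None or dport in PORT_ALIASES[self.dport]


HIDDEN_BLOCK = Rule("hidden-block-all", "block", None, "any", "any")


def evaluate(rules, proto, src, dst, dport):
    """Return (verdict, name of the deciding rule) under first-match semantics."""
    for rule in list(rules) + [HIDDEN_BLOCK]:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    raise AssertionError("unreachable: the hidden rule matches everything")


TCP_UDP = frozenset({"tcp", "udp"})
DNS_RULE = Rule("dns-to-firewall", "pass", TCP_UDP, "Vlan4net", "pfSense", "DNS")
FTP_RULE = Rule("ftp-to-vlan3-host", "pass", frozenset({"tcp"}), "Vlan4net", "FtpHostVlan3", "FTP")

# Compact layout: one negated allow rule, the hidden block does the rest.
COMPACT = [
    DNS_RULE,
    FTP_RULE,
    Rule("internet-not-vlans", "pass", TCP_UDP, "Vlan4net", "4VlanAccess", "PortAllowed", dst_negate=True),
]

# Explicit layout: inter-VLAN exceptions, then block the other VLANs, then internet ports.
EXPLICIT = [
    DNS_RULE,
    FTP_RULE,
    Rule("block-other-vlans", "block", None, "Vlan4net", "4VlanAccess"),
    Rule("internet-allowed-ports", "pass", TCP_UDP, "Vlan4net", "any", "PortAllowed"),
]

# The misplacement Yro reported: the internet rule ended up above the block rule.
MISPLACED = [DNS_RULE, FTP_RULE, EXPLICIT[3], EXPLICIT[2]]

# Constructed flows from a VLAN 4 client; 198.51.100.10 is documentation address space.
TRAFFIC = {
    "web-to-internet":   ("tcp", "10.0.4.10", "198.51.100.10", 443),
    "ssh-to-internet":   ("tcp", "10.0.4.10", "198.51.100.10", 22),
    "web-to-vlan2":      ("tcp", "10.0.4.10", "10.0.2.5", 80),
    "ftp-to-vlan3-host": ("tcp", "10.0.4.10", "10.0.3.20", 21),
    "dns-to-firewall":   ("udp", "10.0.4.10", "10.0.4.1", 53),
    "ping-internet":     ("icmp", "10.0.4.10", "198.51.100.10", 0),
}


def verdicts(rules):
    return {name: evaluate(rules, *pkt)[0] for name, pkt in TRAFFIC.items()}


def inter_vlan_leaks(rules):
    """Flows that reach another VLAN even though only the FTP host should be reachable."""
    return sorted(name for name, pkt in TRAFFIC.items()
                  if in_alias(pkt[2], "4VlanAccess") and name != "ftp-to-vlan3-host"
                  and evaluate(rules, *pkt)[0] == "pass")


if __name__ == "__main__":
    for label, rules in (("compact", COMPACT), ("explicit", EXPLICIT), ("misplaced", MISPLACED)):
        print(label, verdicts(rules), "leaks:", inter_vlan_leaks(rules))
```

Both layouts give the same verdicts for TCP and UDP: the compact one blocks VLAN-to-VLAN web traffic through the hidden rule, the explicit one through its own block rule. The misplaced ordering passes the same flow, which is the kind of error Yro found during testing. ICMP to the internet is blocked in both layouts because the allow rules are TCP/UDP only, matching GruensFroeschli's caveat that the single negated rule covers TCP/UDP and other protocols need separate rules.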