Netgate Discussion Forum

Firewall rules based on interface

Firewalling
20 Posts 7 Posters 7.7k Views
fwadmin
last edited by Jun 21, 2011, 2:20 PM

Can I create rules solely based on traffic passing in one interface and out another? I tried packet marking under advanced rule options and that didn't work. Additionally, I see an option for In/Out virtual interfaces but I cannot find where to create the virtual interfaces. I am looking at this product as a potential replacement for our existing firewalls.

GruensFroeschli
last edited by Jun 21, 2011, 2:45 PM

All rules are processed on traffic coming in on an interface.
Not on traffic leaving an interface.

Could you give an example of such a rule?
Most probably it's possible to have the same rule but with a slightly different approach.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

fwadmin
last edited by Jun 21, 2011, 2:52 PM

Most of our firewalls have 10 interfaces. Our cross containment zone rules are presently configured by interface. An example would be In - em6, Out - em3 for HTTP and HTTPS with no reference to source or destination address.

fwadmin
last edited by Jun 21, 2011, 3:00 PM

Rules based on traffic going out an interface would also be acceptable. Our current rule sets are based on allowing mostly everything outbound, going out the Outside interface. If I allow all traffic going in an interface instead, that would obviously allow the same access to all containment zones. In the absence of this functionality, our rule set would be extremely complicated with all the deny rules I would have to add.

fwadmin
last edited by Jun 21, 2011, 3:41 PM

Is the default to allow everything out the outside interface from traffic going in all other interfaces? I see posts about the LAN interface and I would imagine the default rule of allowing everything outbound applies to all interfaces?

XIII
last edited by Jun 21, 2011, 7:46 PM

Only the LAN interface has the allow-all rule by default; all other interfaces have no rules (except WAN). To allow your other interfaces Internet access you would have to set up rules doing so.

-Chris Stutzman
Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
Check out the pfSense Wiki

fwadmin
last edited by Jun 21, 2011, 9:51 PM

So my original question still stands. Can I create rules based solely on the ingress and egress physical interfaces to create zone based security? Additionally, can I create a rule solely based on the egress interface, i.e. Source - any, Destination - any, Port - any, In - <any interface>, Out - inf1?

XIII
last edited by Jun 21, 2011, 9:58 PM

Yes and yes

fwadmin
last edited by Jun 21, 2011, 10:06 PM

Is there a FAQ or 'how to' about this? I have been unable to figure this out through the interface, forums, and documentation.

XIII
last edited by Jun 21, 2011, 10:35 PM

Like this?

http://doc.pfsense.org/index.php/Category:Firewall_Rules

To add rules go to Firewall > Rules and select the interface you want to add rules to. To add a rule, click the plus sign.

See the attached image; change LAN Net to the interface you are applying this rule to. Additionally, you could copy that rule to another interface by clicking the plus sign to the right of the rule, then edit LAN Net to apply to the appropriate network (i.e. Opt1 Net).

[attachment: BasicAllowAllRule.png]

fwadmin
last edited by Jun 22, 2011, 9:55 PM

I don't think I have been very clear about the problem. I want to create a firewall rule similar to what I can do with iptables in a chain rule, i.e.

-A FORWARD -i PUBLIC1 -j OUTBOUND_ALL
-A OUTBOUND_ALL -o OUTSIDE -m state --state NEW -j ACCEPT

There are no references to subnets or IPs. Simply allowing traffic in one interface and out another. One side of the rule depends on the other. That might be the caveat that is creating confusion. The first rule doesn't allow anything by itself. Though it defines what is allowed inbound on the PUBLIC1 interface, nothing is allowed without the second line.

With the -i switch and possibly utilizing the anchor feature of pfctl, I am hoping to do the same with pfSense.

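The pf equivalent of the iptables chain in the post above, as an added example that is not part of the thread and not something the pfSense GUI generates: it is written in plain pf.conf syntax for the underlying packet filter and assumes em6 and em3 are two containment zones and em0 the outside interface (all assumed names). The iptables pair maps onto pf's tag/tagged: the inbound rule on the ingress interface only labels the packet, and an out rule on the egress interface decides whether it leaves. The caveat a pf user needs is the state policy. With the default floating states, the state created by the inbound rule would already match the packet when it goes out on em0 or em3 and the out rules would never be evaluated, so the example binds states to the interface they were created on.

```pf
# Added example (not from the thread, not pfSense-generated). Assumed names:
#   em0 = Outside, em3 = zone 3, em6 = zone 6.
# Goal, as in the iptables chain: zone 6 -> Outside for everything, zone 6 -> zone 3
# for HTTP/HTTPS only, with no address anywhere in the rules.

# Bind each state to the interface it was created on. With the default "floating"
# policy the state created by the "pass in on em6" rule would match the same packet
# again when it goes out on em0/em3, and the "out" rules below would be skipped.
set state-policy if-bound

# Default deny, both directions, every interface (no other rule matches -> dropped).
block log all

# Step 1 (iptables: -A FORWARD -i PUBLIC1 -j OUTBOUND_ALL): accept the packet on its
# ingress interface but only label it. Nothing reaches another interface until an
# out rule on that interface matches the label.
pass in quick on em6 tag ZONE6 keep state
pass in quick on em3 tag ZONE3 keep state

# Step 2 (iptables: -A OUTBOUND_ALL -o OUTSIDE -m state --state NEW -j ACCEPT):
# anything labelled by a zone may leave on the outside interface.
pass out quick on em0 tagged ZONE6 keep state
pass out quick on em0 tagged ZONE3 keep state

# Zone-to-zone rule with no source or destination address: zone 6 may reach zone 3
# for HTTP and HTTPS only. No out rule on em3 matches ZONE6 for anything else, and
# no out rule on em6 matches ZONE3 at all, so those packets fall through to "block all".
pass out quick on em3 proto tcp from any to any port { 80, 443 } tagged ZONE6 keep state
```

Reply traffic needs no further rules: the reply comes back in on em0 or em3 and matches the state the out rule created there, then leaves on em6 and matches the state the inbound rule created. Check the syntax with `pfctl -nf` before loading. On pfSense the GUI rewrites the active ruleset on every filter reload, and its generated ruleset carries its own global settings, so hand-written rules of this shape only survive inside an anchor and the state-policy line has to be reconciled with whatever the generated ruleset sets (look at /tmp/rules.debug rather than assuming).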
Metu69salemi
last edited by Jun 23, 2011, 5:33 AM

If you want to allow everything, why have an OSI layer 4 device? Why not simply use an OSI layer 3 device (a router) and allow routing between everything there?

fwadmin
last edited by Jun 23, 2011, 4:10 PM

Most of our firewalls have 10 interfaces. We typically allow everything going out the Outside interface:

Source=any Destination=any Protocol=any In Interface=any Out Interface=Outside

This takes care of Internet access without giving access to any internal services. Then I have intra containment zone rules such as:

Source=any Destination=any Protocol=CIFS,DNS, etc. In Interface=InterfaceY Out Interface=InterfaceZ

The latter rule is not the challenge here. It is how do I give the nine containment zones full Internet access without giving them access to internal services. Better stated, without a series of deny rules, how would I do this? This is a simple rule set:

All through the Outside interface for all
Containment Zone One to Containment Zone Two for X protocols
Containment Zone One to Containment Zone Three for X protocols
Containment Zone Four to Containment Zone Five for X protocols
Deny All

Otherwise the rule set would double:

Deny Containment Zone One to Containment Zone Two for X protocols
Deny Containment Zone One to Containment Zone Three for X protocols
Deny Containment Zone Four to Containment Zone Five for X protocols
Containment Zone One to all for all
Containment Zone Two to all for all
Containment Zone Four to all for all
Deny all

Not to mention we allow fewer protocols than we deny, making the firewall configuration more complicated.

Metu69salemi
last edited by Jun 23, 2011, 6:26 PM

You could simplify rulesets by using aliases, but remember you can't mix alias types in one alias (example: IPs and port numbers). Then the configuration might be easier to read and more comfortable to use.

XIII
last edited by Jun 23, 2011, 10:38 PM

You might be able to do what you want, but pfSense is designed to be administered through the GUI. To do it the way you want, I believe you would have to do it via the CLI.

cmb
last edited by Jun 24, 2011, 12:32 AM

You cannot just specify interfaces in rules (in the GUI or the underlying system); using subnets, aliases or interface groups (likely a combination) can do what you want by using IP subnets rather than interfaces.

jimp (Rebel Alliance, Developer, Netgate)
last edited by Jun 28, 2011, 1:16 PM

On 2.0 you can use floating rules and/or interface groups to get closer to what you want, but with traditional rules you do need to block inbound on the interfaces going to every other network you don't want them to access. By using aliases, you don't really need X number of individual rules; you could do it with only a couple of them.

MikeN
last edited by Jul 4, 2011, 9:57 AM

fwadmin: Did you ever manage to find a good solution to this?

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

cmb
last edited by Jul 4, 2011, 10:12 PM

@MikeN:

It's really a problem I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface…..

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.

MikeN
last edited by Jul 4, 2011, 11:14 PM

@cmb:

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.

That is an option, but:

• It's error prone. If in the future new IP ranges get added to interfaces, I will have to make sure that these get blocked too. I'd rather have something closed/secure by default, instead of the other way around.
• It's quite some work if you have multiple interfaces. I still have to look into the floating rules (running 2.0-rc3 here), and where they're added in the pf ruleset, so maybe floating rules can resolve this issue…
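The block-above-allow layout that cmb and jimp describe, written out as an added example in plain pf.conf syntax. It is not from the thread and not the ruleset the pfSense GUI generates (in the GUI the same thing is a per-interface rule list with an alias of the internal networks, or an "OPTn net" entry, as the destination of a block rule placed above the pass-to-any rule). It assumes zone interfaces em1 through em6, the outside interface em0, and DNS plus CIFS as the "X protocols"; all of these are assumed. It covers the rule list fwadmin wanted (Zone One to Two and Three, Zone Four to Five, everything to the outside, deny the rest) and MikeN's objection that a hand-maintained list of local ranges goes stale: the list is built from the interfaces' own networks in parentheses, which pf re-evaluates whenever an interface address changes.

```pf
# Added example (not from the thread, not pfSense-generated). Assumed names:
#   em0 = Outside, em1..em6 = containment zones One..Six.
# pfSense interface-tab rules are first-match, which is what "quick" gives here.

# Every internal network, derived from the interfaces themselves. The parentheses
# make pf re-read the address when it changes, so renumbering a zone does not leave
# a hole the way a hand-typed alias of ranges can. Networks that are not interface
# subnets (VPN-attached networks, as cmb notes) still have to be listed by hand.
local_nets = "{ (em1:network) (em2:network) (em3:network) (em4:network) (em5:network) (em6:network) }"
zone_tcp   = "{ 53, 445 }"   # assumed "X protocols": DNS and CIFS

# Deny all: anything not matched below is dropped.
block log all

# Zone One: the permitted zone-to-zone services go ABOVE the catch-all block.
pass in quick on em1 proto tcp to (em2:network) port $zone_tcp keep state
pass in quick on em1 proto udp to (em2:network) port 53 keep state
pass in quick on em1 proto tcp to (em3:network) port $zone_tcp keep state
pass in quick on em1 proto udp to (em3:network) port 53 keep state
# Then: nothing else internal, everything else (the outside) allowed.
block in quick on em1 to $local_nets
pass in quick on em1 to any keep state

# Zone Four -> Zone Five, then the same block/pass pair.
pass in quick on em4 proto tcp to (em5:network) port $zone_tcp keep state
pass in quick on em4 proto udp to (em5:network) port 53 keep state
block in quick on em4 to $local_nets
pass in quick on em4 to any keep state

# Zones with no zone-to-zone access need only the pair.
block in quick on em2 to $local_nets
pass in quick on em2 to any keep state
block in quick on em3 to $local_nets
pass in quick on em3 to any keep state
block in quick on em5 to $local_nets
pass in quick on em5 to any keep state
block in quick on em6 to $local_nets
pass in quick on em6 to any keep state
```

Two points to check before copying the pattern. First, the block rule covers the firewall's own address on that interface, so a zone that uses the firewall for DNS or DHCP needs a pass rule for those ports, destined to the interface address, placed above its block line. Second, the rule count is two lines per zone plus one per permitted zone-to-zone service, which is the reduction jimp refers to; the "deny rules double the ruleset" outcome fwadmin feared only happens when the deny lines are written per destination zone instead of once against the whole internal list.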
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.