
    Best practice for FW rules

    Firewalling
    6 Posts 3 Posters 5.4k Views
    • cyberfinn

      Hey

      We have a pfSense setup in our environment. Right now we have 15 interfaces/subnets and create a new one every month. Traffic between interfaces/subnets should not be allowed by default, but every interface/subnet should be allowed to use the internet/WAN.

      How should we set up this scenario?

      Right now we have 14 deny rules for each interface, i.e.:

      From interface Subnet1:
      Deny all to Subnet 2
      Deny all to Subnet 3
      Deny all to Subnet 4
      ….. and so on
      And the last rule: Allow all (For allowing access to rest of the internet)

      From interface Subnet2:
      Deny all to Subnet 1
      Deny all to Subnet 3
      Deny all to Subnet 4
      ….. and so on
      And the last rule: Allow all (For allowing access to rest of the internet)

      But when we create a new interface/subnet, we need to add a deny rule for this subnet to all the other subnets' rules. It takes a lot of time.

      Can we do that smarter?

      • ptt (Rebel Alliance)

        IIRC all traffic from OPT interfaces is blocked by default, so you don't need the block rules. Only the LAN interface with the default "LAN to ANY" rule needs the block rules.
        You only need to be less "permissive" in your PASS rules on OPT interfaces.

        • GruensFroeschli

          Actually that's not true.
          If you remove all rules from the LAN-tab everything will be blocked as well.
          You just have to make sure that you remove the default rules.

          To the original question.
          This can be done a lot easier:

          1: Create an alias containing all your local subnets.
          I assume these local subnets use private IPs (192.168/16, 172.16/12, 10/8).
          --> If you add/remove new subnets regularly you might want to use these RFC1918 subnets directly (the above in brackets).

          2: Delete all rules on all interfaces.

          3: Create a single rule on each interface:
          Allow, Protocol: any, Source: Interface-subnet, Source-port: any, Destination: !Alias (NOT the alias), destination-port: any

          With such a rule you allow traffic to all destinations which are NOT in the alias.
          --> The internet.
          Everything else will be blocked by the invisible default "block everything" rule.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

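As an added illustration (not code from this thread, from pfSense, or from either poster), here is a small Python model of the two rule strategies discussed above: cyberfinn's per-interface deny matrix and GruensFroeschli's single "Destination: NOT alias" pass rule. Interface names, their subnets and the sample packets are constructed for the example; the evaluator assumes pfSense's first-match rule processing and its hidden default block. Beyond restating the rule, it shows two consequences a practitioner would want to check: the deny matrix silently passes traffic to any local subnet that has not yet been added to it, while the alias rule blocks it; and the alias rule also blocks traffic to the firewall's own interface address (which sits inside the alias), so anything clients need from pfSense itself on that interface would require its own pass rule. A coverage check also flags an interface whose subnet falls outside the alias, since the alias rule would then pass traffic to it from every other interface.

```python
"""Model of two pfSense inter-subnet isolation strategies (constructed example)."""
import ipaddress

IPNet = ipaddress.ip_network

# Hypothetical interfaces and subnets (assumption, not from the thread).
INTERFACES = {
    "LAN": IPNet("192.168.1.0/24"),
    "OPT1": IPNet("192.168.2.0/24"),
    "OPT2": IPNet("10.10.0.0/16"),
}

# The "all local subnets" alias, using the RFC1918 ranges directly as suggested.
RFC1918 = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]

# A rule is (action, interface, source_net, dest_nets, dest_negated);
# dest_nets None means "any destination".


def deny_matrix_policy(interfaces):
    """Original approach: per interface, block every other subnet, then pass all."""
    rules = []
    for ifname, subnet in interfaces.items():
        for other, other_net in interfaces.items():
            if other != ifname:
                rules.append(("block", ifname, subnet, [other_net], False))
        rules.append(("pass", ifname, subnet, None, False))
    return rules


def alias_policy(interfaces, alias):
    """Suggested approach: one pass rule per interface, destination NOT alias."""
    return [("pass", ifname, subnet, alias, True) for ifname, subnet in interfaces.items()]


def _in_any(nets, addr):
    return any(addr in n for n in nets)


def evaluate(rules, ingress, src, dst):
    """First matching rule wins (pfSense rules are 'quick'); no match -> default block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ifname, src_net, dst_nets, negated in rules:
        if ifname != ingress or src not in src_net:
            continue
        # With negation the rule matches exactly when the destination is NOT in the alias.
        hit = True if dst_nets is None else (_in_any(dst_nets, dst) != negated)
        if hit:
            return action
    return "block"


def uncovered_subnets(interfaces, alias):
    """Interfaces whose subnet is not inside the alias: other interfaces could reach them."""
    return [name for name, net in interfaces.items()
            if not any(net.subnet_of(a) for a in alias)]


# Constructed sample packets: (ingress interface, source, destination).
SAMPLE = [
    ("LAN", "192.168.1.10", "8.8.8.8"),         # internet: both policies pass
    ("LAN", "192.168.1.10", "192.168.2.20"),    # LAN -> OPT1: both policies block
    ("OPT2", "10.10.5.5", "192.168.1.10"),      # OPT2 -> LAN: both policies block
    ("LAN", "192.168.1.10", "172.16.50.1"),     # local subnet not yet in the deny matrix
    ("OPT1", "192.168.2.20", "192.168.2.1"),    # OPT1 client -> its own interface address
]


def differences(interfaces, alias, packets):
    """Packets on which the deny matrix and the alias rule disagree."""
    matrix, single = deny_matrix_policy(interfaces), alias_policy(interfaces, alias)
    out = []
    for pkt in packets:
        a, b = evaluate(matrix, *pkt), evaluate(single, *pkt)
        if a != b:
            out.append((pkt, a, b))
    return out


if __name__ == "__main__":
    for pkt, a, b in differences(INTERFACES, RFC1918, SAMPLE):
        print(f"{pkt}: deny matrix -> {a}, alias rule -> {b}")
    # A hypothetical new interface on a non-RFC1918 range (assumption) is not covered.
    print("uncovered:", uncovered_subnets({**INTERFACES, "OPT3": IPNet("100.64.0.0/24")}, RFC1918))
```

Running it lists exactly the two packets where the strategies differ: the deny matrix passes traffic to the not-yet-listed 172.16.50.0 subnet, and it passes traffic to the interface's own address, which the alias rule blocks in both cases. The coverage check reports OPT3 because its subnet is outside the RFC1918 alias.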
          • cyberfinn

            @ptt:

            IIRC all traffic from OPT interfaces is blocked by default, so you don't need the block rules. Only the LAN interface with the default "LAN to ANY" rule needs the block rules.
            You only need to be less "permissive" in your PASS rules on OPT interfaces.

            Thanks. But the problem is how to give access to all other IPs on the internet. I think the solution from GruensFroeschli is the right one.

            • cyberfinn

              @GruensFroeschli:

              Actually that's not true.
              If you remove all rules from the LAN-tab everything will be blocked as well.
              You just have to make sure that you remove the default rules.

              To the original question.
              This can be done a lot easier:

              1: Create an alias containing all your local subnets.
              I assume these local subnets use private IPs (192.168/16, 172.16/12, 10/8).
              --> If you add/remove new subnets regularly you might want to use these RFC1918 subnets directly (the above in brackets).

              2: Delete all rules on all interfaces.

              3: Create a single rule on each interface:
              Allow, Protocol: any, Source: Interface-subnet, Source-port: any, Destination: !Alias (NOT the alias), destination-port: any

              With such a rule you allow traffic to all destinations which are NOT in the alias.
              --> The internet.
              Everything else will be blocked by the invisible default "block everything" rule.

              Thanks. I think this is the solution. Nice one.

              • ptt (Rebel Alliance)

                Sorry, my bad.

                Mr. GruensFroeschli's way is the right way :-[

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.