Firewall rules - just a stupid question.
Standard rules (WAN, LAN, for example), as far as I understand, are all quick rules and processed top to bottom. The first match wins. Traffic is evaluated ENTERING the interface. I understand this for WAN and LAN rules, but for OpenVPN interface how does this work?
So, traffic with destination OpenVPN enters WAN and then where is it going to go? IN(to) OpenVPN interface or OUT OpenVPN interface to ovpn subnet? Is this traffic filtered by deny/drop WAN rules or I have to build firewall rules for the OpenVPN interface?
The VPN traffic entering from the WAN can be treated as if the traffic is coming from a a real physical interface called OpenVPN.
Rules you place on the OpenVPN tab are no different than rules on any other interface.
With the rules on the OpenVPN interface you filter only traffic of your remote sites / roadwarriors.
To control traffic exiting the OpenVPN interface, you put rules on the LAN/OPT/etc. interface.
If I understand correctly, If I have pfsense setup as an OpenVPN client to some vpn provider (for example StrongVPN) have I to set a deny (incoming) policy on the OpenVPN interface equal to that (default) that's set on the WAN?
If you don't create any rules, then anything will be blocked by default.
Only if you start creating your own rules which allow something, traffic is able to "enter" on this interface.
The block rules which are on the WAN interface by default (block private and block bogon) can be enabled by setting the respective checkboxes on the config-page of the interface itself (interfaces–>OPTx).
If you don't have any rules these two rules aren't really needed, but they provide a "safe" start for a WAN.
--> The help prevent someone shooting in their own foot.
I wouldn't set any deny rules in openvpn until its working perfectly - You can add rules later if you want, but this way, if the rule you add breaks openvpn, you will immediately know what the problem is.
I would like to set a default deny policy for all incoming traffic on the OpenVPN client connection (similar to that on the WAN), then allow only the traffic that's a reply to LAN requests. I thought this was enabled by default, with automatically created rules for OpenVPN, but in release 2.1 seems that the auto-created rule is "all all".
I think that OpenVPN connection to a VPN provider IS INTERNET, so I'd like to protect my network (I know that VPN provider should do this, but…) ;D
Nothing gets allowed automatically.
By default, everything - Absolutely everything is denied.
So, rather than concentrating on deny rules, concentrate on allow rules.
The OpenVPN setup (client) created a rule:
pass in quick on openvpn all flags S/SA keep state
that scares me a bit ::)
I had to create a floating rule on the WAN (em0) to stop clients of the LAN to connect to Internet if VPN is down:
block drop log on em0 inet proto tcp all flags S/SA
and a second quick rule (on WAN) to allow client-only VPN handshaking:
block drop log quick on em0 inet proto udp from any to ! <my_dns_addresses>port = domain
where <my_dns_addresses>is an alias that points to my favorite DNS servers (like OpenNIC's).
Now I want to create some rules to protect the OpenVPN interface from connections coming from Internet (-> just in case my VPN provider would allow something to come through).</my_dns_addresses></my_dns_addresses>