Firewall rules for branch sites

boomam

Evening all,
Could do with some advice on the who's and the whys, and whats best practice.

Topology & Firewall Description:

3 Pfs, one of them "central". Other two Pfs have the same configs and OpenVPN back to the central Pf.

Whats needed:

• Routing between subnets at all three sites.
• Internet access for clients at the two branch sites.
• Seperate Guest LAN/Internet access at branch sites.

Firewall config:
Central
LAN: Allow - Local Subnet to all
OpenVPN: Allow - All to All

Branch
LAN: Deny - Local Subnet to Guest LAN
LAN: Allow - Local Subnet to all
OpenVPN: Allow - All to All
Guest LAN: Deny - Guest LAN to LAN
Guest LAN: Deny - Guest LAN to Remote Subnet
Guest LAN: Allow - Guest LAN to all

All denys are at the top of the rules orders.
OpenVPN is setup and functioning between all affected sites.
WAN connections on each Pf are set to allow incoming/outgoing (where applicable) of OpenVPN ports only.

Now, the above config works. Traffic routes between, there doesn't appear to be any bridging going on between networks and the internet works fine.
However to me that seems like bad practice with all the "allow to alls"

The internet at the branch sites wont function if i dont set "LAN/Subnet to all"
Neither will OpenVPN route without that rule and the "all to all" on all the OpenVPN interfaces at all Pf's

Thoughts?
Is there a better or more secure way to achieve this?

Thanks in advance all!

phil.davis

I make an alias for all the private subnets that I have around my various offices - call it OfficeNets. For example, the organisation uses 10.20.0.0/16 split up around the offices - 10.20.0.0/20 (16 "class-C" to be split among various LANs at a central office), 10.20.16.0/24 at branch 1, 10.20.17.0/24 at branch 2 and so on. Some sort of reasonable scheme of allocating private address space.
OpenVPN gets a rule to pass source OfficeNets, destination OfficeNets - that way if some other setting accidentally tries to route GuestLAN or real internet traffic across an OpenVPN link it will get dropped.
You can use the alias on GuestLAN also - to deny from GuestLAN to InternalNets in 1 rule.

On ordinary LANs for users that need to be able to do general internet browsing, you end up needing a pass destination all rule after blocking particular stuff. The pass rule could only pass specific ports (http, https…) but in many cases that just annoys ordinary people who have perfectly legit reasons to connect out to other ports on internet servers - connect a VPN to some other office site, get mail from their own mail provider on POP3/IMAP/SMTP ports, ssh to something, and so on. I have been a visitor at schools where they have locked down lots of outgoing ports including to POP3/IMAP/SMTP port numbers and I can't do send/receive of my email - how frustrating.

Rather than trying to tie down the clients on the local LAN with restrictive firewall rules, IMHO mostly what is needed is some filtering at higher level to block out based on content (inappropriate web sites) - DNS-based name server filtering by categories, squid/squidguard/dansguardian or whatever.

I'm sure others will have their opinions on firewall rules and content filtering combinations...

boomam

Afternoon,
I managed to work it out about an hour after posting. :p

OpenVPN connection has single rule from "remote subnet to LAN subnet".
LAN subnet has a "from LAN subnet to remote subnet"rule.
LAN & Guest Subnets have rules that deny access to/from each other.
Guest subnet has a rule that denys to remote subnet too.
Guest & LAN have a rule that is "subnet to any".

Seems to work….no crossing of traffic i can see on packet captures, net access works, ect;