Simple firewalling rules
-
"Another way is to go to the interface that goes to the servers and put the rule the other way around."
So one of your interfaces would be your LAN, the first one you created should have a any any rule it it - this is the default lan rule.
But yes - as mentioned all rules are seen as inbound to the interface.
So if you have em0 network wants to initiate traffic to em1 network, then em0 rules need to allow that. This will create a state and devices on em1 will be allowed to answer. If you want em1 to imitate traffic to em0, then rules would be needed on em1 to allow that traffic.
network and subnet? I think this is a common issue with people new to networking.. These terms are quite often interchanged network, segment, vlan, subnet..
So your 10.0.0.0/24 is a network segment, you could also just say network.. It is also a subnet of say 10.0.0.0/8 or 10.0.0.0/16 or even 10.0.0.0/23.. A vlan to me means tagging, but people use it to call out their network segments or subnets ;)
Different terms should be used depending on the context of the conversation - but when it comes down too it they are exchanged quite often - not always appropriately, but if you say network, or segment or subnet or vlan even – its ok ;) Also best if you give details of what your talking about -- like your above examples.
-
Ever since I got johnpoz's answers on my questions I felt quite confident in making rules.
And I recently was discussing with a friend about that subject and he asked me an interesting question:If you had:
-
em0 is 10.0.0.0/24, and the ip of em0 is 10.0.0.1
-
em1 is 10.0.1.0/24, and the ip of em1 is 10.0.1.1
And you made a rule: block port 80 going from the subnet 10.0.0.0/24 going to the subnet 10.0.1.0/24, is that less secure and effective as the solution on referring to the interfaces?
Good question right?? ??? ??? ??? ??? ???
From my gut feeling it is less secure but I cannot explain why. :o
So if there is someone to tell me the difference between these 2 aspects of making firewall rules would be really great. -
-
Less secure than what rule? If your goal is to block 0.0/24 from talking to 1.0/24 on port 80 then that rule is fine.
-
the solution on referring to the interfaces
You will need to explain what you mean by this - I think no-one has any idea what is "the solution on referring to the interfaces".
-
When referring to the interfaces, I mean creating a rule that starts with: "block out on em0…" and with making a rule with the subnet, I meant something like that: "block out on 10.0.0.0/24...".
The rule will block the same port the difference is that I used in the last one a subnet in the rule and in the first one I used an interface. -
pfSense generates the pf rule statements for you and I guess you have been looking at them in /tmp/rules.debug.
The normal interface rules are all "in" rules - the traffic is filtering coming in to the interface. So you will get "block in" rules all the time. Normally this does everything you need. To get "block out" rules you have to use the Floating tab, and select the "out" direction. Usually that is not needed.
The "on" keyword only takes an interface name - for example pfSense will make a name "WAN" for the WAN and the rule will look like "block in quick on $WAN"…
Then there will be "from" and "to" clauses to match particular IP addresses/subents/alias.
So, a rule for your example would block the traffic coming in on em0 like:
block in quick on $LAN from 10.0.0.0/24 to 10.0.1.0/24Yes, you could also put a Floating rule to "block out on $OPT1 from 10.0.0.0/24 to 10.0.1.0/24" but it is not necessary. Those source/destination pairs are already blocked on the way in.
-
Lets not focus on the "in" and "out" on making firewall rules now, although it is important to know of how to properly make those rules.
But the core question is, which one is the safer filtering rules:-
block in from em0 to em1 port http
-
block in from 10.0.0.0/24 to 10.0.1.0/24 port http
Is it safer to use interfaces or subnets in making those filtering rules?
-
-
how are they different, I would assume that only 10.0.1.0/24 is available as a dest network, and 10.0.0.0/24 would be the only source on that interface anyway?
But normally in a block you wouldn't put a source unless that is only what you wanted to block. A normal block would be source any to the dest IP or network. You could only address security if you look at it to what it doesn't block. But if that something it doesn't exist what does it matter?
-
If you manage the rules entirely by the GUI, you only have the chance to select a single interface (that is, the tab you are adding the rule to). As explained before, this rule is an IN rule. Within the rule, you cannot specify the source as an entire interface, you have to select a specific subnet.
So the question ends up being "is it more secure to specify the destination subnet as the interface's subnet or leave it just as any?" (source has to be the source subnet as explained before)
The answer is that "any" is more general and will deal with special cases (like devices with a manually configured address on a different subnet, or multicast traffic).
In any case, remember the firewall will silently block any traffic not explicitely allowed.
Regards!
-
Ok that cleared up a lot of things. :)
Thank you for your patience guys. ;DKeep up the good work. :D
-
^^ exactly a block would have to be paired with an allow.. since by default everything is blocked.. Unless you have an allow statement paired with that block to limit the allow. So what allow statement do you have after that rule?