Filtering multiple LANs to LANs



  • I don't know how to accomplish the following thing with stateful firewalling and sane usage of configuration technique:

    I have 3 LANs and one WAN (Internet)

    LAN1, LAN2 and LAN3 all have access to WAN (Internet),
    but they should not have access to each other, unless specified.

    With stateful firewalling and a rule on LAN1 that allows it to access any, it gets access to LAN2 and LAN3 even though I have no rule on the LAN2 tab that allows access to it.

    Of course, I can now add a rule on LAN2 and LAN3 which denies access from LAN1 - now imagine I would have 50 LANs, so the first 50 Rules would be deny rules from every other LAN… what a hassle and prone to error.

    Basically I want to be able to allow the connection in a stateful way if the ingress and the egress firewall configuration both allow the connection.

    As said, as of now, I can only imagine to accomplish this by horrific overhead in configuration.

    Would love to get some pointers, thanks
    Philipp


  • Banned

    You are doing it wrong. You need to modify the LAN1 rule to NOT allow access to LAN2/LAN3. Rules are applied on traffic where it first hits the firewall. Rules on LAN2/LAN3 will have absolutely no effect.


  • Rebel Alliance Global Moderator

    ^ Exactly

    If you have some sort of rule that you wanted to apply to, say, 50 vlans you could put that in the floating tab.



  • I am aware of the situation you said - that is the issue I have.

    To be honest, I do not consider it a logical error to be able to configure which traffic is allowed to leave a certain interface. I consider it a question of design and of whether the software supports that (which you may consider a feature).

    As said, having 51 LAN interfaces means that I have to tell 50 LAN interfaces that they are forbidden to go to LAN51. You may argue that I could add an RFC1918 rule, which would deny any communication to private networks, and then allow it per interface. This would be just a crude attempt to fix it, as it does not change where the control of the filtering happens, nor does it work once you get non-RFC1918 address space.

    It is like having an intersection of 4 roads, you place the oneway sign on the road51 and road1, road2 … and road50 are forbidden to enter. You don't tell every single road.

    The way you say it, you have absolutely no control over which traffic comes out of an interface unless you have verified on every single interface (tab in pfsense) which traffic it allows. I hope I made myself clear about what I would like to accomplish - and how I would like to accomplish it.

    You may also go one level deeper - I want to be able to configure four (http,https,dns,ntp) specific ports that are allowed to initiate outgoing connections on the WAN interface. No matter from which interfaces they originate. In my perfect case, that would mean one rule on the WAN interface; as of now, that would mean 200 rules on a 50 ports firewall (one per port, right?).

    regards
    Philipp


  • Banned

    There's also no point in letting traffic into the firewall if you don't intend to let it go out.  You have floating rules, you have aliases for ports, hosts and subnets, you have the negate rules (the "not" checkboxes). Either work with those or move to another firewall solution.  There's nothing going to change regarding where the rules are applied - all rules except floating are inbound only.

    @Phoenix:

    You may also go one level deeper - I want to be able to configure four (http,https,dns,ntp) specific ports that are allowed to initiate outgoing connections on the WAN interface. No matter from which interfaces they originate. In my perfect case, that would mean one rule on the WAN interface; as of now, that would mean 200 rules on a 50 ports firewall (one per port, right?).

    No, that'd be exactly one quick rule with those 4 ports aliased, on the floating tab.
    https://doc.pfsense.org/index.php/What_are_Floating_Rules



  • I read: https://forum.pfsense.org/index.php?topic=43232.0

    The floating tab is nice… but it quickly gets crowded in there when doing all the stuff in the floating tab. I have 50 interface tabs, and no use for them?

    I would love to see the interface tabs with two sections, one for the ingress rules and one for the egress rules (which as of now basically says "any any"). That way I can quickly verify what an interface has configured for allowed ingress and egress traffic. As of now, I would just be happy to be able to have egress rules configured on the corresponding interface.

    @doktornotor: there is no reason to be rude: saying there is "no point" is not a productive discussion term, nor is saying "nothing is going to change". Either talk like someone educated and fully grown up, or shut up, with all due respect.

    Anyway, thanks for getting me to understand that I did not overlook any feature which would accomplish that in a way more to my taste.

    For the record: Having to maintain groups of ports is horrific, as there are virtually endless possibilities of port combinations. How about implementing a multi-selection of ports in the rule editor and making an invisible, anonymous, on-the-fly group?


  • Banned

    @Phoenix:

    The floating tab is nice… but it quickly gets crowded in there when doing all the stuff in the floating tab. I have 50 interface tabs, and no use for them?

    Yes. So first it sucks to use those 50 tabs and create tons of duplicate rules in there, and now it sucks to use one tab for the one single rule you wanted. Sigh. Perhaps you could actually decide on the point of your rants before you start ranting.

    @Phoenix:

    Having to maintain groups of ports is horrific, as there are virtually endless possibilities of port combinations. How about implementing a multi-selection of ports in the rule editor

    Of course. A dropdown with 65K of items will absolutely rock!

    This debate is waste of time. Bye.


  • Rebel Alliance Global Moderator

    And again if you need to apply rules that apply to ALL interfaces be it IN or OUT - use the floating tab.

    "It is like having an intersection of 4 roads, you place the oneway sign on the road51 and road1, road2 … and road50 are forbidden to enter. You don't tell every single road."

    And in your example -- that is the entry point of road51. You don't put signs on the exits of road1, road2 and road50 saying you cannot enter road51. Which is exactly what has been explained.

    I have been working on firewalls for years and years, all kinds: Juniper, Cisco (both PIX and ASA), Checkpoint, etc. And I have never seen anyone ever put rules on the exit of an interface. You put rules where the traffic enters the firewall. Why would you want the firewall to process the traffic, i.e. let it in, just to stop it as it goes to exit out another interface?

    But to solve your problem of having to put rules on all 50 vlan interfaces, you could use the floating tab. And if you actually want to use exit-type rules, then those can be set up on the floating tab.

    https://doc.pfsense.org/index.php/What_are_Floating_Rules

    But the proper way to do it, if you ask me, be it that you have 50 or 500 vlans, is to create the rules you want on the actual vlan.



  • @johnpoz: I have done firewalls myself for 15 years - and sometimes I like to approach things anew and see if there is a better way. You might want to take a look at http://en.wikipedia.org/wiki/Dick_Fosbury to see what happens if you do that :)

    @doktornotor: As of now it is a dropdown of about 40 ports; I only suggested a multi-selection, not the inclusion of all the possible ports. Considering that pfsense already uses dynamic pages, it would be perfectly doable to add several ports on a per-rule basis, as it is possible to do in the alias section: same magic at a different place. Agreed, a 65k dropdown sucks - and adding more to this list, by aliases of every possible used combination, does not make it more readable.


  • Rebel Alliance Global Moderator

    I too like to take new approaches, when they make sense. Filtering after the traffic has entered your firewall is NOT one of those. Your firewall has to do more processing; clearly that is not something anyone would want their firewall to do.

    It's like these users wanting to use NAT reflection all the time. Why would you want packets to traverse your firewall just to be sent back in, when the IP you're hitting is plugged into the switch port next to yours? Sending the traffic through the firewall makes no sense.

    But if you want your firewall to do more work - sure, set up a rule on the floating tab to stop the traffic when it tries to exit, vs. before it's entered.


  • Netgate

    @Phoenix:

    You may also go one level deeper - I want to be able to configure four (http,https,dns,ntp) specific ports that are allowed to initiate outgoing connections on the WAN interface. No matter from which interfaces they originate. In my perfect case, that would mean one rule on the WAN interface; as of now, that would mean 200 rules on a 50 ports firewall (one per port, right?).

    pf's philosophy on firewall rules is to block undesirable traffic before it enters the firewall.

    If that philosophy does not meld with how you want your firewall to work, it might just be that pfSense is not for you.

    You are free to create pass any any rules on all your interfaces then use floating rules on WAN direction out if that's what you want to do. (WAN out reject IPv4 any source any dest any dest port ! http,https,dns,ntp for a quick, incomplete example.)

    Just know that once traffic is allowed into pfSense, there is nothing stopping it from egressing any interface unless there's a floating rule specifically blocking its output.  So if you do the above and also have LAN+DMZ, you also have to block undesired traffic out LAN from DMZ, etc.

    For identical rules applying to multiple interfaces you have aliases, interface groups, and floating rules at your disposal.

    Yes, bringing up a 50-interface pfSense might involve some initial work.
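
The two patterns the replies describe (filter where traffic enters, using one interface-group rule instead of 50 per-interface tabs; and a floating WAN-out rule for the four permitted egress ports) written out as a plain pf.conf. This is an added example, not code from the thread and not the ruleset pfSense generates from its GUI. The interface names (em0, vlan1..vlan3), the subnets, and the ifconfig group name "lans" are assumptions; pfSense "Interface Groups" and "Aliases" compile to an ifconfig group and to pf tables/macros like the ones below.

```pf
# Added example (not from the thread, not pfSense's generated rules):
# hand-written pf.conf for "3 LANs, one WAN, no LAN-to-LAN unless allowed".
# Assumed: WAN is em0; vlan1..vlan3 carry the subnets listed in <lan_nets>
# and are members of the ifconfig group "lans" (ifconfig vlan1 group lans, ...).

wan = "em0"
# The GUI "alias" of LAN subnets becomes a table. Listing the real subnets
# (rather than all of RFC1918) keeps this working for non-RFC1918 space too.
table <lan_nets> const { 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24 }
egress_ports = "{ 80, 443, 53, 123 }"   # http, https, dns, ntp

set skip on lo0
block log all                           # default deny; last-match fallback

# --- Pattern 1: filter where the traffic ENTERS, once, on the group -------
# pfSense interface rules are first-match ("quick"), so order matters:
# explicit exception first, inter-LAN block second, Internet pass last.
pass in quick on vlan1 inet proto tcp from 10.1.0.0/24 to 10.2.0.0/24 port 445 keep state
block in log quick on lans inet from <lan_nets> to <lan_nets>
pass in quick on lans inet from <lan_nets> to any keep state
# The state created by the pass rule admits the reply traffic on $wan and on
# the destination LAN; nothing has to be written on the LAN2/LAN3 tabs.

# --- Pattern 2: the WAN-out floating rules sketched in the last reply ------
# Only these four ports may initiate outbound connections, from any VLAN.
# Out rules on $wan also apply to the firewall's own traffic: its DNS/NTP
# (53/123) still fits, anything else it sends out $wan does not.
pass out quick on $wan inet proto { tcp, udp } to any port $egress_ports keep state
block out log quick on $wan all
```

Syntax-check a file like this with `pfctl -nf /path/to/pf.conf` before loading it. The point the replies make is visible in the rule order: LAN1-to-LAN2 traffic is decided by the rules on the interface where it arrives (vlan1 or the group), and the block on `lans` is one line regardless of how many VLANs join the group; the WAN-out pair is the only place where an "exit" rule is consulted.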