OPNSense Firewall Rules Explained

Reddit Comments

Never thought my video would end up here, he he)

Thank you for sharing.

6 points, u/yaroslav_gwit, Jan 26 2021
Captions
Hello and welcome. Today I'm going to show you how to deal with firewall rules on OPNsense. This video will cover LAN, WAN and floating rules, so gather around, grab a tea or coffee, and let's begin. In mid-2020 I released a video on how to deal with firewall rules on pfSense; over time a few knowledgeable folks left some comments on what could be improved in that particular tutorial, and this video will include all of those improvements.

I'll be using three VMs in this video: two Debian VMs and one OPNsense VM to control the traffic. You can see the text representation of what's going to be used on this slide, and if I switch to the next page you have a visual representation of the network. We have the Internet and WAN section, then our OPNsense firewall with the address of 16401, and then two LAN networks: LAN1 with Debian VM1 at 192.168.10.1, and LAN2 with Debian VM2 at 192.168.20.1.

Before we start adding any rules to our firewall, let's talk about the rule action types. There are pass, block and reject actions available on the OPNsense firewall. If you look at the next diagram with the rule action types: the pass action will allow traffic to pass. Block will silently drop the traffic, which is useful in scenarios where the interface is directly connected to the Internet: if an attacker or someone with malicious intent knocks on the doors of our firewall, the traffic will be silently dropped, the firewall will not respond to the offender, and it will look like nothing is listening on that particular IP at all. Finally, the reject action drops the traffic and notifies the sender that it was dropped. It is quite useful in LAN networks and when you want to troubleshoot anything, because it will help you realize that there is a firewall rule blocking your traffic.

Now let's move on to the OPNsense web UI and start doing things. First things first, go to Firewall > Aliases and let's create a private networks alias; you'll get why this is important in just a second. Add a new alias, call it "private ranges", the type would be Networks, and for content we're going to have 10.0.0.0/8, next up is 172.16.0.0/12, and the last one is 192.168.0.0/16. We need statistics; we don't need any description because "private ranges" is pretty self-explanatory. Now save, and don't forget to hit Apply over here.

When this is applied, go to Firewall > Rules and choose one of your LAN interfaces. As you can see right here, I have a wide-open rule for both of my LAN networks, and my Debian VMs are able to talk to each other just fine: if I ping 192.168.10.1, which is this machine over here, it's responding, and if I ping 192.168.20.1, which is this machine over here, the machine is responding just fine. Now let's remove both rules and apply the firewall settings, just to show you that my machines will not be able to talk to each other anymore: this one cannot talk to that one, and this one cannot talk to the other one.

OK, now let's start adding some sensible firewall rules for our machines to be able to talk to each other. The first rule I want to add is to allow the Internet: action Pass, Quick enabled, interface LAN1, direction In, TCP/IP version IPv4 in my case, protocol Any, source Any, destination Any. I don't want to log the packets because this is going to be a general rule. For the category I'll say "allow internet" and put the same thing in the description; source OS Any, schedule None, gateway Default. Save it, then apply the changes. Switch back to our VMs: this VM at the bottom is in the LAN1 network, and now we are able to ping the other VM, and we're able to ping google just like that. So we have access to the Internet, but as you can see, at the moment it is more than just the Internet: this VM is able to talk to the VM in the LAN2 network, and it's not desirable to have a rule wide open like that.

So we're going to add another rule. This time the action will be Reject, interface LAN1, direction In, protocol Any, source Any, and the destination will be "private ranges". I want to log the packets. For the category I'll say "reject private ranges" and include the same thing for the description. Hit Save, and now our rule will be added, but it will not be active because we need to move it to the top of the list. If you hover over this arrow you can see the pop-up notification which says "move selected rules before this rule", and we want to do exactly that: mark our private ranges rule and click this button. Now click Apply Changes. If we switch to our VM, we cannot ping google and we cannot ping our .20.1 machine; this is because our firewall and our LAN2 network lie within the private ranges, and everything in that range is blocked. We will be able to ping 8.8.8.8 just fine. We are not able to ping google because we are not able to reach our internal DNS server.

So let's add a rule that will allow our DNS server to function: action Pass, Quick enabled, interface LAN, direction In, protocol UDP, destination This Firewall, and the destination port range would be DNS, which is just here. For the category and description I'll say "allow dns". Hit Save and Apply Changes. I need to move this rule before the private ranges rule and apply the changes. Switch back to our Debian VM: ping 8.8.8.8, it's pinging; ping google, and voila, it's pinging as well. So we have Internet access right now, but if you want to go and access our VM on the other network, LAN2, it's still not able to reach there.

Now let's say this is our trusted network, and for troubleshooting purposes we want to allow ping to the firewall: action Pass, Quick enabled, interface LAN, direction In, protocol ICMP, ICMP type Any, destination This Firewall. I want to log the packets. For the category I'll say "allow ping", and for the description "allow ping to this firewall". Just hit Save, move the rule to the top, apply the changes, and now we're going to be able to ping our firewall.

Now, all these four rules you see in front of you are standard rules for any LAN network out there. This bottom rule will allow the Internet. The next rule up will reject any access to private IP ranges; that will help you contain things like IoT devices (fridges, TVs, things like that), guest devices, and you can probably think of a whole bunch of other devices that sit on your network which need this kind of filtering. The next rule up will allow DNS access to this firewall, so if you are using the internal Unbound resolver this rule is necessary for any of your internal clients to work with DNS. And the top rule will allow ping to the firewall, because if I disable it and apply the changes, then switch back to our Debian VM and ping the gateway, it will seem like the gateway is down when in fact it's not. So if you're really paranoid, or this is a guest or untrusted network, then maybe disable ping to the firewall and DNS access, and in the DHCP settings just include one of the public DNS servers. But because I do trust the clients in this network, I'll re-enable the rule and apply the changes.

Now let's say we really want to access our .20.1 VM, and it is not possible at the moment. In that case just switch back to our firewall and add a new rule: action Pass, Quick enabled, interface LAN, direction In, protocol Any, and the destination would be "LAN2 net". I want to log the packets, why not. The category will be "allow access to lan 2" and the description will be the same. Save, move this rule to the top, and apply the changes. Now switch back to our Debian VM, and ping is working to our .20.1. Keep in mind that because we didn't make any changes to the LAN2 network, this machine is still not able to talk to any resources on the Internet or on the inside of the firewall.

Now that we have all these rules in place, let's switch back to the diagram and see what actually happens on the back end. As I previously showed by example, rules on the OPNsense firewall have a particular order: the traffic goes from top to bottom checking every rule, and once it finds a match it will apply that rule. For example, on the left we have a wrong order for the rules and on the right we have the right order. On the left our "allow from any to any" stays first in the list and will be applied to any traffic passing through the firewall, so the three rules at the bottom will just be ignored and any traffic will be allowed. On the right side we have the right order for the rules: any traffic that tries to hit the 10.0.0.0/8 network will be rejected, LAN2 will be rejected, DMZ1 will be rejected, and then anything else will be allowed. This is how it will always work, especially on pfSense, but on OPNsense there is one flag that can turn this all around.

Let me show you. If we switch back to our firewall and edit one of the rules, we have the Quick option over here. Rules can either be set to quick or not set to quick. When set to quick, the rule is handled on a first-match basis, and in this case you'll have the usual top-to-bottom approach; but when quick is not set, last match wins. This can be useful for general-purpose rules which define standard behaviour. As an example I prepared this next diagram: we have a wide-open "allow from any to any" rule, but the quick option is not set on it, so when the traffic comes in it will actually check the quick rules first (reject, reject, reject) and then, if it does not match any one of these rules, it will go back and check the non-quick rules.

Let's switch back to the OPNsense UI and test this out. I want to disable all of this because it will interfere with our testing; then I want to move our wide-open allow rule to the top and remove the Quick option from it. Hit Save and apply the changes. Now switch to our Debian VM: as you can see, I'm not able to ping .20.1, and I was able to just a second ago; I'm not able to ping the gateway, and I'm not able to resolve any DNS names. Now, if we enable access to this firewall and DNS and apply these changes, switch back: ping google is working just fine, but if I want to ping the .20.1 VM, which is over here, nope, I'm not able to. So let's enable our "access to LAN2 net" rule, and now I'm able to ping our LAN2 network.

Now that we have the quick option covered, let's move on to the next diagram, which is rule direction on OPNsense. Inside of your firewall rules you're going to have two directions, incoming and outgoing, and my personal opinion on this is: don't ever touch outgoing interface rules at all unless you know how pf works by itself and you know what you are doing, because it can come back and bite you very easily. OPNsense will be filtering by default on the incoming direction, and by default everything is blocked; that's why we have to allow any traffic to pass the firewall. If I switch to OPNsense and edit one of the rules, you can see the direction that the rule is going to use; in this section always use In unless you know what you're doing, or unless it's a WAN rule, which we're going to touch on in just a minute.

Now let's say we want to copy all of these rules over to the LAN2 network. There is an easy way to do so: just click on the clone button on any rule you want to pass over to another interface and switch the interface. Now our rule is over at the LAN2 network; let's clone all of the other rules we have in here, interface LAN2, but the destination would be "LAN1 net", because we want access from LAN2 to LAN1. Whoops, my bad, I just need to change the category and the description. Save. OK, that looks good enough to me. And just to make this less confusing: to allow Internet access you've got two approaches you can take. Either set Quick and move the rule to the bottom of the list (this button will actually move it to the very bottom) and apply the changes, or, as we have in LAN1, move it to the top of the list but remove the Quick option. Either approach works just fine, but in my opinion this looks a little neater, where you have all of the allow rules and then all of the reject or block rules.

Now that you know how to manage LAN rules, let me show you how to deal with WAN rules. Switch to the Floating interface and let's take it from here. If you need to manually add a WAN firewall rule, I would imagine it would be for something like HTTP access or HTTPS access, I mean management access to the OPNsense firewall, or maybe ping or SSH, because otherwise I cannot think of a scenario where this is going to be required: when you set up a new NAT port forward it will create a firewall rule for you automatically, so there is no need to create another rule manually. But remote management access for the firewall is still a big, I mean huge, use case, so I would want to cover it here. Previously we were adding rules for each interface, but that only works for LAN rules in OPNsense; for some reason any WAN rule that you would be tempted to add to any of the WAN interfaces will be ignored, and I never actually researched why it is this way. I just know that only the Floating section works if you want to add a manual WAN access rule. This would be interesting to someone who has a firewall at location A and wants to access it from location B.

What I've got here is two rules to be able to access port 80 and 443. They are exactly the same, just the port is different, so if I edit one of them: the action would be Pass, Quick is enabled, for the interface you can choose multiple WAN interfaces if you have to, the direction would be In or Any depending on the protocol (usually I'll go with Any just to be on the safe side), TCP/IP version IPv4, protocol TCP, then the destination is This Firewall, then I choose the destination port range, I want to log the packets, for the category I put "management access" and for the description "http access to the firewall". Just hit Save and Apply Changes. You can clearly see that this is a WAN IP and the firewall allows me access on it, just because I added two rules to the Floating section.

That's it for the firewall rules, but I have three small things that will make your life as an OPNsense administrator much easier. First, you need to know the command pfctl -d. It will disable the firewall and NAT on OPNsense. For example, imagine the scenario where you locked yourself out because you've entered a wrong password too many times, or you deleted the anti-lockout rule and now you cannot access the firewall management page. In that case walk up to the firewall physically, connect it to a screen, log in and issue the command pfctl -d; it will disable the firewall, so then you'll be able to open up a browser and add some more firewall rules to allow you access. Just keep in mind that while pfctl -d is active, none of the clients on your network will be able to access any resources, because pf is responsible not only for the firewalling but also for NAT, so no one will be able to get to the Internet.

The second hint I have for you is rule categories. Remember when we were setting up the rules, we set up a category for each rule? Well, if you go back and click on "select the category", we can now click on "allow ping" and it will filter down to everything that's in the "allow ping" category, and if you click it again it will remove the filter. This is going to be really useful for someone who's managing a firewall with 100 or more firewall rules, because this will filter out the majority of them and you will be able to look at what interests you.

And the third hint I have for you: always, and I mean always, leave a rule description, because I've found myself too many times in a situation where I log into the firewall, someone did not leave a description on the rule, and I do not understand why it's there in the first place. But even if you added the rule yourself and you didn't touch your firewall for a few months, you might forget what it's there for, so always use the rule description.

That's it for this video. Please like, subscribe and share. If you're interested in helping out our channel directly, there is a PayPal donation link down below. Special thank you to all the people listed up there; they are active supporters of our channel and they help to deliver this content to all of you guys. Thank you very much for watching, and I'll see you in the next one.
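The rule ordering and the Quick flag behaviour described in the captions, as an added example that is not part of the video or of OPNsense's own code: a small Python model of how pf walks a rule list (quick rule: first match wins; non-quick rule: remembered, last match wins; no match: default deny), loaded with the LAN1 rules built in the video. The rule names are the video's categories; the LAN2 network (192.168.20.0/24), the firewall's LAN addresses (192.168.10.1 and 192.168.20.1) and the sample packets are assumptions constructed for the example, not taken from the page.

```python
"""Toy model of pf rule evaluation (the packet filter under OPNsense).

Quick rules win on first match, non-quick rules are only remembered and
the last match wins, and a packet that matches nothing is blocked by the
default deny. Added illustration, not OPNsense code; rule names come from
the video, network addresses and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Alias from the video: the three RFC 1918 private ranges.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed for the example: LAN2 is 192.168.20.0/24 and "This Firewall"
# resolves to the firewall's LAN addresses 192.168.10.1 and 192.168.20.1.
LAN2_NET = [ip_network("192.168.20.0/24")]
THIS_FIREWALL = [ip_network("192.168.10.1/32"), ip_network("192.168.20.1/32")]


@dataclass
class Packet:
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                 # "pass", "block" or "reject"
    quick: bool = True
    proto: Optional[str] = None     # None means any protocol
    dst: Optional[list] = None      # None means any destination
    dport: Optional[int] = None     # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst is not None:
            addr = ip_address(pkt.dst)
            if not any(addr in net for net in self.dst):
                return False
        return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk the rules top to bottom the way pf does; return (action, name).

    A matching quick rule ends the search immediately. A matching non-quick
    rule is only remembered, so any later match (quick or not) overrides
    it. If nothing matches, the inbound default deny applies."""
    last = None
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.quick:
            return rule.action, rule.name
        last = (rule.action, rule.name)
    return last if last is not None else ("block", "default deny")


def lan1_rules_right_order() -> list:
    """The LAN1 rule set built in the video, top to bottom, all quick."""
    return [
        Rule("allow access to lan 2", "pass", dst=LAN2_NET),
        Rule("allow ping", "pass", proto="icmp", dst=THIS_FIREWALL),
        Rule("allow dns", "pass", proto="udp", dst=THIS_FIREWALL, dport=53),
        Rule("reject private ranges", "reject", dst=PRIVATE_RANGES),
        Rule("allow internet", "pass"),
    ]


def lan1_rules_wrong_order() -> list:
    """Same rules with the quick allow-any moved to the top: first match
    wins, so the four rules below it are never consulted."""
    rules = lan1_rules_right_order()
    return [rules[-1]] + rules[:-1]


def lan1_rules_non_quick_allow() -> list:
    """The alternative shown in the video: allow-any at the top with Quick
    unset, so it only decides when nothing further down matches."""
    rules = lan1_rules_right_order()
    return [Rule("allow internet", "pass", quick=False)] + rules[:-1]


def only_reject_and_non_quick_allow() -> list:
    """The state the video tests: ping, DNS and LAN2 rules disabled, a
    non-quick allow-any on top and the quick reject below it."""
    return [
        Rule("allow internet", "pass", quick=False),
        Rule("reject private ranges", "reject", dst=PRIVATE_RANGES),
    ]
```

The model deliberately leaves out the rules OPNsense generates on its own (the anti-lockout rule the video mentions, for instance), so it only shows how ordering and Quick interact for the rules you add by hand.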
Info
Channel: Gateway IT Tutorials
Views: 18,417
Keywords: opnsense, firewall
Id: kYFNa_zpeII
Length: 23min 16sec (1396 seconds)
Published: Thu Jan 21 2021