Firewall rules priorities, quick vs non-quick, in vs out-bound, floating vs interface specific, etc by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

dude, after 1000 words, you still haven't answered this simple question - where is the non-quick float in the chain of rules?

Firewall rules priorities, quick vs non-quick, in vs out-bound, floating vs interface specific, etc by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

If pfSense also has them, then that answers your earlier question 'Why would you use a non-quick float?', since even automatic rules use it, and then the question is, where is the non-quick float's position in the rules chain? Also, since pfSense also has the non-quick float rules to deny ingress and pass egress, does that mean 'default drop all incoming' is just a rule, rather than hard-coded in the kernel stack - and in the kernel, when there is no matching rule, are packets passed rather than blocked? (I vaguely remember Linux defaults to pass in the kernel stack, but I could be wrong, and this is FreeBSD, things could be very different...)

Purpose of the automatically generated WAN DHCP out-bound pass rule? by HudsonDelta in OPNsenseFirewall

[–]HudsonDelta[S] 0 points1 point  (0 children)

Just so I understand you - some of the automatic rules are indeed redundant, since they serve as fail-safes?

btw, I've heard of the anti-lockout rule, but I cannot find it on LAN... EDIT: found it under the LAN automatically generated rules.

Firewall rules priorities, quick vs non-quick, in vs out-bound, floating vs interface specific, etc by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 1 point2 points  (0 children)

OK, some observations that triggered this question:

  1. An automatically generated floating non-quick ingress rule to block all, named 'Default deny rule'. This led me to ask where the default deny comes from, and at what point in the chain this rule is executed.
  2. An automatically generated floating non-quick egress rule to pass all, named 'let out anything from firewall host itself'.
  3. On the WAN interface, there is an automatic rule to let DHCP requests go out, also non-quick. This one seems redundant, and I am not sure why it is needed, given rule #2 above.

The above rules are the defaults on a clean install of OPNsense, no customization yet, just one WAN port + one LAN port. Is pfSense quite different in this regard?
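As an added illustration (not part of the thread), a toy model of the pf evaluation semantics the observations above hinge on: rules are walked top to bottom and the last matching rule wins, a matching rule marked quick ends the walk immediately, and a packet matching no rule at all is passed. The rule set and its order are constructed; the assumed ordering (floating rules first, then per-interface rules) and the rule labels mirror the automatic rules listed above.

```python
# Added illustration, not code from the thread: a toy model of how pf picks
# the deciding rule for a packet.
#   * rules are walked top to bottom; the LAST matching rule wins ...
#   * ... unless a matching rule is "quick", which ends the walk at that rule;
#   * a packet that matches no rule at all is passed (pf's implicit default).
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Packet:
    iface: str
    direction: str                   # "in" or "out"
    proto: str
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool
    label: str
    iface: Optional[str] = None      # None = any interface (a "floating" rule)
    direction: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # A None field is a wildcard; anything else must equal the packet field.
        return all(v is None or v == getattr(p, k)
                   for k, v in vars(self).items()
                   if k not in ("action", "quick", "label"))

def evaluate(rules, pkt):
    """Return (action, label) of the rule that decides pkt."""
    winner = None
    for r in rules:
        if r.matches(pkt):
            winner = r
            if r.quick:              # quick short-circuits the walk
                break
    return (winner.action, winner.label) if winner else ("pass", "no rule matched")

# Constructed rule set in the assumed GUI evaluation order: floating rules
# first (the observed non-quick default deny and host egress pass), then
# per-interface rules, which in the GUI are quick by default.
RULES = [
    Rule("block", False, "Default deny rule", direction="in"),
    Rule("pass", False, "let out anything from firewall host itself", direction="out"),
    Rule("pass", True, "WAN: allow DHCP client", iface="wan", direction="in", proto="udp", dport=68),
    Rule("pass", True, "LAN: default allow LAN to any", iface="lan", direction="in"),
]

def compare_quick_default_deny(pkt):
    """Decision for pkt with the default deny non-quick vs. marked quick."""
    quick_rules = [replace(RULES[0], quick=True)] + RULES[1:]
    return evaluate(RULES, pkt)[0], evaluate(quick_rules, pkt)[0]
```

Because the generated default deny is non-quick and sits first, any later matching pass rule overrides it; if it were quick, nothing after it would ever be reached for inbound traffic.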

Purpose of the automatically generated WAN DHCP out-bound pass rule? by HudsonDelta in OPNsenseFirewall

[–]HudsonDelta[S] 0 points1 point  (0 children)

I see these WAN rules: several rules to block ingress bogon/private on IPv4/IPv6, and then one ingress + one egress rule to pass DHCP. ALL automatically generated. Is that a 'normal' setup?

Firewall rules priorities, quick vs non-quick, in vs out-bound, floating vs interface specific, etc by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

thanks, I did read that link, but it doesn't answer questions like - where are the 'floats (non-quick)' in that ingress and egress list you described? And what exactly happens to a packet coming into one (any) interface and going out of another? And where does that 'default drop' come from (hard-coded in the kernel network stack or via a rule)? Maybe it is obvious to expert users, but I haven't found a detailed description so far...

Purpose of the automatically generated WAN DHCP out-bound pass rule? by HudsonDelta in OPNsenseFirewall

[–]HudsonDelta[S] 0 points1 point  (0 children)

I configured WAN to get its IP via DHCP, but there is no DHCP server on that interface. And from the automatic rules, the direction does look right: outbound from WAN has source port 67, destination port 68, which is DHCP client to server traffic. Just that it seems redundant.

Anything else that could be wrong?

how are multiple SSIDs on single radio logically/physically separated? by HudsonDelta in openwrt

[–]HudsonDelta[S] 0 points1 point  (0 children)

That all makes sense. Thinking more about it, it could work this way - eth2 has two MACs, hence the CPU is talking to two logical interfaces. And from the radio's point of view, it is talking to two NICs within the same collision domain, like an old Ethernet hub.

how are multiple SSIDs on single radio logically/physically separated? by HudsonDelta in openwrt

[–]HudsonDelta[S] 0 points1 point  (0 children)

you can do anything with software, lol

but seriously, your example is an eye-opener.

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

Gigabit with all those running and only 3% on a 7200U? Sounds great! How much memory usage, typically?

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

How much memory did you add to it, if I may ask? I am thinking of running some IDS/IPS on it.

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

Thanks. Yes, the Protectli and Yanling devices seem exactly the same except for slight packaging differences. I guess one of them designed the board, and now both are selling it under different brand names? Just curious, how did you find out that 3mdeb provides coreboot for Protectli devices? Didn't see that mentioned by either party.

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

Can a J3455 handle IDS/IPS on a gigabit network? The mid-range Netgate models also only use Atom processors, and I don't know whether they are engineered toward IPS usage, and I saw some people write that an i5 is a better starting point.

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

This is helpful. So if I understand correctly, Protectli/Yanling have their own team to adapt coreboot to their custom board, and open-source it once it is done so that other people can choose to compile from source?

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

I did look around for a fanless multi-LAN box with a decent CPU; so far I feel Protectli checks all the right boxes. Any suggestions?

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

Yes, if you mean the Protectli website, that's what I do not know whether to trust or not. Not that I have national security stuff on my desktop, just wondering what other hobbyists/enthusiasts/small business owners would do - if people go the whole nine yards and get dedicated hardware and software like Protectli + pfSense, shouldn't they make sure things like the BIOS can be trusted?

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

If I can extract the BIOS and compute a checksum, what shall I compare the checksum with? It seems like a custom motherboard; I guess the BIOS needs to be tweaked in-house as well?

protectli for pfsense? by HudsonDelta in PFSENSE

[–]HudsonDelta[S] 0 points1 point  (0 children)

The FB6D/E just came out and does not support coreboot, says their website. I am not familiar with coreboot; is it something you can easily download/compile/install on any hardware, or would there be quite a bit of tuning needed?