copy reverse in firewall?

This is more of a request than a problem.
Please add a copy reverse option when doing NATs. That would be very helpful.

This is not the correct way to make requests.

But what exactly are you talking about anyway?

Like any other firewall has.
If I make rules in both directions, usually I will copy the rule and change the source/destination IP, but it would be better to have copy reverse to swap the source and destination IP.
Not only in NAT rules, also in FILTER; the logic is the same.

No, your logic is flawed.

A rule is one way on purpose!
If I allow the admin on one VLAN access to a shared printer on another VLAN, that means I am allowing traffic ORIGINATING from the admin to access the printer, as desired.

I DO NOT WANT the printer being able to originate and reach the admin as a default rule of any sort. BAD BAD BAD.
Most admins like the concept of BLOCK ALL and only allow the traffic that specific rules explicitly allow.

Also, do not get confused: when I say a one-way rule, this means the return traffic from the originating request is passed back to the originator. One does not need a return firewall rule to allow the answer to get back to the originator. It's all considered the same session!! The key is where the traffic originated and where it is going!

I just checked some toys from Tenda, Zyxel, D-Link and TP-Link; none of them has that option…
“Any other”, for me, at this point, does not exist.

I do not remember that option on Cisco…

In all these years that I have been working, it has never helped me to copy the reverse(¹)… of something, also because “on the contrary” would not make sense or would be useless …

Just to complete @anav’s answer, return traffic works automatically if you have a stateful firewall (which is generally a good idea), i.e. you allow established connections with connection-state=established,related.

Try it on FortiGate :slight_smile:
Clone Reverse is the option name.

FortiGate != “anyother”

OMFG, you can copy firewall rules (not that hard to switch in-interface to out-interface or src-address to dst-address etc…)

Clone Reverse is not something you need to do to make the firewall work. It would be interesting to see your FortiGate firewall if you have done that for all your rules???
It's just like anav writes, an option to save you some clicks if you need a reverse rule to be created.

Reading the manual does help:
https://docs.fortinet.com/document/fortimanager/6.2.0/new-features/16032/clone-reverse-policy#:~:text=To%20Clone%20Reverse%20a%20Policy,also%20switched%20with%20each%20other.

I am not telling you about traffic that is not required. What about computers in the managed server computers group, where they must initiate conversations with each other (for load balancing information sharing, for example), and what if there are no internal routes for that kind of traffic (if both servers are inside or outside the DMZ segment)? A bi-directional rule is needed then.

Sorry fortigate guru :frowning:

You can close this thread, mikrotik firewall forever!!!

Sorry, I didn't mean exclusive leading firewall devices like Tenda, Zyxel, D-Link and TP-Link :slight_smile: My mistake :slight_smile:

I don’t know if you get it, but I’m not disputing whether the option is useful or not (it can probably be useful, why not…),
but the fact that since ONE brand has this option (on one model or on all, no matter),
when you use any other brand you can’t find it, so you can’t talk about “any other firewall”…

As I stated, it won't happen on MT routers because they already allow you to do that by the ability to copy any rule.
The difference is MT doesn't assume it's necessarily the interfaces you want to switch, as feeblegate does.
What if it's the dst address or src address or a firewall address list etc…? Since MT has more options than fortishit, it would make little sense to reverse clone.

Don’t get me wrong, if there is some functionality that would be helpful I am all ears; personally I like Zyxel's ability to do hairpin NAT with a check box LOL.
However I had no clue what that checkbox actually did. With mikrotik you have to learn and understand packet flow so as to address the issue, so in the end I am better for it not being automated as the skills learned are transferable to other situations outside hairpin nat.
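As an added example that is not part of any post above and not MikroTik's or Fortinet's code: the thread makes two technical points, that a stateful forward chain (connection-state=established,related accepted before the drop) already handles return traffic, and that a "clone reverse" on RouterOS would have to decide which selectors to swap (src/dst address, address list, port, in/out interface). The script below works on constructed `/ip firewall filter export` style lines. `reverse_rule` does what the linked FortiGate doc describes, switching source with destination and incoming with outgoing interface, and returns None when a rule has nothing to swap (the stateful rule); `is_stateful` checks that the forward chain accepts established,related before its first drop. The sample rules, the "(reverse)" comment suffix and the choice of which property pairs are counterparts are this example's assumptions; the property names themselves are the real RouterOS ones.

```python
"""Reverse-clone helper for RouterOS firewall export lines (added example, not vendor code)."""
import shlex

# Property pairs that a "clone reverse" swaps. The names are real RouterOS filter/NAT
# properties; treating them as counterparts is this example's assumption.
SWAP_PAIRS = [
    ("src-address", "dst-address"),
    ("src-address-list", "dst-address-list"),
    ("src-port", "dst-port"),
    ("in-interface", "out-interface"),
    ("in-interface-list", "out-interface-list"),
]
COUNTERPART = {}
for left, right in SWAP_PAIRS:
    COUNTERPART[left] = right
    COUNTERPART[right] = left

# Constructed sample export: stateful accept first, two one-way allows, default drop.
SAMPLE_EXPORT = [
    'add chain=forward action=accept connection-state=established,related comment="return traffic"',
    'add chain=forward action=accept protocol=tcp src-address=10.0.10.5 dst-address=10.0.20.9 '
    'dst-port=9100 in-interface=vlan10 out-interface=vlan20 comment="admin to printer"',
    'add chain=forward action=accept protocol=tcp src-address=10.0.30.10 dst-address=10.0.40.10 '
    'dst-port=8080 in-interface=vlan30 out-interface=vlan40 comment="lb peer sync"',
    'add chain=forward action=drop comment="block everything else"',
]


def parse_rule(line):
    """Turn 'add key=value ... comment="a b"' into an ordered list of (key, value)."""
    tokens = shlex.split(line.strip())  # shlex handles the quoted comment
    if not tokens or tokens[0] != "add":
        raise ValueError("expected a RouterOS 'add ...' export line")
    pairs = []
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"not key=value: {tok}")
        pairs.append((key, value))
    return pairs


def format_rule(pairs):
    """Serialise (key, value) pairs back to an export line, quoting values with spaces."""
    parts = ["add"]
    for key, value in pairs:
        if value == "" or any(ch.isspace() for ch in value):
            parts.append(f'{key}="{value}"')
        else:
            parts.append(f"{key}={value}")
    return " ".join(parts)


def reverse_rule(line):
    """Clone a rule with src/dst and in/out selectors switched.

    Chain, action, protocol and connection-state are kept as they are; only the
    selectors in SWAP_PAIRS change sides. Returns None when nothing is swappable,
    which is the case for the established,related rule: return traffic needs no
    reverse rule, so cloning it would only duplicate the original.
    """
    pairs = parse_rule(line)
    if not any(key in COUNTERPART for key, _ in pairs):
        return None
    swapped = []
    for key, value in pairs:
        if key == "comment":
            value = value + " (reverse)"  # example convention: mark the clone
        swapped.append((COUNTERPART.get(key, key), value))
    return format_rule(swapped)


def is_stateful(lines):
    """True if the forward chain accepts established,related before its first drop.

    RouterOS filter rules default to action=accept when action is omitted.
    """
    for line in lines:
        rule = dict(parse_rule(line))
        if rule.get("chain") != "forward":
            continue
        action = rule.get("action", "accept")
        states = set(rule.get("connection-state", "").split(","))
        if action == "accept" and {"established", "related"} <= states:
            return True
        if action == "drop":
            return False
    return False


if __name__ == "__main__":
    print("stateful forward chain:", is_stateful(SAMPLE_EXPORT))
    for rule in SAMPLE_EXPORT:
        print(rule)
        print("  reverse ->", reverse_rule(rule))
```

Run it and the stateful rule and the final drop come back as None (nothing to reverse), while the admin-to-printer rule turns into a printer-to-admin rule with dst-port=9100 becoming src-port=9100, which is exactly the rule anav warns you usually do not want; the lb peer rule is the case where the reversed clone is what you do want. Whether to add the clone is still the operator's decision; the script only makes the swap explicit.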