What’s the best firewall practice in your opinion in a scenario like this?
Server 192.168.10.10 (VLAN 10) has to communicate with the whole VLAN 20. VLAN 20 doesn’t need to communicate with VLAN 10 (but the returning traffic still has to reach the server).
I’m asking about the router viewpoint (CPU usage, best performance, the fastest way).
Is it better to use address list for VLAN 20 or use the network 192.168.20.0/24 directly in rules? The list would contain only this subnet and nothing more.
Is it better to use or not to use negation in rules? You can accept established and related connections or drop these two negated.
Is this question really a thing, or are the differences negligible and it’s more like “what’s more comfortable for me”?
It’s a theoretical question and the presented scenario is just an example.
Your question is weird to start with.
A server is a server; why are you suggesting that it’s acting like a user and initiating traffic to all of vlan20? It’s the reverse!!
Let’s say the server is on vlan10.
add action=accept chain=forward in-interface=vlan20 dst-address=serverIP (if you wanted, but not necessary, add out-interface=vlan10). All of the vlan20 users are servers and the server is initiating traffic??
More typically, like a shared printer, all need access, in which case: add action=accept chain=forward in-interface-list=LAN dst-address=PrinterIP.
This all assumes your last rule in the forward chain is a drop all else rule.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For two or more subnets use INTERFACE LISTS.
(Exception, trusted or management interface could be only one subnet.)
To describe single subnets use subnet nomenclature 192.168.X.0/24
Address lists should be used when you have less than a full subnet of users, or users from various subnets that need to form a list either by themselves, or even in combination with whole subnets.
You are right, the term “server” might be confusing, but what I mean is a larger spectrum of devices which initiate traffic (like NVRs, or a computer with software from which you send/synchronize rights with controllers to open the doors in an RFID access control system, for example; you can also have a software/service running on a “server” which scans your network with SNMP and it also initiates traffic (like Zabbix), etc.).
We can go deeply into this and I can use more examples, but it’s definitely not the point for me in this question.
Thank you for your response, it’s the way I was thinking about address lists.
And what about other questions:
2) Is it better to use or not to use negation in rules? You can accept established and related connections or drop this two negated.
In other words - you can accept established and related, or accept negated new, untracked and invalid. Is there a difference (still asking about the router point of view)?
3) Is it better in general to use fewer rules and address lists? (I believe I know the answer and Anav’s post did confirm that, but maybe someone has other thoughts?)
Regarding the requirements… thanks for the explanation. I certainly don’t want any device communicating to users directly ( only if queried ). It seems as if you have unique setups where this occurs and thus formulate the rules as necessary.
In terms of questions…
It’s always better to be clear and precise and avoid extra or “cute” ways of configuring rules.
Hence:
Use drop rules at the end of the input chain and forward chain. This allows the admin to focus and only be concerned with the actual requirements (and the admin accept rules): traffic that needs to flow for users and devices. The rest of the traffic we need not be concerned about, because it’s dropped. Clean, easy, secure.
Dropping traffic or use of the “everything but” symbol (negation) ! has its place, as does mangling and other tricks, but only when necessary.
Thanks Anav.
I’m aware of the things mentioned in point 1); it’s the best and most secure habit.
About point 2) - understood, but… I have a firewall configuration done by someone else, which is rather open and doesn’t have a drop-everything-else rule at the end. We are talking about a network built of almost 40 VLANs running in a daily routine in a company working 24/7. I cannot simply put that drop rule in and fix “something” in a short time - it would be catastrophic and chaotic. I would stop some production processes on machines which are generating money for the company. It would burn my ass like hell.
So I’m doing it in smaller pieces, one VLAN at the time and waiting for possible calls and traffic I’m not aware of.
In this situation and using the example from the first post, I need to add 3 firewall rules:
accept forward from 192.168.10.10 to whole VLAN 20 subnet,
accept forward from VLAN 20 to 192.168.10.10 (only established and related),
drop everything which dst. address is 192.168.10.10.
And I’ve “discovered” that I can do it with only two rules:
accept forward from 192.168.10.10 to whole VLAN 20 subnet,
drop everything which dst. address is 192.168.10.10 besides established and related connections (and here logically for me is to use negation in the rule - negation which is the same as word “besides” in the sentence but of course I can drop new, untracked and invalid and get the same result).
What I want to know is what is better for the router - I can do it in 3 ways, and all will work out. Administrator is clear.
But if we are talking about 40 VLANs and a lot of this kind of connections… Bad behavior can affect the performance of the router and the whole network. At the end I will add the “drop everything” rule and clean out the firewall, but at this point… It is what it is.
are both perfectly acceptable, its up to you how many conditions you want to set. For example if you are afraid of some sort of spoof or hack, the more conditions make that harder.
the second rule says the traffic has to come from the vlan interface and be 192.168.10.10, whereas the first rule only says the traffic has to come from 192.168.10.10.
This is where I fail to see why you are getting “CUTE”. You should know that if you make a firewall rule allowing .10 to vlan20, then any return traffic is permitted.
Is there a problem in that you don’t want return traffic???
To make it clear, setting a rule from .10 to vlan20, does not allow vlan20 users to originate traffic to .10.
Again you are adding complications that may not be necessary.
You are on the right track.
a. identify all the traffic that NEEDS TO HAPPEN ( a much smaller set than trying to figure out what needs to be blocked ).
b. start adding these rules in, no harm no foul, as allowing stuff doesn’t break anything.
Use a flow diagram for each department to detail what each user in that department needs for traffic; probably few individual needs and mostly group needs.
Once you have the diagrams, then you can translate that into firewall rules
any traffic from one vlan to another vlan will need a rule,
could be one user (src-address), group of users (src-address-list) or a whole subnet etc…
A good example of a common rule is internet access. Let’s say you have 40 vlans and 10 don’t need internet access.
Your best rule for two or more groups of subnets (aka vlans) is interface lists.
So make a list called INTERNET
If it was only one subnet that should not have internet, an interface list for internet is probably not required, as one could do:
add chain=forward action=accept comment="net traffic" in-interface-list=LAN out-interface-list=WAN src-address=!SingleSubnet
Okay, I’m going back after some testing and thinking.
Let’s start with this again:
accept forward from 192.168.10.10 to whole VLAN 20 subnet,
accept forward from VLAN 20 to 192.168.10.10 (only established and related),
drop everything which dst. address is 192.168.10.10.
I’m not sure why I wrote the 3rd point this way so let’s change it:
accept forward from 192.168.10.10 to whole VLAN 20 subnet,
accept forward from VLAN 20 to 192.168.10.10 (only established and related),
drop everything which dst. address is 192.168.10.0/24 (so the whole subnet).
And now:
3) This rule is just a “drop everything else” rule, but only for this subnet, vlan10. For now; in the future all of these will be deleted because of one rule for all vlans.
When I add the “drop everything which dst. address is 192.168.20.0/24 (vlan20)” rule, the .10.10 cannot reach anything in vlan20. That’s why I use the rule “accept forward from VLAN 20 to 192.168.10.10 (only established and related)” - for return traffic. It doesn’t work without this rule. I don’t use NAT in inter-VLAN routing. I don’t have a rule somewhere at the top of the firewall which is accepting every established and related connection - but I will think about it. I didn’t do so earlier but… How was it? “One rule to connect them all”? It’s an attractive idea.
The whole firewall default rules (or some of them) were deleted in the past, if accept established and related was there by default - I didn’t have it. But now I have and don’t need to be “CUTE” in rules anymore.
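The scenario from the first post written out as RouterOS filter rules, as an added example that is not configuration from either poster: the three-rule form, the two-rule negated form, and the "one accept for all replies at the top" form the thread ends on. Interface names vlan10/vlan20 and the address-list name are assumed; apply only one variant.

```routeros
# Added example (constructed, not from the thread). Pick ONE variant.
/ip firewall filter

# --- Variant A: the three explicit rules from the thread ---
add chain=forward action=accept src-address=192.168.10.10 dst-address=192.168.20.0/24 \
    comment="A1 .10.10 may initiate to all of VLAN 20"
add chain=forward action=accept in-interface=vlan20 dst-address=192.168.10.10 \
    connection-state=established,related comment="A2 replies from VLAN 20 only"
add chain=forward action=drop dst-address=192.168.10.0/24 \
    comment="A3 drop everything else toward VLAN 10"

# --- Variant B: same policy in two rules, negation in the drop ---
# connection-state=!established,related matches exactly new, untracked and invalid,
# so this is the same as listing those three states.
add chain=forward action=accept src-address=192.168.10.10 dst-address=192.168.20.0/24 \
    comment="B1 .10.10 may initiate to all of VLAN 20"
add chain=forward action=drop dst-address=192.168.10.0/24 \
    connection-state=!established,related comment="B2 drop toward VLAN 10 unless it is a reply"

# --- Variant C: what the thread converges on ---
# Replies for every VLAN are accepted once, by the first rule, so a reply packet never
# walks the per-VLAN address rules below it. Then one accept per flow that NEEDS to
# happen, and a single drop at the end instead of a per-subnet drop.
add chain=forward action=accept connection-state=established,related \
    comment="C1 all return traffic, one rule for every VLAN"
add chain=forward action=drop connection-state=invalid comment="C2 drop invalid"
add chain=forward action=accept src-address=192.168.10.10 dst-address=192.168.20.0/24 \
    connection-state=new comment="C3 .10.10 may initiate to all of VLAN 20"
# ...one accept per required inter-VLAN flow goes here...
add chain=forward action=drop comment="C4 drop everything else (last rule)"

# Address list vs. subnet: a single full subnet is written directly, as above. A list
# earns its keep once several hosts or subnets share one policy and several rules use it.
/ip firewall address-list
add list=DOOR-CONTROLLERS address=192.168.20.0/24 comment="constructed example"
add list=DOOR-CONTROLLERS address=192.168.30.0/24 comment="constructed example"
/ip firewall filter
add chain=forward action=accept src-address=192.168.10.10 dst-address-list=DOOR-CONTROLLERS \
    connection-state=new comment="one rule instead of one per subnet"
```

In variants A and B the reply traffic is matched by an address-specific rule, so every VLAN pair needs its own copy; in variant C rule C1 covers replies for all 40 VLANs before any address comparison is made.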