Expected behavior
Firewall rules are not redundant and as tight as possible.
Actual behavior
The rules for OPNSense firewall, App server network (interface OPT1) first block all traffic from OPT1 interface to LAN and OPT2 interface (rules 3 and 4 respectively), and later allow TCP traffic from OPT1 to all destinations (rule 5). Given that at this point the only remaining interface is WAN, and that OPNSense defaults to block unmatched traffic, wouldn't it be easier to drop rules 3 & 4 and tighten down rule 5 to only allow traffic to WAN interface? This would also help future-proofing in case of firewalls with more interfaces.
Additional information
There's a similar issue with OPT2 firewall rules.
cfm changed the title from "Redundant/incorrect entries in OPNSense App server network (OPT1) firewall rules" to "restrict Tor allow-rules to WAN-outbound traffic only" on Jan 11, 2024
In general, I think we've tried to make the firewall rules as explicit as they can be, so that it's possible to reason about their interactions at the interface level, without needing to recall the firewall's default behavior (or trust that it hasn't been changed).
However, I think you're right that we can further tighten the allow-rules for Tor to WAN-outbound traffic. I've retitled this ticket for this goal. Please let me know if I'm not fully responding to your suggestion here!
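The trade-off raised in the report and in the reply above can be checked mechanically. The following is an added illustration, not code from the project or from either participant: a minimal first-match firewall model that compares the current OPT1 layout (explicit blocks to LAN and OPT2, then a TCP allow to any destination) with the proposed one (a single TCP allow to WAN). Interface names, rule contents and the "block" default policy are taken from the issue text; the `Rule`, `evaluate` and `compare` names are assumptions of this example. It shows that the two layouts decide identically on a four-interface firewall, that they diverge once an extra interface (here a hypothetical `OPT3`) is added, and that the proposed layout depends on the default policy whereas the explicit blocks do not.

```python
# Added example (not project code): first-match rule evaluation for OPNsense-style
# interface rules. Rule 5 in the issue is modelled as a TCP allow with any destination.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source interface the rule is attached to
    dst: Optional[str]           # destination interface, None means any
    proto: Optional[str] = None  # None means any protocol


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "tcp",
             default: str = "block") -> str:
    """First matching rule wins; unmatched traffic gets the default policy.

    OPNsense blocks unmatched traffic by default, so `default="block"` models
    the stock configuration; passing `default="pass"` models a changed default.
    """
    for r in rules:
        if r.src != src:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        return r.action
    return default


# Current layout as described in the report (rules 3, 4 and 5 for interface OPT1).
CURRENT_RULES = [
    Rule("block", "OPT1", "LAN"),
    Rule("block", "OPT1", "OPT2"),
    Rule("pass", "OPT1", None, "tcp"),
]

# Proposed layout: one allow restricted to WAN; everything else hits the default.
PROPOSED_RULES = [
    Rule("pass", "OPT1", "WAN", "tcp"),
]


def decisions(rules: List[Rule], interfaces: List[str], src: str = "OPT1",
              proto: str = "tcp", default: str = "block") -> Dict[str, str]:
    """Decision for traffic from `src` to every other interface."""
    return {dst: evaluate(rules, src, dst, proto, default)
            for dst in interfaces if dst != src}


def compare(interfaces: List[str], default: str = "block"
            ) -> Tuple[Dict[str, str], Dict[str, str], List[str]]:
    """Return (current decisions, proposed decisions, destinations that differ)."""
    cur = decisions(CURRENT_RULES, interfaces, default=default)
    prop = decisions(PROPOSED_RULES, interfaces, default=default)
    diff = sorted(d for d in cur if cur[d] != prop[d])
    return cur, prop, diff


if __name__ == "__main__":
    four = ["WAN", "LAN", "OPT1", "OPT2"]
    five = four + ["OPT3"]  # hypothetical extra interface, constructed for the example
    print("4 interfaces, default block:", compare(four))
    print("5 interfaces, default block:", compare(five))
    print("4 interfaces, default pass: ", compare(four, default="pass"))
```

With the stock default the two layouts agree on every destination, which is the reporter's point; adding `OPT3` makes the current rule 5 allow traffic the proposed rule would not, which is the future-proofing argument; and flipping the default to `pass` leaves the explicit blocks of the current layout intact while the proposed layout would open LAN and OPT2, which is why the reply prefers rules that do not rely on the default.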