Project

General

Profile

Actions

Feature #4165

closed

Allow for security zones when defining interfaces and firewall rules.

Added by Ryan H almost 10 years ago. Updated 9 months ago.

Status:
Rejected
Priority:
Low
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
12/31/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

I have experience using CheckPoint and PaloAlto appliances with "zone" features. This allows you to group networks\interfaces into security zones. These zones can be trusted, untrusted, vpn, etc... Instead of needing to block all additional trusted zones from your DMZ network when your intent is to allow traffic to the internet only, you can set the destination zone in the rule to "external" or "untrusted" resulting in the same policy but with a single rule. This makes policy creation and management much simpler while ensuring tight security and intended behavior. I know pfSense allows you to group interfaces and manage them in one common rule set, but the idea of zones is different and quickly being adopted across the industry. It closes up leaks that are commonly overlooked.


Files

sonicwallsetup2-1.png (36.2 KB) sonicwallsetup2-1.png Durwin Babb, 11/02/2023 06:08 PM
090210531592025.png (108 KB) 090210531592025.png Durwin Babb, 11/02/2023 06:12 PM
Actions #1

Updated by Chris Buechler almost 9 years ago

  • Category set to Rules / NAT
Actions #2

Updated by Durwin Babb about 1 year ago

This is such an important feature request because from what I have seen in the community there is loads of confusion with PFSense access rules. PFSense please take a look at this forum thread to understand why security zone standards will make more sense just like SonicWALL, Checkpoint, Palo Alto, and Fortinet. https://forums.lawrencesystems.com/t/pfsense-rules-confusion/457

Actions #3

Updated by Marcos M about 1 year ago

  • Status changed from New to Rejected

With the use of interface groups and/or aliases, the same functionality is possible (and more flexible). This is even easier now that #14448 has been implemented. The confusion referenced on the forum link stems from the assumption that "WAN net" means "internet" - this should hopefully be a bit clearer now that the macro description is "WAN subnets".

Actions #4

Updated by Mike Moore about 1 year ago

Marcos, is there supporting documentation for this incoming? This is a much-needed feature to get that zone-esque time of set up thats the norm today. I would like to read up more on this.

Actions #5

Updated by Durwin Babb about 1 year ago

Marcos M wrote in #note-3:

With the use of interface groups and/or aliases, the same functionality is possible (and more flexible). This is even easier now that #14448 has been implemented. The confusion referenced on the forum link stems from the assumption that "WAN net" means "internet" - this should hopefully be a bit clearer now that the macro description is "WAN subnets".

Hello Marco M:

This is what I am trying to do and so many other people with PFSense. I will list a few examples.

Zone and destinations.

VLANS TO AND FROM

LAN TO WAN
WORKSTATION TO WAN
SERVERS TO WAN
VMHOST TO WAN
MANAGEMENT TO WAN

The ports I allow go to from those zones to Wan do not affect local traffic, only the internet.

Local zone-to-zone traffic

LAN TO SERVERS with limited ports only
WORKSTATION TO SERVERS with limited ports only
MANAGEMENT TO ALL ZONES with limited ports only

We can already do this with about any commercial-grade Firewalls as this has become a known standard among them.

Actions #6

Updated by Durwin Babb about 1 year ago

Marcos M wrote in #note-3:

With the use of interface groups and/or aliases, the same functionality is possible (and more flexible). This is even easier now that #14448 has been implemented. The confusion referenced on the forum link stems from the assumption that "WAN net" means "internet" - this should hopefully be a bit clearer now that the macro description is "WAN subnets".

Via the screenshot, we want to control from to network and then just add the rules inside.

Actions #7

Updated by Marcos M about 1 year ago

Though there's plenty of related documentation and resources already, it'd be helpful to have something for this type of configuration in particular. It may be some time, but I'll try to come up with something.

Actions #8

Updated by Ryan S 9 months ago

Marcos M wrote in #note-7:

Though there's plenty of related documentation and resources already, it'd be helpful to have something for this type of configuration in particular. It may be some time, but I'll try to come up with something.

In terms of a UI addition, or documentation specifically for this use-case, or both? I am trying to wrap my head around pfSense's model coming from VyOS' zone firewall and it is difficult to me to know exactly the best approach. Even just a quick pointer in the right direction would be helpful right now. I could see how using floating rules with alias' would be one approach to this, but it feels like that could become a Bad Idea™ pretty quickly.

Actions

Also available in: Atom PDF