Feature #4165
closed
Allow for security zones when defining interfaces and firewall rules.
Added by Ryan H over 9 years ago.
Updated about 1 month ago.
Description
I have experience using CheckPoint and PaloAlto appliances with "zone" features. This allows you to group networks\interfaces into security zones. These zones can be trusted, untrusted, vpn, etc... Instead of needing to block all additional trusted zones from your DMZ network when your intent is to allow traffic to the internet only, you can set the destination zone in the rule to "external" or "untrusted" resulting in the same policy but with a single rule. This makes policy creation and management much simpler while ensuring tight security and intended behavior. I know pfSense allows you to group interfaces and manage them in one common rule set, but the idea of zones is different and quickly being adopted across the industry. It closes up leaks that are commonly overlooked.
Files
- Category set to Rules / NAT
This is such an important feature request because from what I have seen in the community there is loads of confusion with PFSense access rules. PFSense please take a look at this forum thread to understand why security zone standards will make more sense just like SonicWALL, Checkpoint, Palo Alto, and Fortinet. https://forums.lawrencesystems.com/t/pfsense-rules-confusion/457
- Status changed from New to Rejected
With the use of interface groups and/or aliases, the same functionality is possible (and more flexible). This is even easier now that #14448 has been implemented. The confusion referenced on the forum link stems from the assumption that "WAN net" means "internet" - this should hopefully be a bit clearer now that the macro description is "WAN subnets".
Marcos, is there supporting documentation for this incoming? This is a much-needed feature to get that zone-esque time of set up thats the norm today. I would like to read up more on this.
Marcos M wrote in #note-3:
With the use of interface groups and/or aliases, the same functionality is possible (and more flexible). This is even easier now that #14448 has been implemented. The confusion referenced on the forum link stems from the assumption that "WAN net" means "internet" - this should hopefully be a bit clearer now that the macro description is "WAN subnets".
Hello Marco M:
This is what I am trying to do and so many other people with PFSense. I will list a few examples.
Zone and destinations.
VLANS TO AND FROM
LAN TO WAN
WORKSTATION TO WAN
SERVERS TO WAN
VMHOST TO WAN
MANAGEMENT TO WAN
The ports I allow go to from those zones to Wan do not affect local traffic, only the internet.
Local zone-to-zone traffic
LAN TO SERVERS with limited ports only
WORKSTATION TO SERVERS with limited ports only
MANAGEMENT TO ALL ZONES with limited ports only
We can already do this with about any commercial-grade Firewalls as this has become a known standard among them.
Marcos M wrote in #note-3:
With the use of interface groups and/or aliases, the same functionality is possible (and more flexible). This is even easier now that #14448 has been implemented. The confusion referenced on the forum link stems from the assumption that "WAN net" means "internet" - this should hopefully be a bit clearer now that the macro description is "WAN subnets".
Via the screenshot, we want to control from to network and then just add the rules inside.
Though there's plenty of related documentation and resources already, it'd be helpful to have something for this type of configuration in particular. It may be some time, but I'll try to come up with something.
Marcos M wrote in #note-7:
Though there's plenty of related documentation and resources already, it'd be helpful to have something for this type of configuration in particular. It may be some time, but I'll try to come up with something.
In terms of a UI addition, or documentation specifically for this use-case, or both? I am trying to wrap my head around pfSense's model coming from VyOS' zone firewall and it is difficult to me to know exactly the best approach. Even just a quick pointer in the right direction would be helpful right now. I could see how using floating rules with alias' would be one approach to this, but it feels like that could become a Bad Idea™ pretty quickly.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
