Project

General

Profile

Actions

Feature #8140

closed

Feature Request: Zone Firewall between interfaces

Added by David Summers about 7 years ago. Updated over 5 years ago.

Status:
Duplicate
Priority:
Very Low
Assignee:
-
Category:
Web Interface
Target version:
-
Start date:
11/27/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Zone Firewalls are very powerful and solve a lot of the current problems with firewalls using the current non-Zoned firewall on PfSense.

Currently, I have to use other routers (open-source VyOS or other commercial routers) to be able to do zoned firewalls between interfaces.

Currently, it is very difficult to set up firewalls between interfaces and get everything correct and the complexity increases the more interfaces there are.

If this feature were available on PfSense then I could consolidate multiple routers into one.

Of course, it should work the same on IPv4 and IPv6 (hopefully that goes without saying, but I just wanted to be explicit to make sure it was considered).

Actions #1

Updated by Jupiter Vuorikoski over 6 years ago

It is high time to move away from interface-based firewalling and move to zone-based firewalling. Zone-based firewalling is the only sane way forward where routing and functions are consolidated into a single device instead of having a dedicated firewall between each segment. Modern hardware has enough memory and CPU power to handle the traffic for multiple segments and defining rules between logical segments is the only way to keep the rules from getting out of hand and free of configuration errors.

This needs to be implemented yesterday and with a very high priority. While most use-cases are for people who dont even understand why segmentation needs to be done, those who do things correctly suffer from the inability to manage rules in a sane way. The cisco ASA-esque logic shouldve died a painful death a decade ago everywhere.

Actions #2

Updated by Tony Fortes Ramos over 6 years ago

I have to agree with the OP and Jupiter. I really am running agains this limitation with multiple IPv6 addresses per subnet. Especially when one of this is a dynamic prefix assigned by the ISP.

Actions #3

Updated by Jim Pingle over 5 years ago

  • Category set to Web Interface
  • Priority changed from Normal to Very Low
Actions #4

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Duplicate

Duplicate of #4165

Actions

Also available in: Atom PDF