Feature #8140
closed
Feature Request: Zone Firewall between interfaces
Added by David Summers almost 7 years ago.
Updated over 5 years ago.
Description
Zone firewalls are very powerful and solve a lot of the current problems with firewalls that come from using the current non-zoned firewall on pfSense.
Currently, I have to use other routers (open-source VyOS or other commercial routers) to be able to do zoned firewalls between interfaces.
Currently, it is very difficult to set up firewalls between interfaces and get everything correct, and the complexity increases the more interfaces there are.
If this feature were available on pfSense then I could consolidate multiple routers into one.
Of course, it should work the same on IPv4 and IPv6 (hopefully that goes without saying, but I just wanted to be explicit to make sure it was considered).
It is high time to move away from interface-based firewalling and move to zone-based firewalling. Zone-based firewalling is the only sane way forward where routing and functions are consolidated into a single device instead of having a dedicated firewall between each segment. Modern hardware has enough memory and CPU power to handle the traffic for multiple segments and defining rules between logical segments is the only way to keep the rules from getting out of hand and free of configuration errors.
This needs to be implemented yesterday and with a very high priority. While most use-cases are for people who don't even understand why segmentation needs to be done, those who do things correctly suffer from the inability to manage rules in a sane way. The Cisco ASA-esque logic should've died a painful death a decade ago everywhere.
I have to agree with the OP and Jupiter. I really am running against this limitation with multiple IPv6 addresses per subnet, especially when one of these is a dynamic prefix assigned by the ISP.
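To make concrete what the thread is asking for, here is an added example (not pfSense code, and not the rule syntax pfSense itself generates) that compiles a zone-pair policy into the ordered, per-interface rules an interface-based firewall needs. The zone names, interface names, documentation prefixes and the allowed services are constructed sample input. It shows the two things the posts above argue: a four-zone policy with four allowed pairs already expands to twenty-one interface rules, including the explicit "block to the other internal zones before pass to any" rules that are easy to forget by hand, and IPv4 and IPv6 prefixes are handled the same way.

```python
"""Compile a zone-pair policy into ordered, per-interface pf-style rules.
Added example with constructed zones, interfaces, prefixes and services;
not pfSense code or output."""
import ipaddress
from dataclasses import dataclass

INTERNET = "WAN"  # the zone whose address space is "everything not in another zone"

# zone -> {ingress interface: [prefixes]}; an empty list means "any" (constructed).
ZONES = {
    "WAN": {"em0": []},
    "LAN": {"em1": ["192.0.2.0/24", "2001:db8:1::/64"]},
    "DMZ": {"em2": ["198.51.100.0/24", "2001:db8:2::/64"]},
    "IOT": {"em3": ["203.0.113.0/24", "2001:db8:3::/64"]},
}
# (source zone, destination zone) -> allowed (proto, port); unlisted pairs are denied.
POLICY = {
    ("LAN", "WAN"): [("any", None)],
    ("LAN", "DMZ"): [("tcp", 443), ("tcp", 22)],
    ("IOT", "WAN"): [("tcp", 443), ("udp", 123)],
    ("WAN", "DMZ"): [("tcp", 443)],
}

@dataclass
class Rule:
    action: str   # "pass" or "block"
    iface: str    # ingress interface, or None for every interface
    af: str       # "inet" / "inet6", or None for either family
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: int     # destination port, or None
    quick: bool = True  # pf semantics: the first matching quick rule decides

    def render(self):
        if self.iface is None:
            return "block in log all"
        text = f"{self.action} in quick on {self.iface} {self.af}"
        text += f" proto {self.proto}" if self.proto != "any" else ""
        text += f" from {self.src} to {self.dst}"
        text += f" port {self.port}" if self.port is not None else ""
        return text + " keep state"

    def matches(self, iface, proto, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        af = "inet6" if s.version == 6 else "inet"
        return (self.iface in (None, iface) and self.af in (None, af)
                and self.proto in ("any", proto)
                and (self.src == "any" or s in ipaddress.ip_network(self.src))
                and (self.dst == "any" or d in ipaddress.ip_network(self.dst))
                and (self.port is None or self.port == dport))

def nets_of(zones, zone):
    return [n for nets in zones[zone].values() for n in nets]

def same_family(srcs, dsts):
    # Pair prefixes of one address family; "any" takes the family of the other side.
    for s in srcs:
        for d in dsts:
            fixed = [n for n in (s, d) if n != "any"]
            versions = {ipaddress.ip_network(n).version for n in fixed}
            if len(versions) == 1:
                yield s, d, ("inet6" if versions.pop() == 6 else "inet")

def compile_rules(zones=ZONES, policy=POLICY):
    rules = [Rule("block", None, None, "any", "any", "any", None, quick=False)]
    internal = [z for z in zones if z != INTERNET]
    # Specific zone pairs first, Internet-bound pairs last: their "to any"
    # destination would otherwise match traffic headed for another internal zone.
    for (src, dst), services in sorted(policy.items(), key=lambda kv: kv[0][1] == INTERNET):
        for iface, snets in zones[src].items():
            srcs = snets or ["any"]
            if dst == INTERNET:
                # Explicitly drop traffic to every other internal zone before "pass to any".
                for other in internal:
                    if other != src:
                        for s, d, af in same_family(srcs, nets_of(zones, other)):
                            rules.append(Rule("block", iface, af, "any", s, d, None))
            for proto, port in services:
                for s, d, af in same_family(srcs, nets_of(zones, dst) or ["any"]):
                    rules.append(Rule("pass", iface, af, proto, s, d, port))
    return rules

def decide(rules, iface, proto, src, dst, dport=None):
    # pf evaluation: last matching rule wins, unless a matching quick rule ends it.
    verdict = "block"
    for r in rules:
        if r.matches(iface, proto, src, dst, dport):
            if r.quick:
                return r.action
            verdict = r.action
    return verdict

if __name__ == "__main__":
    for r in compile_rules():
        print(r.render())
```

Running the module prints the expanded rule set; `decide()` replays a packet against it so the ordering can be checked (LAN to DMZ on 443 passes, LAN to IOT is dropped by the block that precedes the Internet "pass to any" rule, and an unlisted pair such as IOT to DMZ falls through to the default deny). Adding a fifth zone with Internet access adds another row of block rules on every existing Internet-facing interface, which is the growth the posts above complain about when it has to be maintained by hand.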
- Category set to Web Interface
- Priority changed from Normal to Very Low
- Status changed from New to Duplicate