Home Network Guy Forum

Home Network Guy Website => How-to Discussions => Topic started by: Tanduvil on April 03, 2022, 02:57:28 PM

Title: Questions regarding Basic DMZ How-to
Post by: Tanduvil on April 03, 2022, 02:57:28 PM
Hello,

I have two questions regarding this article: https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense

First of all: what a great article, thanks so much for all your time and effort!

Regarding the second DNS-Block-Rule for Rogue users, if the destination of the "Allow DNS" Rule would be "This Firewall" instead of DMZ Address - would the DNS block rule then be obsolete?

Second question: For blocking the private networks, would it be possible to switch it, meaning creating a block rule for the private networks without the destination/invert? Or would it have a different impact?

Again, thanks so much!
Greetings from Germany :)

Chris

Title: Re: Questions regarding Basic DMZ How-to
Post by: Home Network Guy on April 03, 2022, 04:37:37 PM
Greetings! Germany is my second largest source of visitors!

Thanks for the compliments. I'm glad you found the information useful. It definitely takes time to produce the content. As for your questions:

1. The second rule is used to block all unencrypted DNS requests on port 53 -- both internally and externally. Since access to other networks should typically be restricted already (so you couldn't use DNS servers on other parts of your network unless you specifically allowed it), the second rule is more useful to block requests to external servers such as 8.8.8.8. The first rule is placed before the second rule so that you do not block your only allowed local DNS server (which is often the IP address of the network interface where the device resides). By default Unbound DNS listens on all interfaces so a network with the network address range of 192.168.30.1-192.168.30.254 will have the DNS server address of 192.168.30.1, which is the interface address.

2. I actually used to do just as you have suggested -- block the private networks without using an allow rule which has destination invert checked, but I also had a rule below the block rule to "allow all" so that access to the Internet would work properly. If you block private networks, you have to allow "all other" traffic which requires an allow all rule at the bottom of your rules. I saw examples of these 2 rules in a few places online so I used that for a while, but then once I learned more about firewall rules and saw some examples, I realized that you can combine those 2 rules into a single rule which is more elegant. Instead of "block private networks, allow all other networks (to allow Internet)", the rule in the DMZ guide essentially says "allow access to any network that is not a private network (which is the public Internet addresses").

When you have several local networks, it's easier to block all of the private networks and then add a rule above that to allow access to a specific service like DNS because you are less likely to forget to update a list of networks to block if you decide to add another network. It is a bit of a safeguard since it will keep everything appropriately isolated. If you want to open access, you have to be intentional with the firewall updates (it's better to block by default than accidentally leave a hole in your firewall that may go unnoticed until it is exploited).

I hope these explanations help clarify the reason for those firewall rules.
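To make both answers concrete, here is a small first-match rule simulator added to this thread as an illustration; it is not code from the article, from OPNsense, or from either poster. It models the DMZ rule set as the reply describes it (allow DNS to the DMZ interface address, block all other port 53 traffic, allow everything whose destination is not a private network) and checks two things against a hand-built list of test packets: that dropping the DNS block rule would let queries to 8.8.8.8 through via the Internet allow rule, so the block rule is not obsolete, and that the single "invert destination" rule makes the same decisions as the older "block private networks, then allow all" pair. The DMZ address 192.168.30.1 is taken from the reply; the other packet addresses are constructed for the test.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 1918 private ranges; this is what the guide's "private networks" alias holds.
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
DMZ_ADDRESS = "192.168.30.1"  # DMZ interface address from the reply (Unbound listens here)


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    dst: Tuple[str, ...] = ()   # destination networks (CIDR); empty tuple means "any"
    port: Optional[int] = None  # destination port; None means "any"
    invert_dst: bool = False    # the "Destination / Invert" checkbox in OPNsense
    label: str = ""

    def matches(self, dst_ip: str, port: int) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        in_dst = True if not self.dst else any(ip in ipaddress.ip_network(n) for n in self.dst)
        if self.invert_dst:
            in_dst = not in_dst
        return in_dst and (self.port is None or self.port == port)


def evaluate(rules, dst_ip: str, port: int) -> Tuple[str, str]:
    """First matching rule wins (OPNsense 'quick' rules); nothing matched means default deny."""
    for rule in rules:
        if rule.matches(dst_ip, port):
            return rule.action, rule.label
    return "block", "default deny"


# Rule set as described in the reply: DNS allow first, then DNS block, then Internet-only allow.
GUIDE_RULES = (
    Rule("pass", (DMZ_ADDRESS + "/32",), 53, label="Allow DNS to DMZ address"),
    Rule("block", (), 53, label="Block all other DNS"),
    Rule("pass", PRIVATE_NETS, None, invert_dst=True, label="Allow to non-private (Internet)"),
)

# The older two-rule form the reply mentions: block private destinations, then allow all.
TWO_RULE_VARIANT = (
    Rule("pass", (DMZ_ADDRESS + "/32",), 53, label="Allow DNS to DMZ address"),
    Rule("block", (), 53, label="Block all other DNS"),
    Rule("block", PRIVATE_NETS, None, label="Block private networks"),
    Rule("pass", (), None, label="Allow all"),
)

# Question 1's hypothetical: keep the DNS allow rule but drop the DNS block rule.
WITHOUT_DNS_BLOCK = (
    Rule("pass", (DMZ_ADDRESS + "/32",), 53, label="Allow DNS to DMZ address"),
    Rule("pass", PRIVATE_NETS, None, invert_dst=True, label="Allow to non-private (Internet)"),
)

# Constructed test packets (destination, port); not captured traffic.
SAMPLE_PACKETS = (
    (DMZ_ADDRESS, 53),        # local resolver on the DMZ interface
    ("8.8.8.8", 53),          # external DNS server named in the reply
    ("192.168.10.5", 53),     # resolver on another internal network
    ("192.168.10.5", 443),    # web service on another internal network
    ("172.16.5.5", 22),       # SSH into a different private range
    ("203.0.113.10", 443),    # public Internet address (TEST-NET-3, constructed)
)


def same_decisions(rules_a, rules_b, packets=SAMPLE_PACKETS) -> bool:
    """True when both rule sets pass/block every sample packet identically."""
    return all(evaluate(rules_a, ip, p)[0] == evaluate(rules_b, ip, p)[0] for ip, p in packets)


if __name__ == "__main__":
    for name, rules in (("guide", GUIDE_RULES), ("two-rule", TWO_RULE_VARIANT), ("no DNS block", WITHOUT_DNS_BLOCK)):
        print(f"--- {name} ---")
        for ip, port in SAMPLE_PACKETS:
            action, label = evaluate(rules, ip, port)
            print(f"{ip:>15}:{port:<4} {action:<5} ({label})")
    print("invert rule == block-private + allow-all:", same_decisions(GUIDE_RULES, TWO_RULE_VARIANT))
```

Running it shows 8.8.8.8:53 blocked by the guide's rules but passed once the DNS block rule is removed, which is the reply's point about external resolvers, and it reports the single inverted allow rule and the block-private/allow-all pair as making identical decisions for every sample packet.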