I'm trying to reduce the number of firewall rules for a bigger configuration with multiple networks,
and had the idea to put networks in shared, overlapping zones.
From Single network interface in multiple firewall zones?
and my own experiments I know that I can put a single LAN in exactly one zone only.
When adding an interface to multiple zones like this (stripped to the relevant info)
```
config zone
	option name 'wan'
	list network 'wan'

config zone
	option name 'internet'
	option forward 'REJECT'
	list network 'lan1'
	list network 'lan3'

config zone
	option name 'printer'
	option forward 'ACCEPT'
	list network 'lan1'
	list network 'lan2'

config forwarding
	option src 'internet'
	option dest 'wan'

config forwarding
	option src 'printer'
	option dest 'lan-printer'
```
this will generate an nftables ruleset for forwarding like
```
chain forward {
	[...]
	iifname { "lan1", "lan3", } jump forward_internet
	iifname { "lan1", "lan2", } jump forward_printer
}
chain forward_internet {
	[...] # my internet rules here
	jump reject_to_internet # reject packets and don't return
}
chain forward_printer {
	[...] # my printer rules here
	jump accept_to_printer
}
```
The problem is that traffic from lan1 will be rejected in the forward_internet chain and never reach the forward_printer chain.
The same happens when setting option forward 'ACCEPT': then all rules in the forward_printer chain are bypassed, because the forward_internet chain has already accepted the packets.
My proposal is to add a target 'RETURN' which omits the generation of the jump reject_to_zone or jump accept_to_zone line.
With this change it will be possible to have overlapping zones with an interface being member of multiple zones.
If you already know this, it seems a bit odd that you have put lan1 into two zones. This certainly will not work.
Meanwhile, statements like the one below are not valid unless you have a lan1 zone.
This would allow a zone called lan1 (and the networks contained within that zone) to be forwarded to the internet. However, you cannot use a network name in the forwarding statements like this.
Instead, you can use a traffic rule that references the network and/or hosts by IP address or subnet (and you can include protocol and port numbers, too, if you want to have very granular control).
There are many methods by which you can architect your zones (and which networks are contained within each zone) as well as the more specific/granular allow/deny rules. Can you map out the various allow/deny intents that you have? From there, we can suggest a strategy for zone assignments + additional rules.
Sorry, I made a mistake when editing the example config.
The forwarding is
```
config forwarding
	option src 'internet'
	option dest 'wan'

config forwarding
	option src 'printer'
	option dest 'lan-printer'
```
I edited this in the original post, but nevertheless, the problem is still there.
Sure, it's possible to write rules which fulfill my needs, but they are more complex and hard to maintain.
At least with LuCI I can have only one source and one destination zone per rule.
I can add filters for IP but not for networks. With IPv6 I have the trouble of changing global prefixes I get from the ISP.
Also this will multiply the number of rules by the number of networks.
In my case ~8 rules for >10 networks; when adding or removing a network I have to edit at least 8 rules instead of editing 1 zone.
At the moment I'm generating the firewall config from XML input, but the resulting config has ~2000 lines. With overlapping zones it could be reduced to ~400 lines, with half of them for the zones config.
You can reduce the number of rules by optimizing your threat model.
Networks with similar threats can be assigned to the same zone.
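One way to apply that grouping mechanically, as an added example that is not code from the thread or from OpenWrt: each source network is keyed by the set of destination zones it may reach, networks with an identical set share one zone (so every network is in exactly one zone and nothing overlaps), and forwardings are emitted per zone rather than per network. The sample intent, the generated zone names and the destination zones wan and printer are constructed for this example.

```python
from collections import defaultdict

# Constructed sample intent: source network -> destination zones it may reach.
# The destination zones 'wan' and 'printer' are assumed to be defined elsewhere.
INTENT = {
    "lan1": {"wan", "printer"},
    "lan2": {"wan"},
    "lan3": {"wan", "printer"},
    "lan4": {"printer"},
    "lan5": {"wan"},
    "lan6": set(),  # isolated network: may not forward anywhere
}


def zone_name(dests):
    """Deterministic zone name derived from the policy, e.g. 'to_printer_wan'."""
    return "to_" + "_".join(sorted(dests)) if dests else "isolated"


def group_by_policy(intent):
    """Return {zone: sorted networks}; networks with an identical policy share
    one zone, so each network ends up in exactly one zone and zones never overlap."""
    groups = defaultdict(list)
    for net, dests in intent.items():
        groups[zone_name(dests)].append(net)
    return {z: sorted(nets) for z, nets in groups.items()}


def render_uci(intent):
    """Emit UCI zone stanzas (default REJECT) plus one forwarding per zone/destination."""
    zones = group_by_policy(intent)
    policy_of = {zone_name(d): sorted(d) for d in intent.values()}
    out = []
    for zone in sorted(zones):
        out += ["config zone", f"\toption name '{zone}'", "\toption input 'REJECT'",
                "\toption output 'ACCEPT'", "\toption forward 'REJECT'"]
        out += [f"\tlist network '{n}'" for n in zones[zone]] + [""]
        for dest in policy_of[zone]:
            out += ["config forwarding", f"\toption src '{zone}'",
                    f"\toption dest '{dest}'", ""]
    return "\n".join(out)


def rule_counts(intent):
    """(forwardings needed per network, forwardings needed per zone)."""
    distinct = {frozenset(d) for d in intent.values()}
    return sum(len(d) for d in intent.values()), sum(len(d) for d in distinct)


if __name__ == "__main__":
    print(render_uci(INTENT))
    print("# forwardings per network vs per zone:", rule_counts(INTENT))
```

Adding a network then means adding one `list network` line to the zone whose policy matches, and no forwarding rule needs to change.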