OPNsense Firewall Rules
Since the transition to OPNsense was a bit bumpy for me at the beginning, I have written a summary for those who have had the same experience. I first had to get used to the rule structure of OPNsense, because until then I had only worked with other enterprise firewall vendors.
Rules
In order to understand the rules of the OPNsense firewall, we must first dive a little into the theory. The rule structure follows one basic principle, which is shown schematically here:
We therefore control all access from a source with rules in the "incoming" (in) direction of the interface on which the traffic arrives. This means the decision to block or allow is made at the point where the traffic enters the firewall, not after it has passed through. In special cases we can also control the outgoing traffic. This blog article is mainly about the incoming traffic and how to handle its rules.
Traffic is checked against the configured rules from top to bottom. As soon as a rule matches a device/network, it is applied and, with the default settings, evaluation stops: all rules below the matching rule are ignored! This is very important to know, because otherwise the rules end up in the wrong order, and a rule set that was built with a lot of effort can be rendered ineffective. To visualize the whole thing better, I have created a schematic representation here as well.
The default setting responsible for this behaviour is called "Quick", and of course we can also turn it off per rule.
If we uncheck "Quick" on a rule, evaluation does not stop at that rule: it continues with the rules below it, and the last matching rule decides the action. This lets us move such a rule further down and still have it applied to the particular source. This is very important to know in case we as administrators plan to build a different rule structure, for example one as known from other well-known firewall vendors. In any case, you should always give every rule a description. This will save a lot of time and nerves in later configuration work.
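To make the two evaluation modes concrete, here is an added Python model of the top-to-bottom rule evaluation with and without Quick. It is example code, not OPNsense or pf code; the rule set, addresses and port numbers are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the "in" rules on one OPNsense interface, evaluated top to bottom.
@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    source: str              # source network the packet must come from (CIDR)
    dport: Optional[int]     # destination port, None = any port
    quick: bool = True       # OPNsense default: a matching Quick rule ends evaluation
    description: str = ""    # the description the article recommends for every rule

def matches(rule: Rule, src: str, dport: int) -> bool:
    return ip_address(src) in ip_network(rule.source) and rule.dport in (None, dport)

def evaluate(rules: List[Rule], src: str, dport: int) -> Tuple[str, str]:
    """Return (action, description) of the rule that decides.
    pf semantics as used by OPNsense: the first matching rule with Quick set wins
    immediately; a matching rule without Quick is remembered but evaluation
    continues, so the LAST match decides. No match at all -> default deny."""
    winner = None
    for rule in rules:
        if matches(rule, src, dport):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return "block", "implicit default deny"
    return winner.action, winner.description

# Scenario 1: a broad pass rule on top shadows the specific block rule below it.
ALLOW_LAN = Rule("pass", "192.168.1.0/24", None, True, "Allow LAN to any")
BLOCK_SSH = Rule("block", "192.168.1.50/32", 22, True, "Block printer from SSH")
SHADOWED = [ALLOW_LAN, BLOCK_SSH]

# Scenario 2: same rules, the specific block rule moved above the broad pass rule.
REORDERED = [BLOCK_SSH, ALLOW_LAN]

# Scenario 3: original order kept, but Quick unchecked on the pass rule, so
# evaluation continues and the later block rule is still reached.
NO_QUICK_PASS = [Rule("pass", "192.168.1.0/24", None, False, "Allow LAN (no quick)"), BLOCK_SSH]

if __name__ == "__main__":
    for name, rules in (("shadowed", SHADOWED), ("reordered", REORDERED), ("no quick", NO_QUICK_PASS)):
        print(f"{name:>9}: 192.168.1.50 -> :22 => {evaluate(rules, '192.168.1.50', 22)}")
    print(f" no match: 10.0.0.7 -> :80 => {evaluate(SHADOWED, '10.0.0.7', 80)}")
```

Note that in scenario 3 a packet to port 80 from the same host still passes: the non-quick pass rule is the last (and only) match, which is exactly the "last match decides" behaviour.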
Sources:
- OPNsense Docs: https://docs.opnsense.org/manual/firewall.html