freedomofpress / securedrop-docs

Documentation for the SecureDrop project
https://docs.securedrop.org/

Redundant/incorrect entries in OPNSense Admin network firewall rules #519

Closed torinthiel closed 8 months ago

torinthiel commented 10 months ago

Expected behavior

Firewall rules are not redundant and as tight as possible.

Actual behavior

Current instructions for setting up OPNSense's LAN firewall rules specify two rules: the first enables SSH to both the app and mon machines, and the second is a blanket allow from admin_machine to everywhere, labelled 'Tor from Tails'.

Given that the second rule applies to all traffic, it is a superset of the first rule, and the first rule is not needed. Also, it's too broad: Tor traffic would only go to the LAN port, not to all interfaces.

Therefore I'd suggest either removing the unnecessary first rule, or narrowing down the second rule to only allow traffic to the LAN port. The second option, while preferred, might require either adding port 443 to the first rule or adding a second rule allowing 443 traffic to local_machines.

Additional information

The fact that the firewall rules for OPT1 and OPT2 specifically disallow inter-zone traffic seems to support tightening down the rules as suggested above.
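
The containment argument in the comment above (one rule's match set is a subset of another's) can be checked mechanically rather than by eye. The following is an added example, not code from the SecureDrop project or from the issue author: it models pass rules on a single interface with source/destination aliases, protocol and destination ports, reports rules whose match set is fully contained in another rule's, and shows which packets a rule stops matching once its destination is narrowed from "any" to the LAN network. The addresses, rule names and the LAN subnet are placeholders chosen for the example, and it assumes all rules are pass rules on the same interface, so rule order does not affect the containment question.

```python
"""Containment check for a small set of firewall pass rules.

Added example; the addresses, names and rule set are constructed placeholders
that mirror the two-rule shape discussed in the issue (one narrow SSH rule and
one broad "allow everything from the admin workstation" rule).
Assumption: every rule is a pass rule on the same interface, so ordering is
irrelevant for the question "is rule A entirely contained in rule B?".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network
ANY_PORTS = range(0, 65536)


def nets(*addrs: str) -> Tuple[Net, ...]:
    """Build an alias (tuple of networks) from host or CIDR strings."""
    return tuple(ipaddress.ip_network(a) for a in addrs)


@dataclass(frozen=True)
class Rule:
    name: str
    srcs: Tuple[Net, ...]   # source alias
    dsts: Tuple[Net, ...]   # destination alias
    proto: str              # "tcp", "udp" or "any"
    dports: range           # destination ports; ANY_PORTS if unrestricted


def _nets_covered(inner: Tuple[Net, ...], outer: Tuple[Net, ...]) -> bool:
    # Conservative: each inner network must fit inside a single outer network.
    # (A network split across several outer networks is reported as not covered.)
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if not _nets_covered(inner.srcs, outer.srcs):
        return False
    if not _nets_covered(inner.dsts, outer.dsts):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    return (outer.dports.start <= inner.dports.start
            and inner.dports.stop <= outer.dports.stop)


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """Would a single packet (src, dst, proto, dport) be matched by `rule`?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in rule.srcs)
            and any(d in n for n in rule.dsts)
            and rule.proto in ("any", proto)
            and dport in rule.dports)


def redundant_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (contained_rule, containing_rule) name pairs among pass rules."""
    found = []
    for a in rules:
        for b in rules:
            if a is not b and covers(b, a):
                found.append((a.name, b.name))
    return found


# Constructed placeholders (not SecureDrop's documented addresses).
ADMIN = nets("10.20.1.10")                    # hypothetical admin workstation
SERVERS = nets("10.20.1.20", "10.20.1.30")    # hypothetical app and mon hosts
LAN_NET = nets("10.20.1.0/24")                # hypothetical LAN network

SSH_RULE = Rule("SSH to app and mon", ADMIN, SERVERS, "tcp", range(22, 23))
BROAD_RULE = Rule("Tor from Tails (dst any)", ADMIN, nets("0.0.0.0/0"), "any", ANY_PORTS)
NARROW_RULE = Rule("Tor from Tails (dst LAN net)", ADMIN, LAN_NET, "any", ANY_PORTS)


if __name__ == "__main__":
    print("contained rules:", redundant_rules([SSH_RULE, BROAD_RULE]))
    # Narrowing the destination to the LAN network keeps the SSH rule contained
    # but stops matching traffic bound for an Internet address such as 198.51.100.7.
    print("narrowed still covers SSH rule:", covers(NARROW_RULE, SSH_RULE))
    print("broad matches Internet 443:", matches(BROAD_RULE, "10.20.1.10", "198.51.100.7", "tcp", 443))
    print("narrow matches Internet 443:", matches(NARROW_RULE, "10.20.1.10", "198.51.100.7", "tcp", 443))
```

Run it with `python3 rulecheck.py`; `redundant_rules` lists the SSH rule as contained in the broad rule, and the `matches` calls make visible exactly which packets a narrowed destination stops matching, which is the check worth doing before replacing a "destination: any" rule with a "destination: LAN net" one.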

cfm commented 8 months ago

Thanks for raising this, @torinthiel. I believe the OPNSense rules you've highlighted here are consistent with the following abstract rules we suggest for any firewall platform:

https://github.com/freedomofpress/securedrop-docs/blob/aac343c1ec6ea8ee99cf7a7c543771d67b6f2414/docs/admin/installation/network_firewall.rst?plain=1#L72-L73

You're right that the first is a subset of the second, but that's deliberate, so that the different conceptual requirements of SecureDrop's firewall configuration are apparent to administrators.

If you think we can make this clearer, in either the abstract or the OPNSense-specific firewall, we'd of course welcome a pull request with those changes.