Step 1: Analysis of the OPNsense default configuration

2. In the port rule settings, the WAN interface by default does not allow packets from private addresses on the external network to pass, while the LAN interface by default allows packets from private addresses on the internal network to pass.

[Screenshot: Interfaces > LAN (static IPv4 configuration, address 10.0.0.1, IPv4 Upstream Gateway: None). "Block private networks" is unchecked.] LAN interface: the box is not checked here, indicating that the LAN port allows packets sent from private addresses on the internal network to pass.

[Screenshot: Interfaces > WAN (IPv4 Upstream Gateway: None). "Block private networks" is checked.] WAN interface: the box is checked here, indicating that the WAN port does not allow packets sent from external private addresses to pass.

Help text shown under the option in both screenshots: "When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too."
Step 1: Analysis of the OPNsense default configuration

3. In the firewall rules, the WAN interface by default has no rule configured from outside to inside, i.e. access from outside to inside is not allowed; the LAN interface by default has a rule configured that allows access from the internal network to the external network.

[Screenshot: Firewall: Rules > WAN. The interface-level entries "RFC 1918 networks: Block private networks" and "Reserved/not assigned by IANA: Block bogon networks" are listed, followed by "No rules are currently defined for this interface. All incoming connections on this interface will be blocked until you add pass rules. Click the + button to add a new rule."]

[Screenshot: Firewall: Rules > LAN. Rules listed: "Anti-Lockout Rule", "Default allow LAN to any rule" (source: LAN net), and "Default allow LAN IPv6 to any rule" (IPv6, source: LAN net).]
Step 1: Analysis of the OPNsense default configuration

4. Interface rules (interfaces) take precedence over firewall rules (rules).

[Screenshot: Firewall: Rules > WAN, showing the interface entries "Block private networks" and "Block bogon networks" listed above the user-added rules.]

Under the default configuration, when a firewall rule is added on the WAN port, it is automatically placed below the interface rules (interfaces), and the order cannot be changed. Therefore, if the WAN port is configured with a private address, then even if a firewall rule allowing any to any is added on the WAN port, the WAN port by default does not allow packets from private addresses on the external network to pass, and since the interface rules take precedence, access from the external network to the internal network still cannot be achieved.
The LAN port is different, because its interface rules by default allow packets sent from private addresses on the internal network to pass.
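The precedence described in steps 2 to 4 can be checked with a small model of the evaluation order: the interface option "Block private networks" is consulted before the rule list, and an empty rule list means deny. This is an added example written for this page, not OPNsense code; the evaluation order is a simplified model of the behaviour the text describes (not the pf rules OPNsense generates), and the LAN subnet 192.168.1.0/24 and the public test address 203.0.113.7 are constructed sample values.

```python
# Simplified model of OPNsense interface options being evaluated ahead of the
# user-defined rule list. Added example, not OPNsense code: the order below
# models the behaviour described in the text, not the generated pf ruleset.
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges plus loopback, as listed in the "Block private networks" help text.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Rule:
    action: str            # "pass" or "block"
    source: str = "any"    # "any" or a CIDR string
    dest: str = "any"

@dataclass
class Interface:
    name: str
    block_private: bool    # state of the "Block private networks" checkbox
    rules: list = field(default_factory=list)

def _matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(iface, src, dst):
    """Return 'pass' or 'block' for a packet entering iface from src to dst."""
    src_ip = ipaddress.ip_address(src)
    # 1. Interface options come first and cannot be reordered below the rules.
    if iface.block_private and any(src_ip in net for net in PRIVATE_NETS):
        return "block"
    # 2. Then the rule list, first match wins.
    for rule in iface.rules:
        if _matches(rule.source, src) and _matches(rule.dest, dst):
            return rule.action
    # 3. Nothing matched: incoming connections are blocked until a pass rule exists.
    return "block"

# Constructed sample interfaces mirroring the default configuration in the text.
WAN_DEFAULT = Interface("WAN", block_private=True)                      # no rules
WAN_ANY_TO_ANY = Interface("WAN", block_private=True, rules=[Rule("pass")])
LAN_DEFAULT = Interface("LAN", block_private=False,
                        rules=[Rule("pass", "192.168.1.0/24")])         # "LAN net" to any

if __name__ == "__main__":
    print(evaluate(WAN_DEFAULT, "10.0.0.50", "10.0.0.1"))     # block: no rules
    print(evaluate(WAN_ANY_TO_ANY, "10.0.0.50", "10.0.0.1"))  # block: private source
    print(evaluate(WAN_ANY_TO_ANY, "203.0.113.7", "10.0.0.1"))  # pass: public source
    print(evaluate(LAN_DEFAULT, "192.168.1.20", "8.8.8.8"))   # pass: LAN default allow
```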
Figure 1-7-1

[Screenshot: OPNsense (root@OPNsense.localdomain), Firewall: Rules > WAN. Interface entries "RFC 1918 networks: Block private networks" and "Reserved/not assigned by IANA: Block bogon networks", followed by "No rules are currently defined for this interface. All incoming connections on this interface will be blocked until you add pass rules. Click the + button to add a new rule."]
Figure 1-7-2

[Screenshot: Interfaces > WAN, "Private networks" section with the "Block private networks" and "Block bogon networks" checkboxes. Help text: "When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses (127/8). You should generally leave this option turned on, unless your WAN network lies in such a private address space, too." and "When set, this option blocks traffic from IP addresses that are reserved (but not RFC 1918) or not yet assigned by IANA. Bogons are prefixes that should never appear in the Internet routing table, and obviously should not appear as the source address in any packets you receive. Note: The update frequency can be changed under System-Advanced Firewall/NAT settings."]

When this box is checked, if the external network also uses private addresses, communication from outside to inside is blocked: even if a WAN policy (rules) allowing any to any is added in the firewall module, the external PC still cannot communicate with the WAN port.