pfSense Forum » pfSense English Support » Firewalling » Which direction do rules apply to? incoming or outgoing.. both?
Topic: Which direction do rules apply to? incoming or outgoing.. both? (Read 1481 times)
thorrr (Newbie, Posts: 4)
Which direction do rules apply to? incoming or outgoing.. both? (on: February 03, 2012, 05:16:55 pm)
I am trying to wrap my head around the way firewall rules are applied, but I am getting really confused.
According to:
http://doc.pfsense.org/index.php/Example_basic_configuration#Example_of_a_basic_lock_down_of_the_LAN_and_DMZ_out_going_rules
"Always remember that rules are matched on the INCOMING Interface."
But then they go on to add rules for outgoing LAN.
I was trying to get my 2 subnets talking to each other, and it only seemed to work when I added a LAN rule --> source LAN, dest opt1, and a rule on opt1 --> source opt1, dest LAN.
To me this is saying that the rules are applying to outgoing traffic.
If someone could take a few seconds to set me straight I would appreciate it. Thanks!
ericab (Full Member, Posts: 198)
Re: Which direction do rules apply to? incoming or outgoing.. both? (Reply #1 on: February 03, 2012, 06:09:07 pm)
The rules apply to both incoming and outgoing traffic depending on what you set as the source and/or destination.
Since you have 2 subnetted networks, you've divided a single network into two or more similar, but different networks. In this case this is why you *do* need rules to allow incoming and outgoing traffic on each interface to allow communication between the two, otherwise it will be blocked, since the default behavior on each interface is to drop packets that aren't otherwise specifically allowed with rules.
Traffic that originated from /and/ is destined to a client within the same subnet is passed, as long as there isn't a rule on that interface that specifically prohibits communication, and as long as the client's own firewall (if applicable) allows it as well.
mdpugh (Jr. Member, Posts: 89)
Re: Which direction do rules apply to? incoming or outgoing.. both? (Reply #2 on: February 03, 2012, 10:22:32 pm)
Are you sure about this? I wondered about outgoing traffic myself. I think it's passed by default. Otherwise, I'd need a rule to let LAN traffic out to the Internet and I don't. When I wanted to preclude the possibility of crosstalk on disparate LANs (henceforth, LAN means LAN *and* OPTs), but still let traffic through to the WAN, I had to use an allow rule on the LAN interfaces (plural) that passed all incoming traffic except that bound for the LANs (the allow is necessary since incoming traffic is blocked by default). Blocking outgoing traffic on LAN interfaces with LAN source addresses did not work (but I may have done something wrong).
In answer to thorrr's original question, a rule on the LAN interface that affects packets with LAN source addresses and other-than-LAN destination addresses is an inbound rule (likewise on any interface). The traffic comes from the LAN, is allowed through (or blocked) at the LAN interface by the rule, and then, if passed, sent on the next hop to its destination. Theoretically, it could be passed or blocked at the outgoing interface as well. In this case, a rule on the interface for Network X that affects packets bound for Network X and originating from other-than-Network X is an outbound rule (traffic comes from wherever and must pass through the interface en route to Network X). For whatever reason, I could never get this to work.
A point of clarification: here, *inbound* (incoming) means *entering* [*outbound* (outgoing) means *leaving*] the pfSense router/firewall on *any* interface. Do not confuse this with entering or leaving the local area network(s) in general.
mdpugh (Jr. Member, Posts: 89)
Re: Which direction do rules apply to? incoming or outgoing.. both? (Reply #3 on: February 03, 2012, 10:35:09 pm)
I knew I'd read this somewhere. According to section 6.5 of The Book, outbound traffic (*on an interface*) is *not* filtered. I don't know whether this changed in 2.0...
mdpugh (Jr. Member, Posts: 89)
Re: Which direction do rules apply to? incoming or outgoing.. both? (Reply #4 on: February 04, 2012, 03:51:27 pm)
Actually, floating rules--new to 2.0--appear to be bidirectional.
KurianOfBorg (Newbie, Posts: 17)
Re: Which direction do rules apply to? incoming or outgoing.. both? (Reply #5 on: May 16, 2012, 10:47:06 am)
The interface rules only apply to packets physically entering the firewall on that interface. If you have a rule on LAN1 allowing "Any to Any" then clients on LAN1 can browse the internet. You do NOT need any rules on WAN (since the packets originated from within the firewall itself after routing and did not physically enter the WAN interface). However, if you create a floating rule on WAN, it will process the packets from LAN1 as they leave WAN for the internet. An interface rule on WAN will not process any internet-bound packets from LAN1 even if you set the source address to LAN1.
In a nutshell, all incoming is blocked by default and all outgoing is allowed by default. By default, it will only appear to LAN clients that outbound is blocked, whereas in reality their packets are being blocked from entering the firewall. In this state, if you use the firewall's physical console, you will still be able to access the internet through WAN without any rules, since firewall traffic doesn't originate on a physical interface.
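The behaviour the thread converges on (interface rules see only packets entering on that interface, default deny inbound, no interface filtering on the way out, floating rules able to match the "out" direction, and a pass creating state so replies need no rule of their own) can be checked against a small model. This is an added illustration, not pfSense or pf code; it assumes first-match evaluation (pfSense's "quick" rules), floating states, and constructed addresses.

```python
# Toy model of pfSense/pf rule direction (added example, not pfSense code).
# Assumptions: first match wins, states are not bound to an interface,
# interface rules are always evaluated on the "in" direction only.
from ipaddress import ip_address, ip_network

LAN, OPT1, ANY = "192.168.1.0/24", "192.168.2.0/24", "0.0.0.0/0"  # constructed

def rule(action, src, dst, iface=None, direction="in"):
    # iface=None marks a floating rule; an interface rule is implicitly "in".
    return {"action": action, "src": ip_network(src), "dst": ip_network(dst),
            "iface": iface, "direction": direction}

class Firewall:
    def __init__(self, rules):
        self.rules = rules          # floating rules listed before interface rules
        self.states = set()         # (src, dst) of flows that were passed

    def filter(self, iface, direction, src, dst):
        """Return 'pass' or 'block' for one packet seen on iface going in/out."""
        s, d = ip_address(src), ip_address(dst)
        if (s, d) in self.states or (d, s) in self.states:
            return "pass"           # stateful: the reply rides the existing state
        for r in self.rules:
            if r["direction"] != direction:
                continue
            if r["iface"] is not None and (r["iface"] != iface or direction != "in"):
                continue            # interface rules only see packets entering on it
            if s in r["src"] and d in r["dst"]:
                if r["action"] == "pass" and direction == "in":
                    self.states.add((s, d))
                return r["action"]
        return "pass" if direction == "out" else "block"   # defaults

def lan_to_opt1():
    """A single LAN rule suffices for a connection that starts on LAN."""
    fw = Firewall([rule("pass", LAN, OPT1, iface="lan")])
    enter = fw.filter("lan", "in", "192.168.1.10", "192.168.2.20")
    leave = fw.filter("opt1", "out", "192.168.1.10", "192.168.2.20")
    reply = fw.filter("opt1", "in", "192.168.2.20", "192.168.1.10")
    return enter, leave, reply      # ('pass', 'pass', 'pass')

def opt1_initiated():
    """A connection started from OPT1 is dropped until OPT1 has its own rule."""
    fw = Firewall([rule("pass", LAN, OPT1, iface="lan")])
    return fw.filter("opt1", "in", "192.168.2.20", "192.168.1.10")   # 'block'

def firewall_own_traffic():
    """Traffic from the firewall itself never enters an interface: a WAN
    interface rule cannot touch it, a floating 'out' rule can."""
    pkt = ("wan", "out", "198.51.100.2", "203.0.113.5")   # constructed addresses
    iface_only = Firewall([rule("block", ANY, ANY, iface="wan")])
    floating = Firewall([rule("block", ANY, ANY, direction="out")])
    return iface_only.filter(*pkt), floating.filter(*pkt)   # ('pass', 'block')
```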