Author Topic: Question on when a rule would trigger (Read 845 times)

Trel · « **on:** July 14, 2016, 11:14:24 am »

I've seen it mention that in a case of

1. Allow Lan subnet->Lan subnet
2. Allow any -> This firewall
3. Block RFC1918
4. Allow Any

Rule #1 should never trigger
I've always included it anyway

Looking at my rules, I see it has fired off a few times. Any idea what specific traffic could trigger it?

kpa · « **Reply #1 on:** July 14, 2016, 11:21:32 am »

Lan traffic that is not destined for the router will never hit it because the hosts on network can talk to each other without first going to the router. The only traffic that will hit it regardless is broadcasts/multicasts.

JasonJoel · « **Reply #2 on:** July 14, 2016, 02:15:46 pm »

Rule 1 will also trigger when connecting to the firewall itself if the traffic is originating from the lan subnet to the firewall ip on that subnet...

johnpoz · « **Reply #3 on:** July 14, 2016, 02:32:24 pm »

Rule 1 is pointless. It would allow access to the pfsense IP in that subnet, but bad way to do it. If you want to allow access to pfsense interface IP in that network then use the lan address drop down. Your this firewall rule allows access to any IP pfsense has be it lan segment or wan.

Are you using the antilock rules? Those would allow access to pfsense on 80,443,22 or other port if using different ones. So your firewall rule would allow for dns. But you really should be more specific if your wanting to get restrictive. so if you want to ping, and dns to pfsense lan IP then that would be the specific rule you would want to use.

Your block rfc rule could be combined with your any any rule on the end and just use a ! rule for your rfc1918. So dest NOT rfc1918 allow - this makes it 1 rule vs having 2.

Trel · « **Reply #4 on:** July 14, 2016, 04:45:14 pm »

Quote from: johnpoz on July 14, 2016, 02:32:24 pm

Rule 1 is pointless. It would allow access to the pfsense IP in that subnet, but bad way to do it. If you want to allow access to pfsense interface IP in that network then use the lan address drop down. Your this firewall rule allows access to any IP pfsense has be it lan segment or wan.

Are you using the antilock rules? Those would allow access to pfsense on 80,443,22 or other port if using different ones. So your firewall rule would allow for dns. But you really should be more specific if your wanting to get restrictive. so if you want to ping, and dns to pfsense lan IP then that would be the specific rule you would want to use.

Your block rfc rule could be combined with your any any rule on the end and just use a ! rule for your rfc1918. So dest NOT rfc1918 allow - this makes it 1 rule vs having 2.

What cases could be causing the rule to trigger in the screenshot I'm attaching.
I get that it's not the perfect way to do it, but I know if I remove it as is in this setup, whatever is triggering it will get blocked by the rule 2 spots below it.

Derelict · « **Reply #5 on:** July 15, 2016, 02:53:04 am »

That rule will match traffic from LAN net to LAN address (which is included in LAN net) as was correctly pointed out already by @JasonJoel.

The rule is pointless unless it is passing traffic to LAN address (or maybe other VIPs on the LAN interface) that you need to be passed.

If you're wondering what the traffic is, enable logging on the rule and watch the logs.

There are no "rare events." Traffic is either same-subnet (not requiring router services) or it's not.

johnpoz · « **Reply #6 on:** July 15, 2016, 05:32:56 am »

"whatever is triggering it will get blocked by the rule 2 spots below it."

That is not how it works, first rule to trigger wins no other rules below that will be evaluated.

Rules are evaluated top down, first 1 that triggers stops further evaluation. Rules need to be ordered in this fashion.

Trel · « **Reply #7 on:** July 16, 2016, 04:08:34 pm »

Quote from: Derelict on July 15, 2016, 02:53:04 am

That rule will match traffic from LAN net to LAN address (which is included in LAN net) as was correctly pointed out already by @JasonJoel.

The rule is pointless unless it is passing traffic to LAN address (or maybe other VIPs on the LAN interface) that you need to be passed.

If you're wondering what the traffic is, enable logging on the rule and watch the logs.

There are no "rare events." Traffic is either same-subnet (not requiring router services) or it's not.

I get that logic, but if it's 100% accurate, it would never have fired at any point because it would be routing by the switch and never touching pfsense.

My hardware setup is Pfsense -- Wire -- Switch -- Everything else.

The only thing on that subnet that isn't on the far end of the switch is pfsense itself.

I get that the rule SHOULDN'T do anything, but as my screenshot shows, there is something hitting it that's matching it.

Perhaps I'm misunderstanding but the way everyone keeps explaining it, it should never fire, but if I look at the state by clicking it, it's showing an IP to a broadcast IP.

So, if that's getting passed, wouldn't removing it cause it to be blocked by the RFC1918 block rule that comes next?

Quote from: johnpoz on July 15, 2016, 05:32:56 am

"whatever is triggering it will get blocked by the rule 2 spots below it."

That is not how it works, first rule to trigger wins no other rules below that will be evaluated.

Rules are evaluated top down, first 1 that triggers stops further evaluation. Rules need to be ordered in this fashion.

I meant if I remove the rule that everyone is saying does nothing.
The rule 2 down blocks all RFC1918 as a destination. So without that pass, whatever is triggering it would be blocked as that block happens prior to the allow any at the bottom.

Derelict · « **Reply #8 on:** July 16, 2016, 05:42:40 pm »

No, you don't get it. A rule with a source of LAN net and a dest of LAN net will match traffic with a source of LAN Net and a dest of LAN address (pfSense itself). Traffic to pfSense itself, aka LAN address has to be passed by firewall rules on pfSense LAN.

Like I said, enable logging on the rule and watch the logs.

Quote

So, if that's getting passed, wouldn't removing it cause it to be blocked by the RFC1918 block rule that comes next?

Yes, if LAN net is included in alias Local Networks.

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

Trel · « **Reply #9 on:** July 16, 2016, 07:50:24 pm »

I do understand and I don't need to turn logging on, I know exactly which scenario would hit that rule

So in that case, since I'm

1. Blocking all RFC1918 traffic on LAN with a generic rule
2. Only have the anti-lockout rule with allows specific ports to the firewall
3. Am running a reverse proxy both inside and out on the firewall (for ports not covered by the anti-lockout rule)

I DO want that LAN to LAN rule to exist then for that traffic.

Because that would not pass without that rule, correct?

Derelict · « **Reply #10 on:** July 16, 2016, 10:42:45 pm »

It would be more correct to have source LAN net dest LAN address. but, in practice, they will pass the same traffic.

I believe that rules should be as narrow as necessary to do the job.

You should know what on your firewall needs to be accessed and have a rule for that. Otherwise not.

Trel · « **Reply #11 on:** July 18, 2016, 12:45:46 pm »

Quote from: Derelict on July 16, 2016, 10:42:45 pm

It would be more correct to have source LAN net dest LAN address. but, in practice, they will pass the same traffic.

I believe that rules should be as narrow as necessary to do the job.

You should know what on your firewall needs to be accessed and have a rule for that. Otherwise not.

Is there a specific reason to include the source in that rule?

Derelict · « **Reply #12 on:** July 18, 2016, 07:43:57 pm »

Only because it's the only legitimate traffic that should be arriving on that interface so why allow illegitimate traffic into your firewall on purpose?

Many, many people specify any there.

johnpoz · « **Reply #13 on:** July 19, 2016, 06:08:33 am »

^ Agreed the only traffic that should be hitting the lan interface is lan network traffic, unless you have downstream router? I like to see the specific network as the source for lan side networks, this tells you there is no downstream networks off this interface. Unless they are natted.

Author Topic: Question on when a rule would trigger (Read 845 times)

Trel

Question on when a rule would trigger

kpa

Re: Question on when a rule would trigger

JasonJoel

Re: Question on when a rule would trigger

johnpoz

Re: Question on when a rule would trigger

Trel

Re: Question on when a rule would trigger

Derelict

Re: Question on when a rule would trigger

johnpoz

Re: Question on when a rule would trigger

Trel

Re: Question on when a rule would trigger

Derelict

Re: Question on when a rule would trigger

Trel

Re: Question on when a rule would trigger

Derelict

Re: Question on when a rule would trigger

Trel

Re: Question on when a rule would trigger

Derelict

Re: Question on when a rule would trigger

johnpoz

Re: Question on when a rule would trigger