
Topic: [SOLVED] Curious Floating Rules Behavior


Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #15 on: November 22, 2017, 05:40:45 am »
Quote
The reason the packets are dropped in the first two examples is because your floating rule catches the traffic (actually the state creation) as it leaves the LAN interface OUTBOUND.


Cannot possibly be correct because the packet didn't "leave" the LAN at all - that was the whole point of the test. They "left" the OPT1 and matched the floating rule because it was OUTside relative to the interface.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9214
  • Karma: +1048/-308
Re: Curious Floating Rules Behavior
« Reply #16 on: November 22, 2017, 05:43:01 am »
Of course they didn't leave LAN. They were blocked by the firewall so the state was never created.

Let's get some terminology clear:


inside/outside

LAN/Trusted --- inside --- FIREWALL --- outside --- Internet/Untrusted



inbound (ingress) / outbound (egress)

inbound  --->|
             | Interface
outbound <---|
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #17 on: November 22, 2017, 05:49:46 am »
Quote
Of course they didn't leave LAN. They were blocked by the firewall so the state was never created.

Let's get some terminology clear:


inside/outside

LAN/Trusted --- inside --- FIREWALL --- outside --- Internet/Untrusted



inbound (ingress) / outbound (egress)

inbound  --->|
             | Interface
outbound <---|


The drawing posted by johnpoz is spot on. However, it seems you guys both believe that "OUT" means "OUTbound" (or egress). "OUT" is the direction of packets relative to the interface; it is not "egress" at all. So in my case, packets sent from the Raspberry Pi were OUTside relative to the LAN.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9214
  • Karma: +1048/-308
Re: Curious Floating Rules Behavior
« Reply #18 on: November 22, 2017, 05:56:01 am »
OUTSIDE is a location
OUTBOUND is a direction

Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #19 on: November 22, 2017, 05:58:34 am »
Quote
OUTSIDE is a location
OUTBOUND is a direction

Whatever the case, "OUT" is neither egress traffic nor is it "OUTbound" traffic. It is traffic that is relative to the interface that's been selected. I agree with johnpoz's drawing 100%.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9214
  • Karma: +1048/-308
Re: Curious Floating Rules Behavior
« Reply #20 on: November 22, 2017, 06:03:55 am »
Exactly. You seem to confuse ingress/egress with inside/outside. That is only true when you are talking about the WAN interfaces.

Traffic from LAN hosts INGRESSES the firewall on its way INBOUND into the LAN interface. Reply traffic for those connections EGRESSES the LAN interface on its way back OUTBOUND to the LAN hosts - relative to the LAN interface.

The only problem here is your failure to properly comprehend these terms in English as they relate to common usage when describing firewall behavior.

There is nothing at all curious about the floating rule behavior you have described.

Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #21 on: November 22, 2017, 06:19:02 am »
Quote
Exactly. You seem to confuse ingress/egress with inside/outside. That is only true when you are talking about the WAN interfaces.

The drawings and tests I performed are 100% on. The confusion regarding IN, OUT, ANY direction is because of people citing OUT as OUTbound/egress traffic when it is not.

Quote
Traffic from LAN hosts INGRESSES the firewall on its way INBOUND into the LAN interface.

Agree 100%

Quote
Reply traffic for those connections EGRESSES the LAN interface on its way back OUTBOUND to the LAN hosts - relative to the LAN interface.

Test #2 was the complete opposite and, while I agree with your use of terms, the "EGRESS" traffic you're referring to has nothing to do with the OUT direction.

Quote
The only problem here is your failure to properly comprehend these terms in English as they relate to common usage when describing firewall behavior.

This is as backwards as the terms being discussed. EGRESS has nothing to do with OUT under floating rules.

Quote
There is nothing at all curious about the floating rule behavior you have described.

I didn't...

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9214
  • Karma: +1048/-308
Re: Curious Floating Rules Behavior
« Reply #22 on: November 22, 2017, 06:23:54 am »
Quote
The drawings and tests I performed are 100% on. The confusion regarding IN, OUT, ANY direction is because of people citing OUT as OUTbound/egress traffic when it is not.
Yes it is, relative to the interface. That is why you select an INTERFACE and a DIRECTION RELATIVE TO THAT INTERFACE.

Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #23 on: November 22, 2017, 06:31:12 am »
Quote
The drawings and tests I performed are 100% on. The confusion regarding IN, OUT, ANY direction is because of people citing OUT as OUTbound/egress traffic when it is not.
Yes it is, relative to the interface. That is why you select an INTERFACE and a DIRECTION RELATIVE TO THAT INTERFACE.

OUT is not "egress/outbound" traffic. Think about what you're saying above. If you agree with me that OUT, IN, ANY are DIRECTION(s) RELATIVE TO an INTERFACE selected, then you cannot possibly say that "OUT" is egress or outbound without contradicting yourself. "OUT" is not outbound traffic.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9214
  • Karma: +1048/-308
Re: Curious Floating Rules Behavior
« Reply #24 on: November 22, 2017, 06:38:44 am »
I am done. Someone else's turn.

Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #25 on: November 22, 2017, 06:44:13 am »
Quote
I am done. Someone else's turn.

I think you have finally seen the difference and might be too proud to admit it. Don't beat yourself up, because I confused "OUT" as being associated with OUTbound/egress for years until I finally sat down and went through those tests I posted. I see you and johnpoz have many postings in these forums and it's great to have people actively helping one another. Don't get flustered. And don't be too proud to admit you might have learned something new in this discussion.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9214
  • Karma: +1048/-308
Re: Curious Floating Rules Behavior
« Reply #26 on: November 22, 2017, 06:49:39 am »
Sigh.

Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #27 on: November 22, 2017, 06:52:22 am »

Offline Kryptos1

  • Jr. Member
  • Posts: 30
  • Karma: +2/-0
Re: Curious Floating Rules Behavior
« Reply #28 on: November 22, 2017, 07:00:17 am »
Quote
Sigh.

Lots of people have holes in their firewall configs for the very reasons being discussed here. "OUT" is the direction of packets relative to the interface.
« Last Edit: November 24, 2017, 06:10:54 am by Kryptos1 »

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9214
  • Karma: +1048/-308
Re: Curious Floating Rules Behavior
« Reply #29 on: November 22, 2017, 07:07:08 am »
Now you seem to be equating "egress" with "traveling from the inside to the outside. From the trusted to the untrusted. From the LAN to the WAN/Internet."

That is not it at all. "ingress" is "INto an interface." WAN or LAN, inside or outside, doesn't matter. It is traffic received by an interface coming into (aka ingressing) the firewall.

"egress" is "OUT of an interface." WAN or LAN, inside or outside, doesn't matter. It is traffic transmitted by an interface going out of (aka egressing) the firewall.

Look at this again - Really, honestly look at it:


inside/outside

LAN/Trusted --- inside --- FIREWALL --- outside --- Internet/Untrusted



inbound (ingress) / outbound (egress)

inbound  --->|
             | Interface
outbound <---|


You insist on using nonstandard terms. I have been trying to get on the same terminology for several posts.

No, I don't need your money. I know I am correct. Use it to buy a dictionary.
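The terminology posts above (Reply #16 and Reply #29) hinge on one rule: a floating rule is bound to an interface, and its direction is read relative to that interface, not relative to the LAN/WAN "inside/outside" split. The following model, added here as an illustration and not taken from pfSense or pf source code, makes that concrete. It treats a forwarded packet as being evaluated twice, once as "in" on the interface that received it and once as "out" on the interface that transmits it, and checks which interface/direction pairs a rule applies to. The interface names, addresses and the single block rule are constructed for the example; the model ignores pf's state table, so it only shows where a rule bound to an interface and direction can be consulted, not the full pass/block outcome once a state exists.

```python
# Added illustration of pf direction semantics as described in this thread.
# Not pfSense or pf source code; interface names, addresses and the rule are
# constructed for the example. State handling is deliberately left out.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    """First packet of a connection as the firewall forwards it."""
    src: str
    dst: str
    ingress_if: str  # interface the firewall RECEIVED the packet on
    egress_if: str   # interface the firewall will SEND the packet out of


@dataclass(frozen=True)
class FloatingRule:
    action: str     # "pass" or "block"
    interface: str  # interface the rule is bound to
    direction: str  # "in", "out" or "any", relative to that interface


def evaluation_points(pkt: Packet) -> List[Tuple[str, str]]:
    """Where a forwarded packet is evaluated: once as it enters the firewall
    through the ingress interface ("in" on that interface) and once as it
    leaves through the egress interface ("out" on that interface)."""
    return [(pkt.ingress_if, "in"), (pkt.egress_if, "out")]


def rule_matches(rule: FloatingRule, pkt: Packet) -> bool:
    """A rule bound to interface X with direction D applies when the packet is
    evaluated on X in direction D. Whether X faces the trusted or untrusted
    side never enters into it; only the interface and the direction relative
    to that interface do."""
    for iface, direction in evaluation_points(pkt):
        if rule.interface == iface and rule.direction in ("any", direction):
            return True
    return False


def path_description(pkt: Packet) -> str:
    """Readable form of the evaluation points, e.g. 'in on OPT1, out on LAN'."""
    return ", ".join(f"{d} on {i}" for i, d in evaluation_points(pkt))


# Constructed traffic matching the three situations discussed in the thread.
LAN_TO_INTERNET = Packet("192.168.1.10", "203.0.113.5", ingress_if="LAN", egress_if="WAN")
REPLY_TO_LAN = Packet("203.0.113.5", "192.168.1.10", ingress_if="WAN", egress_if="LAN")
OPT1_TO_LAN = Packet("192.168.2.20", "192.168.1.10", ingress_if="OPT1", egress_if="LAN")

# A floating block rule bound to LAN in the "out" direction (constructed).
BLOCK_LAN_OUT = FloatingRule("block", "LAN", "out")


if __name__ == "__main__":
    scenarios = [
        ("LAN host -> Internet", LAN_TO_INTERNET),
        ("Internet -> LAN host (reply)", REPLY_TO_LAN),
        ("OPT1 host -> LAN host", OPT1_TO_LAN),
    ]
    for name, pkt in scenarios:
        hit = rule_matches(BLOCK_LAN_OUT, pkt)
        print(f"{name:30s} evaluated as {path_description(pkt):22s} "
              f"-> 'block out on LAN' applies: {hit}")
```

Running the block shows that "out on LAN" is consulted for the reply heading back to the LAN host and for the OPT1 host's packet heading to the LAN host, while the LAN host's own outgoing packet is seen by LAN only in the "in" direction. That is the distinction the thread turns on: "out" on LAN means packets the LAN interface transmits, whatever side of the firewall they came from.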