
Author Topic: Firewall rules based on interface  (Read 2937 times)


cmb (Chris Buechler), Administrator
Re: Firewall rules based on interface
« Reply #15 on: June 23, 2011, 07:32:06 pm »
You cannot just specify interfaces in rules (in the GUI or the underlying system); using subnets, aliases or interface groups (likely a combination) can do what you want, by using IP subnets rather than interfaces.

jimp, Administrator
Re: Firewall rules based on interface
« Reply #16 on: June 28, 2011, 08:16:49 am »
On 2.0 you can use floating rules and/or interface groups to get closer to what you want, but with traditional rules you do need to block inbound on the interfaces going to every other network you don't want them to access. By using aliases, you don't really need X number of individual rules, you could do it with only a couple of them.

MikeN, Newbie
Re: Firewall rules based on interface
« Reply #17 on: July 04, 2011, 04:57:46 am »
fwadmin: Did you ever manage to find a good solution to this?

It's really a problem that I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface.

cmb (Chris Buechler), Administrator
Re: Firewall rules based on interface
« Reply #18 on: July 04, 2011, 05:12:20 pm »
Quote from: MikeN on July 04, 2011, 04:57:46 am
It's really a problem that I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface.

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.

MikeN, Newbie
Re: Firewall rules based on interface
« Reply #19 on: July 04, 2011, 06:14:30 pm »
Quote from: cmb on July 04, 2011, 05:12:20 pm
Quote from: MikeN on July 04, 2011, 04:57:46 am
It's really a problem that I can't reliably filter traffic based on source/destination interfaces. If I allow traffic to 'the internet' (which I can't specify with an IP range), I immediately allow traffic to all other interfaces and not just the gateway interface.

Easy, just block or reject what you don't want to permit (most commonly with an alias of local and VPN-attached networks, if not all of RFC1918) above allowing destination "any" for required Internet traffic.
That is an option, but:
- It's error prone. If in the future new IP ranges get added to interfaces, I will have to make sure that these get blocked too. I'd rather have something closed/secure by default, instead of the other way around.
- It's quite some work if you've got multiple interfaces. I still have to look into the floating rules (running 2.0-rc3 here), and where they're added in the pf ruleset, so maybe floating rules can resolve this issue...
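The pattern cmb describes in reply #18, written out as raw pf rules so the ordering is visible, and addressing the "new ranges added later" concern from reply #19 by rejecting all of RFC1918 rather than only the subnets that exist today. This is an added example, not code from the thread or from pfSense itself; the interface name em2, the guest subnet 192.168.50.0/24 and the entries in the local_nets table are assumed values. It also shows the caveat that the reject rule must sit below any rule permitting services the guest network needs from the firewall itself (DNS here), or those break too.

```pf
# Added example, not from the thread. Interface and subnets are assumptions.
guest_if  = "em2"
guest_net = "192.168.50.0/24"

# All of RFC1918: also covers subnets attached to this firewall in the
# future, so a new interface does not silently become reachable.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Narrower alternative: only the networks actually attached (LAN, DMZ,
# VPN client pool). Assumed values; must be maintained when nets change.
table <local_nets> { 192.168.1.0/24, 192.168.2.0/24, 10.8.0.0/24 }

# --- Weak: a lone "allow to the Internet" rule. Destination "any" also
#     matches every other interface on this firewall, which is exactly
#     the problem MikeN describes. Kept commented out for comparison.
# pass in quick on $guest_if inet from $guest_net to any keep state

# --- Corrected. Rules are evaluated top to bottom and "quick" makes the
#     first match final, so order is what gives the intended result:
#     1. services guests need from the firewall itself (DNS on the
#        interface's own address), which the reject below would otherwise
#        catch because that address is inside RFC1918;
#     2. reject anything bound for private networks (block return sends
#        a TCP RST / ICMP unreachable, i.e. "reject" in the GUI);
#     3. the catch-all allow for real Internet traffic.
pass in quick on $guest_if inet proto { tcp udp } from $guest_net \
    to ($guest_if) port 53 keep state
block return in quick on $guest_if inet from $guest_net to <rfc1918>
pass in quick on $guest_if inet from $guest_net to any keep state
```

In the pfSense GUI the same thing is an alias (Firewall > Aliases, type Network) holding the RFC1918 ranges, a reject rule on the guest interface tab with destination set to that alias, and the existing pass-to-any rule beneath it; rules generated by the GUI already carry quick, so the position in the list is the only thing that matters. Load a hand-written file with `pfctl -nf <file>` first: -n parses without applying, which catches syntax errors before the ruleset replaces the running one.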