As I continue to improve my understanding and develop a model to better visualize the inner
workings of the pfSense firewall, I wanted to share it with the community.
I haven't had a chance to write a detailed text explanation yet, but hope to do so shortly.
This post https://forum.pfsense.org/index.php?topic=126866.msg700593#msg700593
still applies, but it is very wordy and doesn't incorporate the floating rules; it does, however, illustrate
"State Creation", which might.
pfSense Block Diagram

LAN    ----*FW--(192.168.1.1)---|
                                |
VLAN10 ----*FW--(192.168.10.1)--|
                                |             WAN
VLAN20 ----*FW--(192.168.20.1)--|         Interface            Public or
                                |             IP                Gateway IP
VLAN30 ----FW---(192.168.30.1)--@@@--NAT--(x.x.x.x)--FW---WAN---(p.p.p.p)
                                |
VLAN40 ----*FW--(192.168.40.1)--|
                                |
VLAN50 ----*FW--(192.168.50.1)--|
                                |
VLAN60 ----*FW--(192.168.60.1)--|

Sample Firewall with Multiple VLANs
and a Single Internet Gateway
           ----LOCAL I/F----        FW       ---GATEWAY I/F---
             IN  (I)  OUT                      OUT  (O)  IN
 --->      ~F>R       F<R<          |        >F>R       F<R<      <---
 LAN       ~L>U  -->  L<U<          |        >L>U  <--  L<U<
 or        ~O>L  I/F  O<L<        ~@|@~      >O>L  I/F  O<L<      WAN
 VLANx     ~A>E RULES A<E<          |        >A>E RULES A<E<
           ~T>S*******T<S<          |        >T>S~~~~~~~T<S<

Detail of FW Blocks with
Floating Rules
DEFINITIONS
IN/OUT: Direction is always with respect to the interface.
SOURCE: The Initiator of the session to be blocked.
DESTINATION: The recipient of the session to be blocked
I/F RULES: Rules applied on the Firewall / Rules / (LAN,WAN etc.)
Tab for a given interface.
FLOAT RULES: Rules applied on the Firewall / Rules / Floating Tab.
The IP for an interface sits inside the firewall block (FB) and access
to it can be blocked with a firewall rule
Floating Rules are processed before I/F rules, so they can be used to
bypass I/F rules.
Once the firewall block is opened for a session, the rules are no
longer evaluated for that session.
When creating rules that block an open traffic flow, the states
associated with that traffic flow must be cleared before the new rule
will be effective. So either the traffic flow must stop and the
state must time out and clear by itself, or you must use the WebGUI
to either clear the chosen states, or to clear all states. (Clearing
all states will disrupt streaming traffic and downloads.)
Rules can only block traffic in the direction of the arrows
shown with the particular rule. Interface/Normal rules can only block
traffic going into that interface - either from the WAN into the pfSense
box, or from a (V)LAN into pfSense as shown.
Floating rules may use one rule to appear on multiple interfaces
simultaneously, and will work as if they were placed on the diagram
as shown.
The key point to remember is to write rules that either block or pass (start) communication between 2 hosts.
Once communication starts, it doesn't matter what the firewall rules are for a given session as the firewall rules
no longer apply to that session. So if someone can open a connection to xxx.com on port 80 they can browse
xxx.com. Attempting to block incoming traffic from xxx.com is useless because xxx.com is not initiating the
session, a machine on the local network is. Instead prevent the connection to xxx.com by placing a reject rule
on the LAN/VLAN - BLOCK Source: ANY (or (V)LAN.net) Destination: xxx.com Ports:80/443.
Can someone tell me does point @@@ have an IP (Layer 3) address?
Any suggestions for how to incorporate NAT and 127.0.0.1 into the diagram?
Suggestions / corrections are welcomed.
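The post's practical point is that a new block rule does nothing for a session that already has a state, and that "Reset states" in the WebGUI is a blunt instrument. The script below is an added example, not part of the original post: it takes the output of `pfctl -ss` (the command-line equivalent of Diagnostics > States) and emits `pfctl -k SRC -k DST` commands that kill only the states between the inside hosts and the destination you just blocked. The inside host is taken from the parenthesised pre-NAT address on WAN-side state lines, which is the address the (V)LAN rule actually matches. Only `->` (locally initiated) states are considered, which is exactly the author's scenario; `<-` states (initiated from the far side) are left alone. The sample state lines and all addresses (RFC 5737 documentation ranges) are constructed for this example. The pf rule itself, in pf.conf syntax rather than WebGUI terms, would be of the form `block return in quick on vlan10 proto tcp from vlan10:network to 93.184.216.34 port { 80 443 }`.

```shell
#!/bin/sh
# Added example (not from the original post): kill only the pf states that a
# newly added block rule now covers, instead of resetting the whole state table.
#
# State line shapes handled, as printed by `pfctl -ss` on FreeBSD/pfSense:
#   vlan10 tcp 192.168.10.22:51234 -> 93.184.216.34:80  ESTABLISHED:ESTABLISHED
#   em0 tcp 203.0.113.5:19876 (192.168.10.22:51234) -> 93.184.216.34:80  ESTABLISHED:ESTABLISHED
# The second form is the WAN-side copy of a NATed session: translated address
# first, original inside address in parentheses. Lines with "<-" (sessions
# initiated from the other side) are skipped on purpose.

# states_to_dst DST: read `pfctl -ss` output on stdin, print the unique inside
# source addresses that hold a state *to* DST (an address, no port).
states_to_dst() {
    awk -v dst="$1" '
        # strip the port: "a.b.c.d:port" for IPv4, "addr[port]" for IPv6
        function hostpart(x) {
            if (x ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", x)
            else sub(/\[[0-9]+\]$/, "", x)
            return x
        }
        {
            arrow = 0
            for (i = 1; i <= NF; i++) if ($i == "->") { arrow = i; break }
            if (arrow < 2) next                      # no "->": inbound or junk
            if (hostpart($(arrow + 1)) != dst) next  # different destination
            src = $(arrow - 1)
            gsub(/[()]/, "", src)                    # prefer the pre-NAT address
            print hostpart(src)
        }' | sort -u
}

# kill_cmds_for_dst DST: one `pfctl -k SRC -k DST` per inside host, which pf
# interprets as "kill the states from SRC to DST" and nothing else.
kill_cmds_for_dst() {
    states_to_dst "$1" | while IFS= read -r src; do
        printf 'pfctl -k %s -k %s\n' "$src" "$1"
    done
}

# Constructed sample of `pfctl -ss` output so the script runs stand-alone.
# Two VLAN hosts have sessions to 93.184.216.34 (each seen once on its VLAN
# and once NATed on em0), plus unrelated DNS, SSH and an inbound "<-" state.
sample_states() {
    cat <<'EOF'
vlan10 tcp 192.168.10.22:51234 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:19876 (192.168.10.22:51234) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
vlan20 tcp 192.168.20.7:40000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:40001 (192.168.20.7:40000) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
vlan10 udp 192.168.10.22:53211 -> 192.168.10.1:53       MULTIPLE:SINGLE
lan tcp 192.168.1.50:2222 -> 198.51.100.9:22       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:22 <- 198.51.100.9:5555       ESTABLISHED:ESTABLISHED
EOF
}

# Demo against the constructed sample. On the firewall itself you would run:
#   pfctl -ss | kill_cmds_for_dst 93.184.216.34        # review first
#   pfctl -ss | kill_cmds_for_dst 93.184.216.34 | sh   # then apply
sample_states | kill_cmds_for_dst 93.184.216.34
```

Review the generated commands before piping them to `sh`; `pfctl -k` with a single host argument would kill every state touching that host, which is why the script always emits the two-host form.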