  • MOVED: pf firewall and snort not killing states

    Locked · 0 Votes · 1 Post · 1k Views
    No one has replied
  • Mac address filtering

    Locked · 0 Votes · 3 Posts · 6k Views
    The usage of MAC addresses belongs to the lower levels in the ISO OSI ("L2"). Your MAC is only used and seen on the local net/broadcast domain. When you pass a router the MAC is gone in the eyes of the receiver, sort of. (I see now that Efonne basically wrote the exact same thing :) ) See here for some more info: http://en.wikipedia.org/wiki/OSI_model http://en.wikipedia.org/wiki/Data_Link_Layer
  • Blocking rules with schedules again, to clarify

    Locked · 0 Votes · 5 Posts · 3k Views
    My bad, I thought of them as a different kind of rule in the set, in that aspect, but I'll have that in mind; not the problem here though. I again have seen one occurrence of this problem: I had one xbox on one of the internal networks that wasn't allowed to pass through after 2200, but it took a few minutes past 2300 before it was effectively blocked. There's no other rules blocking that IP, so the rule blocking past 23 is the one that should've blocked at 22; schedule details in pic below. This is the same system that I have reported intermittent problems related to imspector and captive portal for earlier. Could my system be messed up somehow, and if so how can I tell (I don't want to make a re-install unless I feel it's needed)? How can one be sure all configs are in proper syntax etc.? Is there some kind of debugging/syntax checker/self test command that one could use? TIA ![Firewall- Schedules_1271163255185.png](/public/imported_attachments/1/Firewall- Schedules_1271163255185.png)
  • Allow fragmented packets (sipgate.de issue)

    Locked · 0 Votes · 3 Posts · 4k Views
    Thanks for your reply. I tested this, but it doesn't solve the problem. Actually I'm running on m0n0wall, as I'm in need of my PBX…
  • Block source ports vs destination ports

    Locked · 0 Votes · 2 Posts · 3k Views
    Approximately speaking, a connection to a web server will always have a destination port of 80, but the source port will be a random number in the range 1024 to 65535. If the source port were always 80 it would not be possible for TCP to distinguish between multiple HTTP connections between the same pair of hosts.
  • Hidden rules and programming alias expansion

    Locked · 0 Votes · 1 Post · 2k Views
    No one has replied
  • Outgoing packets do not show up in log

    Locked · 0 Votes · 4 Posts · 2k Views
    Boy, that sure was a lot of work for a simple answer! Well, better that than the alternative… Thank you!
  • Access to my DSL Modem

    Locked · 0 Votes · 2 Posts · 1k Views
    GruensFroeschli: Read the FAQ? (or search the forum)
  • Regarding Bridging

    Locked · 0 Votes · 2 Posts · 2k Views
    Since it is a bridge now, it is generating STP packets (Spanning Tree Protocol). These are harmless.
  • What's Open After Install?

    Locked · 0 Votes · 5 Posts · 2k Views
    Ola GruensFroeschli, OK. Cool. Thank You. -V-
  • Block access from lan to an internet ip

    Locked · 0 Votes · 20 Posts · 9k Views
    In my dealings blocking an entire subnet, you have to make sure that your rules are in the correct place in the rules list (top, before allow rules). Secondly, if you restart your pfSense, by no means assume that clients will get updated automatically unless directly connected: ipconfig /release, /flushdns, /renew or your OS's equivalent. Also blocking the route to the subnet seems to prevent connects better (IMHO), so that would look like:
        * Blocked_sites * LAN net * *
        * Blocked_sites * WAN net * *
    Try blocking the remote DNS address if possible.
  • In Bridge Mode, firewall seems to be blocking HP and Dell downloads

    Locked · 0 Votes · 5 Posts · 2k Views
    jimp: Actually I was just reminded by someone else that ftpsesame should work in a bridged scenario, so you may also want to try to enable the FTP helper on LAN if it has been disabled.
  • MOVED: Can't access LAN from wireless

    Locked · 0 Votes · 1 Post · 956 Views
    No one has replied
  • Rules disappearing while entering!

    Locked · 0 Votes · 4 Posts · 2k Views
    Oh, if you have a bad drive that is causing your config to be corrupted, that will be detected and the last good backup will be restored. I could definitely see that scenario occurring with a dying drive, or a disk controller problem, or bad cable, or any number of hardware problems. My comments were assuming the hardware is solid.
  • 0 Votes · 2 Posts · 2k Views
    jimp: The other option is to move ssh to a different port, such as 222, on all your boxes. It won't get scanned by nearly as many (if any) such attempts, and you can keep it open. Personally I block off all ssh from outside and connect via VPN before I can reach anything internal.
  • Newbie LAN-YEL-ORA independent NIC subnets w/WAN access don't work

    Locked · 0 Votes · 4 Posts · 3k Views
    "Yellow Address" refers to the IP address of the Yellow NIC. I was thinking that it meant something similar to "Yellow Subnet". For OPT I/F, you must create a rule to allow a machine on the yellow subnet to reach the yellow subnet NIC (with the DNS server). This one seems crazy to me, but this is the way it is. It seems crazy since if the DNS server were out on a switched segment, anyone could reach it with the same address. I am using an external DNS service, and desire to block any attempts by local machines to use other DNS servers. I made an alias AllPrivateIP with the Private and Auto IP addresses so that I could refer to their inverse as meaning the internet in various cases. I seem to have private addresses pounding on me from my WAN trying to bootp. I have an XBOX360 on ORANGE which I have working at the "OPEN" level (highest) without uPNP. Don't let any sloppy names that slip through confuse you with respect to LAN, ORANGE, YELLOW, XBOX360. If it looks like something, it is. I plan on moving to a "block all except those allowed" for LAN, YELLOW, and ORANGE.

        Reject UDP LAN-Net * !Lan-Addr 53(DNS) *  Comment: Reject DNS to other than LAN Gateway
        Pass Any LAN-Net * * * *  Comment: Allow LAN to access anything
        Reject * * * * * * *  Comment: Reject at bottom so LAN never gets blocked causing delay
        Pass UDP !AllPrivateIP * XBOX360 88 *  Comment: Allow XBOX port forward
        Pass TCP/IP !AllPrivateIP * XBOX360 3074 *  Comment: Allow XBOX port forward
        Block * * * * * * *  Comment: Block at bottom so no response.

    YELLOW
        Pass UDP YEL-NET * YEL-Addr 53(DNS) *  Comment: Allow access to local DNS
        Reject UDP YEL-NET * !YEL-Addr 53(DNS) *  Comment: Reject access to other (external) DNS
        Pass * YEL-NET * !AllPrivateIP * *  Comment: Allow unlimited access to WAN
        Reject * * * * * *  Comment: Reject at bottom so no delay

    ORANGE
        Pass UDP ORA-NET * ORA-Addr 53(DNS) *  Comment: Allow access to local DNS
        Reject UDP ORA-NET * !ORA-Addr 53(DNS) *  Comment: Reject access to other (external) DNS
        Pass * ORA-NET * !AllPrivateIP * *  Comment: Allow unlimited access to WAN
        Reject * * * * * *  Comment: Reject at bottom so no delay

    Firewall / NAT / Port Forward
        WAN UDP 88 XBOX360 88
        WAN TCP/UDP 3074 XBOX360 3074

    Firewall / NAT / Outbound (Manual)
        WAN LAN-NET * * * * * No
        WAN YEL-NET * * * * * No
        WAN ORA-NET * * * * * Yes
  • Firewall with multiple subnets on same interface

    Locked · 0 Votes · 7 Posts · 4k Views
    OK, thank you, that is all I want to know; it is supposed to work like that. Thank you.
  • Crazy HTTPS Forwarding Issue

    Locked · 0 Votes · 3 Posts · 2k Views
    The firewall doesn't care what URL you're going to, and doesn't even know; it can't see the HTTPS traffic. Has to be something on your web server or reverse proxy that's different with the firewall in place.
  • MOVED: authentication proxy ?

    Locked · 0 Votes · 1 Post · 1k Views
    No one has replied
  • Setup DMZ with single public IP

    Locked · 0 Votes · 9 Posts · 7k Views
    GruensFroeschli: Ah, I see. Well, you can still map the complete range with normal port forwards. But why would you need that?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.