Doesn't block outgoing
-
I'm sure it must be something on my side, I'm sure I'm stupid, etc etc etc, and so on and so forth, nevertheless: outgoing LAN is not blocked.
1. I have a Synology.
2. I don't want it to go anywhere except for downloading from 1 usenet server.
3. Top firewall rules on LAN are as in zpic001. Rx = Rulex.
4. The rules in more detail:
A. Rule1: Allow SYNOLOGY (192.168.x.xx) out to router (NWRK_PFSENSE = 192.168.x.x, 127.0.0.1) on management ports 53, 123, 80, 443. The router is the DNS-forwarder (‘unbound’) for my whole LAN (no external DNS servers outside LAN allowed).
B. Rule2: BLOCK SYNOLOGY out to any other host (= the ‘!’ in front of NWRK_PFSENSE) for the above 4 management ports.
C. Rule3: Allow SYNOLOGY out to two specific usenet hosts (NO synology website or server is included in here, I triple-checked).
D. Rule4: Block SYNOLOGY out anywhere.
5. Nevertheless, the Synology is happily checking for updates. Pic zpic002.
6. My dear friends over @ Synology ("Made in Taiwan", not "Made in China", so to speak) are also wondering what is going on and asked me to do this from the Synology CLI: "curl https://update.synology.com/autoupdate/genRSS.php".
7. Not surprisingly, that went through very well too: Pic zpic003.
So it is not blocking anything, even though the block rules are the TOP most TOP rules. I even rebooted the box 57147 times to make sure there was no caching or anything whatever.
I'm sure, as always, I did something wrong, but what?
Thank you for any help.
Oh, I forgot, the latest of the greatest (version), of course, just to make sure.
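An added illustration, not part of the thread: a small first-match simulator of the four LAN rules described above, followed by pfSense's stock "Default allow LAN to any" rule, using constructed placeholder addresses (the poster's real addresses are masked). It shows which rule each test packet should hit, and that a packet whose source address is not in the SYNOLOGY alias falls straight through to the default allow, which is one thing worth verifying before looking at rule order.

```python
from ipaddress import ip_address

# Constructed placeholder aliases mirroring the post (not the poster's real addresses).
SYNOLOGY = {ip_address("192.168.1.50")}
NWRK_PFSENSE = {ip_address("192.168.1.1"), ip_address("127.0.0.1")}
USENET_HOSTS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}
MGMT_PORTS = {53, 123, 80, 443}

# (name, action, source set or None=any, destination set or None=any,
#  negate_destination, destination ports or None=any)
RULES = [
    ("Rule1", "pass",  SYNOLOGY, NWRK_PFSENSE, False, MGMT_PORTS),
    ("Rule2", "block", SYNOLOGY, NWRK_PFSENSE, True,  MGMT_PORTS),  # "! NWRK_PFSENSE"
    ("Rule3", "pass",  SYNOLOGY, USENET_HOSTS, False, None),
    ("Rule4", "block", SYNOLOGY, None,         False, None),
    # Stock LAN rule that normally sits below the custom rules.
    ("Default", "pass", None, None, False, None),
]


def first_match(src, dst, dport):
    """Evaluate one packet entering the LAN interface against RULES in order.

    pfSense interface rules are 'quick', so the first matching rule decides.
    Returns (rule name, action); an unmatched packet hits the implicit deny.
    """
    src, dst = ip_address(src), ip_address(dst)
    for name, action, srcs, dsts, negate, ports in RULES:
        if srcs is not None and src not in srcs:
            continue
        if dsts is not None:
            in_dst = dst in dsts
            if in_dst == negate:  # negate=True means "destination NOT in the alias"
                continue
        if ports is not None and dport not in ports:
            continue
        return name, action
    return "implicit", "block"


if __name__ == "__main__":
    # 198.51.100.20 stands in for an update server on the Internet.
    for pkt in [("192.168.1.50", "192.168.1.1", 53),      # DNS to the router
                ("192.168.1.50", "198.51.100.20", 443),   # HTTPS update check
                ("192.168.1.50", "203.0.113.10", 563),    # usenet host
                ("192.168.1.50", "198.51.100.20", 8080),  # anything else
                ("192.168.1.51", "198.51.100.20", 443)]:  # source not in alias
        print(pkt, "->", first_match(*pkt))
```

If the Synology reaches pfSense from an address outside the SYNOLOGY alias (a second IP, or IPv6 when the alias holds only IPv4), it takes the last path above and is allowed out.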
-
Firewall rules only block connections incoming to that interface. In order to block outgoing connections, you will need to set up a floating rule.
You should also read https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules especially the alternate causes section.
-
Thank you Sir ;D
However, if I block all, it does work. Pic 004 for example, that server does not go out anywhere.