Redundant rules ?
-
Not sure I understand your reply.
Example: Opt2 talks to no one.
- Rule to block outgoing from Opt2 to Lan and Opt1, configured on Opt2 rules
OR
- Rule to block incoming from Opt2 to Lan and Opt1, configured on Lan1 and Opt1 rules
From above, to accomplish the goal do I need 1, or 2, or both?
-
@srytryagn said in Redundant rules ?:
block all outgoing messages interface Opt2: source any
How would source be ANY into opt2 - the only traffic that could be source into opt2 is opt2
Such statements point to a lack of understanding of how the rules work on pfsense.
Traffic is evaluated as it enters an interface from the network it's attached to..
The only source would be the same network, be that lan, or opt1 or opt2 - the only source would be lan into lan, opt1 into opt1 or opt2 into opt2
The only time you would have something other than the interface network as source is if you were using it as a transit network. And then you should really call out those cidrs for those networks and not any, etc.
@srytryagn said in Redundant rules ?:
both sides out and in or is one side sufficient?
So you're going to do floating outbound rules on each interface?
The only place to do "outbound" rules on an interface is floating.
-
@srytryagn said in Redundant rules ?:
Not sure I understand your reply.
Example: Opt2 talks to no one.
- Rule to block outgoing from Opt2 to Lan and Opt1, configured on Opt2 rules
OR
- Rule to block incoming from Opt2 to Lan and Opt1, configured on Lan1 and Opt1 rules
From above, to accomplish the goal do I need 1, or 2, or both?
I think you need to understand that "Opt2 talks to no one" does not mean no one can talk to Opt2.
-
@johnpoz said in Redundant rules ?:
How would source be ANY into opt2 - the only traffic that could be source into opt2 is opt2
How, why could Lan not be a source sending traffic to Opt2 ?
& Yes you are right I do not understand how the rules work, despite reading manual it is unclear, at least to me.
-
@jarhead What if I want both: Opt2 talks to no one in private/local networks and no one talks to Opt2 from other private/local... i.e. Opt2 is segregated but can reach out to the internet.
-
Then you need the rule on OPT2 to prevent hosts there connecting to LAN or OPT1.
And you need rules on LAN and OPT1 to prevent hosts on those subnets connecting to OPT2.
On the normal rules tab traffic is matched on the basis of connection coming into the interface from outside the firewall.
All traffic out of an interface is allowed.
The only exception to that being floating rules but you should avoid them unless you have no option (for your own sanity!).
Steve
-
@stephenw10 Thanks that makes sense add both in that case!
However, the statement "On the normal rules tab traffic is matched on the basis of connection coming into the interface from outside the firewall." is not clear in my head.
What do you mean by into the interface from wan, from firewall into private lan ? What is outside the firewall and on what side ?
Very confusing, I am sure I am not thinking about this the right way around.
-
By 'traffic that is inside the firewall' I mean traffic in the router itself. So traffic that has been passed by a rule and allowed in on any interface. It is then routed to the appropriate interface for the destination and exits the firewall from that interface. By default all traffic is allowed to exit on any interface.
So traffic hitting the OPT2 rules for example can only have come from the OPT2 subnet. Traffic from hosts on other subnets, like LAN for example, can never hit the OPT2 rules because it only ever exits OPT2 and all outbound traffic is allowed.
See: https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
Steve
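To make the methodology described above concrete, here is a small Python model of interface-tab rule evaluation. It is an added example, not pfSense code and not something posted in the thread; the three subnets and the rule sets are constructed for illustration, and it models connection initiation only (replies of allowed connections follow the state table). It shows why block rules on the OPT2 tab alone still let LAN and OPT1 reach OPT2, and why rules on both sides are needed.

```python
"""Toy model of pfSense interface-tab rule evaluation (constructed example).

A packet is checked only against the tab of the interface it arrives on,
first match wins, unmatched traffic hits the implicit default deny, and
traffic leaving the firewall on any interface is always allowed.
"""
import ipaddress

# Constructed sample network: interface name -> subnet attached to it.
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),
    "OPT2": ipaddress.ip_network("192.168.3.0/24"),
}

def ingress_interface(src_ip):
    """Traffic enters the firewall only on the interface whose subnet it came from."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "WAN"  # anything not on a local subnet arrives via WAN

def evaluate(rules, src_ip, dst_ip):
    """Apply only the ingress interface's tab, first match wins.
    rules: {tab: [(action, src_net, dst_net), ...]}, "any" is a wildcard.
    Returns 'pass' or 'block'; no match means default deny."""
    tab = ingress_interface(src_ip)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules.get(tab, []):
        src_ok = src_net == "any" or src in ipaddress.ip_network(src_net)
        dst_ok = dst_net == "any" or dst in ipaddress.ip_network(dst_net)
        if src_ok and dst_ok:
            return action
    return "block"

# Option 1 from the thread: block rules on the OPT2 tab only.
opt2_only = {
    "LAN": [("pass", "192.168.1.0/24", "any")],
    "OPT1": [("pass", "192.168.2.0/24", "any")],
    "OPT2": [("block", "192.168.3.0/24", "192.168.1.0/24"),
             ("block", "192.168.3.0/24", "192.168.2.0/24"),
             ("pass", "192.168.3.0/24", "any")],   # OPT2 may still reach the internet
}
# Both sides: add block rules on the LAN and OPT1 tabs as well.
both_sides = {
    "LAN": [("block", "192.168.1.0/24", "192.168.3.0/24")] + opt2_only["LAN"],
    "OPT1": [("block", "192.168.2.0/24", "192.168.3.0/24")] + opt2_only["OPT1"],
    "OPT2": opt2_only["OPT2"],
}
```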
-
@stephenw10 Is it opposite for WAN ?
-
@srytryagn said in Redundant rules ?:
Is it opposite for WAN ?
No - works exactly the same way.. Traffic is inbound to the wan interface from the wan network.
Out of the box all unsolicited traffic into the wan interface is denied..