Netgate Discussion Forum

    Rules being ignored

    Firewalling
pep

Hello,
I'm new to pfSense, evaluating it after many years of m0n0wall.

      No matter how I am setting it up, rules on the OPT1 interface are being ignored…
      I am setting up OPT1 as a dmz.

      *** Welcome to pfSense 1.2-BETA-1-TESTING-SNAPSHOT-05-02-07-pfSense on wall ***

LAN*          -> em0   -> 192.168.11.254
OPT1(OPT1)*   -> em1   -> 192.168.110.254
OPT2(OPT2)    -> em2   -> NONE
OPT3(OPT3)    -> em3   -> NONE
WAN*          -> bge0  -> 213.246.239.58
OPT4(OPT4)    -> bge1  -> 20.20.20.21

The only rule in "Rules", tab OPT1, is:

Action    Proto  Source    Port  Destination  Port  Gateway  Schedule  Description
pass log  *      OPT1 net  *     ! LAN net    *     *                  allow dmz to any but lan

      But I can connect from dmz to lan, and nothing related to em1 in the logs. :-(

      Any advice?

AhnHEL

On your LAN, the default rule is to allow all, so it's more like the LAN is connecting to your DMZ, not that your DMZ is ignoring the rules.

        Create a rule on the LAN interface denying all traffic from DMZ to LAN, and another denying traffic from LAN to DMZ.
        Create a rule on the DMZ interface denying all traffic from DMZ to LAN, and another denying traffic from LAN to DMZ.

This way, no matter what interface the traffic is on, it's guaranteed not to go between LAN and DMZ. The above might be redundant, I'm not sure, but it works.

I have disabled the WebGUI anti-lockout rule in System/Advanced and placed firewall rules to allow only specific stations to admin into pfSense from the LAN. I also made a firewall rule on the DMZ to block ALL TCP traffic to the DMZ address using port 80, or 443, or a custom port if you're using one. (No one on the DMZ should be playing admin.) Again, it might be redundant, but it keeps me warm. I'm still fairly new at this myself, but I'm learning; if I'm wrong I'm sure someone will come along and correct me.

        AhnHEL (Angel)

GruensFroeschli

@AhnHEL: this is wrong.
You might want to connect to your DMZ from LAN but forbid access from DMZ to LAN.

          @pep:
Try this: the rules are processed from top to bottom.
So create rules on OPT1 like:

          rule#1 - Action: Block - Source: OPT1net - Destination: LAN
          rule#2 - Action: Allow - Source: OPT1net - Destination: any

If the first rule matches, the rest of the rules are no longer considered.
          Now try to connect from DMZ to LAN and you should see a "blocked" entry in your log.

I'm not sure why your previous rules do not work. I think they should.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

pep

Thank you guys for your replies.

            Of course I want to access certain services in dmz from lan!

            Gruens,
            I have done what you have suggested with no luck.

"Try this: the rules are processed from top to bottom."
            Interesting. In which order? I mean, can a rule in the LAN interface tab override one in the opt1 tab?

I do have the 2 following rules in the LAN tab:

BLOCK LOG  *  OPT1 net  *  LAN net  *  *  block dmz to lan
PASS       *  *         *  *        *  *

            The second rule was there by default.

By the way, here are my current OPT1 settings:

BLOCK LOG  *  OPT1 net  *  LAN net  *  *  deny dmz to lan
PASS  LOG  *  OPT1 net  *  *        *  *  allow dmz to any

That's right, 2 redundant rules, and all dmz->lan traffic is accepted, and still nothing in the logs regarding em1.

GruensFroeschli

You can remove the block-OPT1 rule on your LAN.
The rules are applied when the traffic comes into the firewall.
-> The rules on LAN will never be applied to traffic coming in on the OPT1 interface.

              Could it be that you disabled the firewall function under System --> Advanced --> Disable Firewall?

Try removing all rules on your OPT1 interface.
If you remove all rules from your OPT1 interface, nothing should ever be able to pass anywhere.
If you can still ping anything from within the DMZ while no rules are on OPT1, then something is really strange.

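The two points GruensFroeschli makes above, that rules in an interface tab are evaluated top to bottom with the first match winning, and that a tab's rules only see traffic entering the firewall on that interface, can be checked against a small model. The following is an added example, not code from the thread or from pfSense itself; it is a toy evaluator that mimics pfSense's per-tab rule semantics (pfSense emits GUI rules as pf rules with the `quick` keyword, so the first matching rule decides, and anything unmatched falls through to the default deny). The network addresses are constructed from pep's interface list, and the host addresses and rule names are assumptions chosen for illustration.

```python
"""Toy model of pfSense's per-interface rule tabs (added example, not pfSense code).

Model assumptions (not a full pf implementation):
  * a tab's rules are consulted only for packets ENTERING on that interface;
  * rules are evaluated top to bottom, first match wins (pfSense's GUI rules
    are generated with pf's `quick` keyword);
  * a packet matching no rule is dropped by the implicit default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed from the interface list posted in the thread.
NETS = {
    "LAN net": ip_network("192.168.11.0/24"),
    "OPT1 net": ip_network("192.168.110.0/24"),
}


@dataclass(frozen=True)
class Rule:
    iface: str        # tab the rule lives in == interface the traffic enters on
    action: str       # "pass" or "block"
    src: str          # "*" or a NETS key
    dst: str          # "*" or a NETS key, optionally "! "-prefixed to negate
    descr: str = ""
    log: bool = False


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


def _match_addr(spec: str, addr: str) -> bool:
    """Match an address against '*', 'X net' or '! X net'."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in NETS[spec.lstrip("! ")]
    return not hit if negate else hit


def evaluate(rules, pkt: Packet):
    """Return (action, matched_rule). Only the tab for pkt.in_iface is consulted."""
    for r in rules:
        if r.iface != pkt.in_iface:
            continue            # a LAN-tab rule never sees traffic arriving on OPT1
        if _match_addr(r.src, pkt.src) and _match_addr(r.dst, pkt.dst):
            return r.action, r  # first match wins ("quick")
    return "block", None        # implicit default deny


def pep_ruleset():
    """The LAN and OPT1 tabs as pep describes them later in the thread."""
    return [
        Rule("LAN", "block", "OPT1 net", "LAN net", "block dmz to lan", log=True),
        Rule("LAN", "pass", "*", "*", "Default LAN -> any"),
        Rule("OPT1", "block", "OPT1 net", "LAN net", "deny dmz to lan", log=True),
        Rule("OPT1", "pass", "OPT1 net", "*", "allow dmz to any", log=True),
    ]


# Constructed sample flows (host addresses are assumptions).
DMZ_TO_LAN = Packet("OPT1", "192.168.110.10", "192.168.11.20")
DMZ_TO_INET = Packet("OPT1", "192.168.110.10", "198.51.100.1")
LAN_TO_DMZ = Packet("LAN", "192.168.11.20", "192.168.110.10")


def expected_dmz_to_lan():
    """With pep's tabs, DMZ -> LAN entering on OPT1 hits the OPT1 block rule."""
    action, rule = evaluate(pep_ruleset(), DMZ_TO_LAN)
    return action, rule.descr


def reversed_order():
    """Swap the two OPT1 rules: 'pass any' now shadows the block (order matters)."""
    rules = pep_ruleset()
    rules[2], rules[3] = rules[3], rules[2]
    return evaluate(rules, DMZ_TO_LAN)[0]


def original_negated_rule():
    """pep's first attempt: a single 'pass OPT1 net -> ! LAN net' rule on OPT1.
    DMZ -> LAN matches nothing and falls to the default deny; DMZ -> Internet passes."""
    rules = [Rule("OPT1", "pass", "OPT1 net", "! LAN net", "allow dmz to any but lan", log=True)]
    return evaluate(rules, DMZ_TO_LAN)[0], evaluate(rules, DMZ_TO_INET)[0]


def lan_tab_does_not_see_dmz_traffic():
    """Keep only the LAN-tab rules: the LAN block rule is never the one that
    matches DMZ -> LAN traffic, because that traffic enters on OPT1."""
    rules = [r for r in pep_ruleset() if r.iface == "LAN"]
    return evaluate(rules, DMZ_TO_LAN)


if __name__ == "__main__":
    print("pep's tabs, DMZ->LAN:        ", expected_dmz_to_lan())
    print("OPT1 rules swapped, DMZ->LAN:", reversed_order())
    print("single '! LAN net' rule:     ", original_negated_rule())
    print("LAN tab only, DMZ->LAN:      ", lan_tab_does_not_see_dmz_traffic())
    print("LAN->DMZ with pep's tabs:    ", evaluate(pep_ruleset(), LAN_TO_DMZ)[0])
```

Under these semantics every ruleset pep posted, including the original single `! LAN net` pass rule, should have blocked DMZ->LAN traffic entering on em1, which is why the later replies turn to whether the filter is running at all (`pfctl -sr`, `tcpdump -i pflog0`, the Disable Firewall setting) rather than to rule order.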
pep

I have removed all rules on the OPT1 interface and only kept the default rule on LAN; traffic is still going through.

                In fact, no matter what rules I set in lan and opt1 (log flag enabled), they are ignored. I can see them by "pfctl -sr", though.
                syslog only reports traffic from the wan interface. "tcpdump -l -n -e -ttt -i pflog0" also only reports wan traffic.

GruensFroeschli

I'm sorry, I really don't know what is wrong with your pfSense ^^"
                  Could it be that you updated from a previous version and during the update something went wrong?

                  I would try to backup your config and reinstall the whole system.
                  Then first try it without the backup restored and if something is blocked (as it should be) restore the backup.

cmb

Post screenshots of your rules for the LAN and DMZ interfaces.

modis

pfff, my router has the same problem

cmb

                        @modis:

pfff, my router has the same problem

                        Please don't hijack threads. If your firewall rules aren't working the way you want them to, you have them misconfigured. You need to start a new thread and describe your problem.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.