Pfsense Firewall for Dummies
-
I wanted to write a document clarifying the firewall in pfSense, because I believe it is one of the most important aspects of pfSense to understand; everything relies on the proper rules. Unfortunately, it has come to my attention that I do not know how to use them myself. I am trying to clarify this once and for all so that I (and others) no longer have to be ambiguous about what rule to create; I can just think of a scenario and know the proper rule.
Note: In the first screenshots, "Accesspoint Net" is OPT2
1) I am under the impression that firewall rules apply inbound on an interface. So logically these rules make sense to me:
LAN: (screenshot of rules)
OPT: (screenshot of rules)
Yet they do not work.
2) Another way I have looked at this: packets enter pfSense's LAN from client machines (source: any), and ask the firewall, can I go to OPT? Logically, to me this says yes:
LAN: (screenshot of rules)
The packets are allowed in to the OPT interface. So traffic enters pfSense's OPT interface from the LAN client machines, destined for clients on it (destination: any), and asks the firewall, is my traffic accepted? Logically, to me this says yes:
OPT: (screenshot of rules)
The packets arrive at their destination and a reply is sent. The packets go out of OPT and back in to the LAN, where they once again ask, is my traffic accepted? Logically, to me, this says yes:
LAN: (screenshot of rules)
Yet these do not work either.
- I have created a set of rules that would logically allow TCP/UDP and ICMP from OPT1. These work. I have created an absolutely identical set of rules for OPT2 and these fail:
http://i427.photobucket.com/albums/pp360/xtropx/LAN_RULES1.png
http://i427.photobucket.com/albums/pp360/xtropx/OPT1RULES1.png
http://i427.photobucket.com/albums/pp360/xtropx/OPT2RULES1.png
Any assistance anyone can offer in helping clarify this huge part of pfsense would be invaluable both to me and those who come to the forums searching for answers on how to understand the pfsense firewall. Thanks in advance.
-
1) I am under the impression that firewall rules apply inbound on an interface.
They do, you have the source and destination backwards though. Traffic hitting the LAN rules will only be sourced from the LAN subnet. Read the firewall chapter in the book for a detailed explanation. http://pfsense.org/book
The basics are covered here.
http://doc.pfsense.org/index.php/Firewall_Rule_Basics
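The following is an added example, not code from the thread or from pfSense itself. It is a small Python model of the evaluation order the reply describes: rules are consulted only on the interface a packet enters, a passed packet creates state, and the reply is passed by that state without any rule on the other interface. The subnets (192.168.1.0/24 for LAN, 192.168.2.0/24 for OPT1) and host addresses are constructed for the example. The `backwards_rules` function reproduces the original post's mistake (a LAN rule whose source is the OPT1 subnet), and `correct_rules` shows the rule that actually matches plus an unsolicited OPT1 packet that is still dropped by default deny.

```python
"""Toy model of pfSense per-interface inbound rule evaluation.

Added example, not code from the thread or from pfSense. Addresses below
are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing, assumed for this example only.
LAN_NET = "192.168.1.0/24"
OPT1_NET = "192.168.2.0/24"
LAN_CLIENT = "192.168.1.50"
OPT1_HOST = "192.168.2.20"


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str = "any"   # "tcp", "udp", "icmp" or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


class Firewall:
    """Each interface owns a subnet; rules are evaluated on the interface a packet enters."""

    def __init__(self, interfaces):
        self.interfaces = {name: ipaddress.ip_network(net) for name, net in interfaces.items()}
        self.rules = {name: [] for name in interfaces}
        self.states = set()  # (proto, src, dst) of flows already passed by a rule

    def add_rule(self, iface, rule):
        self.rules[iface].append(rule)

    def ingress_iface(self, pkt):
        """A packet from a directly attached host arrives on the interface of its subnet."""
        for name, net in self.interfaces.items():
            if ipaddress.ip_address(pkt.src) in net:
                return name
        raise ValueError("no interface for source " + pkt.src)

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.dst)
        reverse = (pkt.proto, pkt.dst, pkt.src)
        # An established flow, in either direction, is passed by the state table
        # before any rule on any interface is consulted.
        if key in self.states or reverse in self.states:
            return "pass:state"
        iface = self.ingress_iface(pkt)
        # Only the ingress interface's rules apply; first match wins (pfSense adds "quick").
        for rule in self.rules[iface]:
            if rule.proto not in ("any", pkt.proto):
                continue
            if _in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst):
                if rule.action == "pass":
                    self.states.add(key)
                return f"{rule.action}:{iface}"
        # No rule matched: pfSense's implicit default deny on every interface.
        return f"block:{iface}:default-deny"


def backwards_rules():
    """LAN rule with source and destination reversed, as in the original post."""
    fw = Firewall({"LAN": LAN_NET, "OPT1": OPT1_NET})
    fw.add_rule("LAN", Rule("pass", src=OPT1_NET, dst=LAN_NET))
    fw.add_rule("OPT1", Rule("pass", src=LAN_NET, dst=OPT1_NET))
    # A LAN client can never have an OPT1 source address, so nothing on LAN matches.
    return fw.filter(Packet(LAN_CLIENT, OPT1_HOST))


def correct_rules():
    """LAN rule sourced from the LAN subnet; the reply needs no OPT1 rule at all."""
    fw = Firewall({"LAN": LAN_NET, "OPT1": OPT1_NET})
    fw.add_rule("LAN", Rule("pass", src=LAN_NET, dst=OPT1_NET))
    outbound = fw.filter(Packet(LAN_CLIENT, OPT1_HOST))
    reply = fw.filter(Packet(OPT1_HOST, LAN_CLIENT))
    unsolicited = fw.filter(Packet(OPT1_HOST, "192.168.1.99"))
    return outbound, reply, unsolicited


if __name__ == "__main__":
    print("backwards:", backwards_rules())
    print("correct:", correct_rules())
```

In pf terms the working rule is the one pfSense would generate from a LAN tab entry with source "LAN net" and destination "OPT1 net": `pass in quick on $LAN from 192.168.1.0/24 to 192.168.2.0/24 keep state`. The OPT1 tab only needs rules for connections that OPT1 hosts initiate themselves.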