Netgate Discussion Forum

When we create a rule on Floating tab, should we always check the quick option?

Firewalling
5 Posts 3 Posters 2.2k Views
    abdurrahman
    last edited by May 17, 2013, 6:53 AM

    I create firewall rules on the Floating tab when I want to apply the rule to multiple interfaces…
    The interesting thing is:
    On the Floating tab, if a rule is created without the quick option, even if a packet matches that rule,
    all of the rules below that rule are considered...
    For example,
    my 3rd rule is:
    source: 10.10.1.250
    destination : any
    ports: any
    action : pass
    quick option : not selected

    my 5th rule is:
    source : any
    destination : 195.x.x.x
    ports : any
    action : block

    Even if a packet matches the 3rd rule, the rules below the 3rd rule (4, 5, 6...) are considered,
    and for that reason, when I try to connect to 195.x.x.x, the firewall considers the 5th rule and doesn't permit me to connect to 195.x.x.x.

    But if I check the quick option for the 3rd rule, then if a packet matches the 3rd rule, the firewall omits the 5th rule...

    When we create a rule on the Floating tab, should we always check the quick option?

      cmb
      last edited by May 18, 2013, 5:08 AM

      If you want the rule to immediately apply, yes.

        abdurrahman
        last edited by May 19, 2013, 11:11 AM

        Thanks a lot.

        Source Book: pfSense: The Definitive Guide
        Author(s): Christopher M. Buechler, Jim Pingle

        Chapter 6. Firewall
        6.1. Firewalling Fundamentals
        6.1.1. Basic terminology

        In pfSense, rulesets are evaluated on a first-match basis. This means that if you read the ruleset
        for an interface from top to bottom, the first rule that matches will be the one used. Processing
        stops after reaching this match, and then the action specified by that rule is taken.

        The important point is that the rules on the Floating tab must be checked as quick if we want the basic terminology above to be true
        (if we want the processing to stop after a packet matches a rule).

        @cmb:

        If you want the rule to immediately apply, yes.

          cmb
          last edited by May 21, 2013, 1:14 AM
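The behaviour described in the original question (the non-quick 3rd rule being overridden by the 5th) and the book's first-match description quoted above come from the same pf semantics: rules are walked top to bottom, a matching rule without quick only becomes the current candidate and evaluation continues, so the last matching rule wins, while a matching rule with quick ends evaluation at once (which is also why pfSense's interface-tab rules, generated with quick, behave first-match). The simulator below is an added example, not code from the thread or from pfSense. It assumes constructed filler rules 1, 2 and 4, and uses 195.0.0.0/8 as a constructed stand-in for the thread's 195.x.x.x.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "pass" or "block"
    src: str               # CIDR, host address, or "any"
    dst: str
    quick: bool = False    # pfSense floating rules default to not quick


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in_spec(addr: str, spec: str) -> bool:
    """True when addr is covered by spec ("any", a host, or a CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return _in_spec(pkt.src, rule.src) and _in_spec(pkt.dst, rule.dst)


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "block") -> Tuple[str, Optional[int]]:
    """pf matching: walk the ruleset in order. A non-quick match records the
    rule as the current winner and keeps going (so a later match replaces it);
    a quick match stops evaluation immediately. Returns (action, rule number),
    or (default, None) when nothing matched."""
    winner: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return default, None
    return winner.action, winner.number


def as_first_match(rules: List[Rule]) -> List[Rule]:
    """The thread's answer in code: set quick on every floating rule so the
    ruleset behaves first-match, as the book describes for interface rules."""
    return [Rule(r.number, r.action, r.src, r.dst, quick=True) for r in rules]


def thread_ruleset(rule3_quick: bool) -> List[Rule]:
    # Rules 3 and 5 follow the original post; 1, 2 and 4 are constructed
    # fillers so the numbering matches. 195.0.0.0/8 stands in for 195.x.x.x.
    return [
        Rule(1, "pass", "any", "10.10.1.0/24"),
        Rule(2, "block", "10.10.1.13", "any"),
        Rule(3, "pass", "10.10.1.250", "any", quick=rule3_quick),
        Rule(4, "pass", "any", "8.8.8.8"),
        Rule(5, "block", "any", "195.0.0.0/8"),
    ]


def thread_scenario(rule3_quick: bool) -> Tuple[str, Optional[int]]:
    """10.10.1.250 connecting to a 195.x.x.x host, with rule 3 quick or not."""
    pkt = Packet("10.10.1.250", "195.0.0.1")   # constructed sample packet
    return evaluate(thread_ruleset(rule3_quick), pkt)


if __name__ == "__main__":
    print("rule 3 without quick:", thread_scenario(False))   # ('block', 5)
    print("rule 3 with quick:   ", thread_scenario(True))    # ('pass', 3)
    pkt = Packet("10.10.1.250", "195.0.0.1")
    print("all rules quick:     ", evaluate(as_first_match(thread_ruleset(False)), pkt))
```

Without quick on rule 3, the walk continues past it, rule 5 matches the destination and, being the last match, decides the verdict; with quick set, evaluation ends at rule 3 and the packet passes. Setting quick on every rule via `as_first_match` yields the same result as the quick-rule-3 case, which is the first-match behaviour the book describes.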

          Floating rules didn't exist at the time that was written. New book is coming soon.

            panz
            last edited by Aug 14, 2013, 8:59 AM

            @cmb:

            Floating rules didn't exist at the time that was written. New book is coming soon.

            Please insert in the book some examples of rules we can apply to OpenVPN connections with VPN providers (like: block all Internet traffic when the VPN is down; forward only the provider's DNS and/or prevent DNS leaks, etc.) ::)

            A step-by-step guide to all the configuration parameters needed to establish a reliable connection to a VPN provider would also be MUCH appreciated!

            pfSense 2.3.2-RELEASE-p1 (amd64)
            motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.
