Multiple LAN Firewalling
-
If you want to Block traffic from the "LAN Net" to the "SIP Net" you must create the "Block Rule" in the LAN interface Tab ;)
The "Block all from LAN" Rule is useless in "SIP" it Must be in "LAN"
"Normal" (not Floating) FW Rules are applied "on ingress" and are "evaluated/processed" from Top to Bottom, and "First Match wins"
-
@ptt:
If you want to Block traffic from the "LAN Net" to the "SIP Net" you must create the "Block Rule" in the LAN interface Tab ;)
The "Block all from LAN" Rule is useless in "SIP" it Must be in "LAN"
FW Rules are applied "on ingress"
Wat. I understand the first part, but wouldn't that be egress? If I have to block LAN->SIP traffic on my LAN interface, that's traffic that's leaving the LAN interface. Which seems very, very backwards.
Just to clarify, this means that I cannot block on incoming traffic, only outgoing, correct?
-
You "Block or Pass" traffic that "ingress" to the interface with a "certain" destination
-
@ptt:
You "Block or Pass" traffic that "ingress" to the interface with a "certain" destination
Yes, I understand that. What I'm asking though is that if I want to drop traffic coming from my LAN network and going into my SIP network, why then am I blocking that traffic on my LAN interface? That would be egress filtering, not ingress. Ingress filtering would be applied by the SIP network/interface (in this example). :o
I don't mean to come across as argumentative, but this is not making any sense to me whatsoever (I'm a Linux guy, not BSD, for what it's worth) :S When I spin up firewall rules, they're blocked on the incoming interface, not the outgoing one.
-
To block traffic from a LAN host to a SIP host, you create the Rule on LAN, and that rule "Block" traffic that "ingress" from the LAN host to the LAN interface, and have the SIP host/network as destination
-
If I have to block LAN->SIP traffic on my LAN interface, that's traffic that's leaving the LAN interface
Actually, that's traffic entering the LAN interface. ;)
-
Some "Reading" about FW rules ;)
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
https://doc.pfsense.org/index.php/What_are_Floating_Rules
-
Why does this concept confuse so many users?? Place yourself in the firewall.. Look at your interfaces connected to you – if someone on LAN wants to go to SIP, what is the first interface they hit? Where do you want to stop the traffic? That is the interface where you place the rule.
Before you process the packet and then say oh wait that shouldn't go out the sip interface.. Or before it enters the firewall?
Think of it this way - the interface connected to the source of the traffic is where you place the rule. If you don't want lan going somewhere you put it on the lan interface, if you don't want boxes on the sip going somewhere then you place the rules on the sip interface. If you want or don't want stuff from the internet to talk to your pfsense wan or stuff behind pfsense where would you put the rule?
-
Yea, it makes sense now, though it's somewhat of a pain IMO. I wound up having a chat with some friends earlier about this .. not sure why this was such a hassle for me to make sense of initially.
It would be nice to see a way to add rules across multiple interfaces. The perk to doing it the other way is minimizing the rules you have to write. For example, if you've got five or six vlans that all need to be segregated, it's a hassle to have to (for each one), firewall off the others.
-
"It would be nice to see a way to add rules across multiple interfaces."
It's called the Floating tab.
-
So, for what it's worth, the issue that I wound up having was entirely mental. Firewalling isn't an inherently difficult concept, but the way that pfSense presents it is what threw me for a loop.
Firewall Rules (not WAN or Floating)
If you're a Linux person like me, you're likely used to iptables. Generally, you use the INPUT chain for rudimentary firewalling because your boxes reside near an edge or are directly connected (at least, that's my use case). That being the case, it only makes sense to use INPUT more heavily than OUTPUT. So from that perspective, trying to firewall in pfSense makes next to zero sense/is confusing (I'm not talking about the Floating tab or NAT rules).
Given that the majority of my firewalling has been via iptables, the better way for me to think about firewalling on pfSense is to think about it like I'm using the OUTPUT chain. Your source will likely always be an address on that network, with the destination being whatever.
NAT Rules
They work the same way as your INPUT chain does.
Floating Rules
Haven't had enough time to really play with them yet.
Hopefully this offers some clarity to someone.
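As an added example (not code from the thread or from pfSense), the following toy model reproduces the behaviour ptt describes: interface rules are consulted only on the packet's ingress interface, top to bottom, first match wins, so a "block LAN net" rule on the SIP tab never sees LAN-to-SIP traffic. The interface names and the 192.168.1.0/24 (LAN net) and 192.168.2.0/24 (SIP net) addresses are assumed for illustration.

```python
"""Toy model of pfSense per-interface rule evaluation (added example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # constructed sample "LAN net"
SIP_NET = ip_network("192.168.2.0/24")   # constructed sample "SIP net"


@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: object   # ip_network or the string "any"
    dst: object   # ip_network or the string "any"


def matches(rule, src, dst):
    ok_src = rule.src == "any" or ip_address(src) in rule.src
    ok_dst = rule.dst == "any" or ip_address(dst) in rule.dst
    return ok_src and ok_dst


def evaluate(rulesets, ingress_if, src, dst):
    """Only the ingress interface's rules are checked, top to bottom, first match
    wins. Rules on every other interface tab are never consulted. No match means
    the implicit default deny."""
    for rule in rulesets.get(ingress_if, []):
        if matches(rule, src, dst):
            return rule.action
    return "block"


def ingress_interface(src):
    """The firewall first sees a packet on the interface attached to its source network."""
    return "LAN" if ip_address(src) in LAN_NET else "SIP"


# Misplaced: "block all from LAN net" sits on the SIP tab; LAN keeps its default allow.
misplaced = {
    "LAN": [Rule("pass", LAN_NET, "any")],
    "SIP": [Rule("block", LAN_NET, "any"), Rule("pass", SIP_NET, "any")],
}
# Correct: the block is on the LAN tab, above the allow-all, with SIP net as destination.
correct = {
    "LAN": [Rule("block", LAN_NET, SIP_NET), Rule("pass", LAN_NET, "any")],
    "SIP": [Rule("pass", SIP_NET, "any")],
}


def decide(rulesets, src, dst):
    return evaluate(rulesets, ingress_interface(src), src, dst)
```

Swapping the two LAN rules in `correct` puts the allow-all first, and the block is then never reached; the model does not track state, so replies are not modelled.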