Traffic through IPSec Tunnel *not* respecting firewall rules
-
So - I have a feeling this is a 'broken' behavior, and I'm likely to reboot this (production) firewall tonight at about midnight eastern time to try to resolve this, but:
- pfSense 2.0.1-RELEASE
- amd64
- Virtual Machine on VMWare vSphere environment (ESXi 5.0 I believe)
This machine is handling an IPSec tunnel. Local network 10.136.1.0/24, remote network 192.168.50.0/24.
I had created firewall rules on the IPSec interface allowing only traffic from 10.136.1.31 to 192.168.50.99.
So imagine my surprise when I was able to ping everything on 192.168.50.0/24.
Eventually I replaced the rule (the only active rule in the IPSec tab) with a BLOCK * * * * * rule. Still no dice: I can ping everything.
Background info: This may have been caused by a 'disk issue' - the SAN at the datacenter this system is running at dropped connectivity briefly, meaning there are a few disk read/write errors in the logs. So - I'm guessing a reboot will fix this issue.
However- no matter what the cause, I'm kinda surprised that a failure mode would be 'passing traffic that we have excluded.' Funny!
Question 1: Do changes to the IPSec FW rules, like, not apply until the tunnel drops and re-establishes?
Question 2: Do any of the devs want me to send them /tmp/rules.debug contents?
I'd like to help get some of this info, if possible, to the devs, if this is actually a case where a hardware glitch or failure causes a pfSense device to start disregarding certain FW rules!
-
-
So - the issue persists after a reboot. So now I'm concerned, heh.
-
You have the purpose of that tab confused. The rule tabs only filter in the inbound direction. Thus, your local network can never be a source on the IPsec tab, it can only be a destination.
To filter that traffic, you need to do so on the local interface where the traffic enters the firewall (e.g. LAN).
Alternatively, create a rule on the floating tab, IPsec interface, quick checked, outbound direction, and then block/pass as you want.
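As an added illustration, not from this thread and not pfSense's own generated /tmp/rules.debug, here is a hand-written pf ruleset showing why the IPsec-tab rule above never matched and what the two suggested fixes look like in pf terms. The interface names are assumptions: enc0 for the IPsec pseudo-interface (what pfSense binds IPsec rules to) and em1 for LAN; the addresses are the ones from the thread.

```pf
# Added example: hand-written pf rules, not pfSense's generated rules.debug.
# Assumed interface names: enc0 = IPsec pseudo-interface, em1 = LAN.
# Addresses from the thread: local 10.136.1.0/24, remote 192.168.50.0/24.

local_net  = "10.136.1.0/24"
remote_net = "192.168.50.0/24"

# 1. What the original IPsec-tab rule amounts to. Interface tabs only
#    generate "in" rules, and packets entering on enc0 come FROM the
#    remote side, so a rule whose source is a local address can never
#    match there. A ping from 10.136.1.x to 192.168.50.x enters the
#    firewall on em1, is passed by the LAN allow rule, and leaves via
#    enc0 without ever being evaluated against this rule.
pass in quick on enc0 inet from 10.136.1.31 to 192.168.50.99 keep state

# The later BLOCK-everything rule has the same problem: it blocks traffic
# arriving from the remote side, not traffic leaving toward it.
# block in quick on enc0 inet from any to any

# 2a. Fix on the interface where the traffic enters (LAN tab). Allow the
#     one host pair, then block everything else bound for the tunnel.
#     "quick" makes these first-match, so they must sit above the usual
#     "LAN net to any" allow rule.
pass  in quick on em1 inet from 10.136.1.31 to 192.168.50.99 keep state
block in quick on em1 inet from $local_net to $remote_net

# 2b. Or a floating rule: quick, direction "out", on the IPsec interface.
#     This catches the traffic as it leaves toward the tunnel, whichever
#     internal interface it came in on.
pass  out quick on enc0 inet from 10.136.1.31 to 192.168.50.99 keep state
block out quick on enc0 inet from $local_net to $remote_net
```

To check what actually got loaded, `pfctl -sr` prints the active ruleset with each rule's direction and interface, and `pfctl -vsr` adds per-rule evaluation and packet counters, so a rule that is never matched shows up immediately. One caveat when testing: pf keeps existing state entries across a ruleset reload, so a flow that was already established can keep passing until its state expires or states are reset.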
-
Yikes! Is this behavior different than 1.2.3, or have I been building my IPSec-related firewall rules incorrectly for X years?
-
It's always been that way, since the start.
-
> It's always been that way, since the start.
Woof! Whoever said you can't teach an old dog new tricks! I was always wondering why firewall rules for IPSec were defined differently than all the other interfaces, the answer being "they aren't."
Guess I lucked out that none of the IPSec tunnels I've used before actually needed restrictive rules. :-\
Thanks for the help!