How is it that I can reach an interface with no firewall rules?
-
As you can see from the pics I have no rules on the CamNet Interface (192.168.3.1/24). How is that I am able to ping a device on that network and receive a response?
(The attached pic is from a ping ran immediately after the pfsense device was rebooted fresh.)
![Screen Shot 2017-03-28 at 10.03.13 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-03-28 at 10.03.13 PM.png_thumb)
![Screen Shot 2017-03-28 at 10.03.13 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-28 at 10.03.13 PM.png)
![Screen Shot 2017-03-28 at 9.58.55 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-03-28 at 9.58.55 PM.png_thumb)
![Screen Shot 2017-03-28 at 9.58.55 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-28 at 9.58.55 PM.png) -
Because you have a rule on LAN that permit it. And the statefull firewall does the rest
-
Same way that your WAN works without rules.
-
PfSense allows outbound traffic on interfaces by default, your ping matches that description for the CAMNET interface and the state created by the outgoing ping will allow the echo reply coming from the device back in. To control outbound traffic on interfaces you'll need to use floating rules.
-
I am pinging from a completely different network, the LAN 192.168.1.1. Shouldn't the 192.168.3.1 network not allow a ping to enter it? "All incoming connections will be blocked…"
Or is this not the case?
Same way that your WAN works without rules.
But if I'm not mistaken the WAN blocks all unsolicited requests. Nothing on my 192.168.3.1 interface is soliciting the ping.
-
Read the fine docs. Rules are applied on interface where the packets first hit the firewall. I.e., LAN in your case.
-
Read the fine docs. Rules are applied on interface where the packets first hit the firewall. I.e., LAN in your case.
I guess the "All incoming connections will be blocked…" is throwing me...
-
I am pinging from a completely different network, the LAN 192.168.1.1. Shouldn't the 192.168.3.1 network not allow a ping to enter it? "All incoming connections will be blocked…"
Or is this not the case?
Same way that your WAN works without rules.
But if I'm not mistaken the WAN blocks all unsolicited requests. Nothing on my 192.168.3.1 interface is soliciting the ping.
Yes but the WAN interface only blocks unsolicited incoming traffic. By default the WAN interface allows outgoing traffic which makes it possible to ping internet hosts from your LAN without any rules on the WAN interface. The exact same thing is happening here with your 192.168.3.1 interface and the network connected to it.
What doktornotor is saying above is correct but the whole picture is a bit more complicated. The rules are applied every time an IP packet either enters or leaves and interface. It just happens with the default policies set in pfSense that the packets leaving an interface are let go without any restrictions, hence allow all policy in outgoing direction.
-
I guess the "All incoming connections will be blocked…" is throwing me...
Yeah, that's not the interface that applies. Traffic from LAN uses rules on LAN.
-
@kpa:
I am pinging from a completely different network, the LAN 192.168.1.1. Shouldn't the 192.168.3.1 network not allow a ping to enter it? "All incoming connections will be blocked…"
Or is this not the case?
Same way that your WAN works without rules.
But if I'm not mistaken the WAN blocks all unsolicited requests. Nothing on my 192.168.3.1 interface is soliciting the ping.
Yes but the WAN interface only blocks unsolicited incoming traffic. By default the WAN interface allows outgoing traffic which makes it possible to ping internet hosts from your LAN without any rules on the WAN interface. The exact same thing is happening here with your 192.168.3.1 interface and the network connected to it.
The ping is outgoing from the 192.168.1.1 network and incoming on the 192.168.3.1 network, no? I read "All incoming connections will be blocked…" as with no rules on the 192.168.3.1 interface the ping from 192.168.1.1 network should be blocked.
-
@kpa:
I am pinging from a completely different network, the LAN 192.168.1.1. Shouldn't the 192.168.3.1 network not allow a ping to enter it? "All incoming connections will be blocked…"
Or is this not the case?
Same way that your WAN works without rules.
But if I'm not mistaken the WAN blocks all unsolicited requests. Nothing on my 192.168.3.1 interface is soliciting the ping.
Yes but the WAN interface only blocks unsolicited incoming traffic. By default the WAN interface allows outgoing traffic which makes it possible to ping internet hosts from your LAN without any rules on the WAN interface. The exact same thing is happening here with your 192.168.3.1 interface and the network connected to it.
The ping is outgoing from the 192.168.1.1 network and incoming on the 192.168.3.1 network, no? I read "All incoming connections will be blocked…" as with no rules on the 192.168.3.1 interface the ping from 192.168.1.1 network should be blocked.
No, you have the directions royally mixed up. The ping coming from your LAN is incoming on the LAN interface and it is outgoing when it leaves the pfSense router/firewall towards the 192.168.3.0/24 network via the network interface that holds the 192.168.3.1 IP address.
Always think the directions from the point of the individual interfaces, that's where the filtering happens.
The other way of looking at ís to place yourself right at the heart of the pfSense system, all network interfaces connected to the system are "doors" and the doors have an in direction and an out direction which should be very natural to everyone.
-
@kpa:
@kpa:
I am pinging from a completely different network, the LAN 192.168.1.1. Shouldn't the 192.168.3.1 network not allow a ping to enter it? "All incoming connections will be blocked…"
Or is this not the case?
Same way that your WAN works without rules.
But if I'm not mistaken the WAN blocks all unsolicited requests. Nothing on my 192.168.3.1 interface is soliciting the ping.
Yes but the WAN interface only blocks unsolicited incoming traffic. By default the WAN interface allows outgoing traffic which makes it possible to ping internet hosts from your LAN without any rules on the WAN interface. The exact same thing is happening here with your 192.168.3.1 interface and the network connected to it.
The ping is outgoing from the 192.168.1.1 network and incoming on the 192.168.3.1 network, no? I read "All incoming connections will be blocked…" as with no rules on the 192.168.3.1 interface the ping from 192.168.1.1 network should be blocked.
No, you have the directions royally mixed up. The ping coming from your LAN is incoming on the LAN interface and it is outgoing when it leaves the pfSense router/firewall towards the 192.168.3.0/24 network via the network interface that holds the 192.168.3.1 IP address.
Always think the directions from the point of the individual interfaces, that's where the filtering happens.
Ah, I got it. The ping is outgoing from the machine I sent it from and incoming to the LAN interface at the firewall. It is then outgoing from the LAN interface to the 192.168.3.1 interface, correct?
If I have that correct then, I have to put a rule on all interfaces blocking all access to the 192.168.3.1 interface to isolate it, correct?
Additionally, all devices on the 192.168.3.1 network are blocked from reaching any other network due to there being no rules on the 192.168.3.1 interface, correct?
-
@kpa:
@kpa:
I am pinging from a completely different network, the LAN 192.168.1.1. Shouldn't the 192.168.3.1 network not allow a ping to enter it? "All incoming connections will be blocked…"
Or is this not the case?
Same way that your WAN works without rules.
But if I'm not mistaken the WAN blocks all unsolicited requests. Nothing on my 192.168.3.1 interface is soliciting the ping.
Yes but the WAN interface only blocks unsolicited incoming traffic. By default the WAN interface allows outgoing traffic which makes it possible to ping internet hosts from your LAN without any rules on the WAN interface. The exact same thing is happening here with your 192.168.3.1 interface and the network connected to it.
The ping is outgoing from the 192.168.1.1 network and incoming on the 192.168.3.1 network, no? I read "All incoming connections will be blocked…" as with no rules on the 192.168.3.1 interface the ping from 192.168.1.1 network should be blocked.
No, you have the directions royally mixed up. The ping coming from your LAN is incoming on the LAN interface and it is outgoing when it leaves the pfSense router/firewall towards the 192.168.3.0/24 network via the network interface that holds the 192.168.3.1 IP address.
Always think the directions from the point of the individual interfaces, that's where the filtering happens.
Ah, I got it. The ping is outgoing from the machine I sent it from and incoming to the LAN interface at the firewall. It is then outgoing from the LAN interface to the 192.168.3.1 interface, correct?
If I have that correct then, I have to put a rule on all interfaces blocking all access to the 192.168.3.1 interface to isolate it, correct?
Additionally, all devices on the 192.168.3.1 network are blocked from reaching any other network due to there being no rules on the 192.168.3.1 interface, correct?
Yes, almost all true but the incoming ping on the LAN interface stops having a direction (in the sense we are talking here) once it has been processed by the filtering. It enters the system and is put into a queue for other processing such as routing and when routing is finished figuring out where to send it the ping becomes an outgoing packet on the 192.168.3.1 interface.
-
You wouldn't block to the 192.168.3.1 interface if you don't want say lan to talk to 192.168.3/? You would block to the network not pfsense interface directly.. If you did lan wouldn't be able to ping 192.168.3.1 but it could still ping 192.168.3.14 for example.
You can use the built in net alias for whatever you call your 192.168.3 – camnet net would be the drop down alias available in the rules.
This question seems to come up now and then where users don't seem to grasp the basic concept of where and how rules apply.
Think of the rules you apply on the interfaces of pfsense as doormen standing in front of the door with their backs to pfsense and looking out into the network pfsense is attached too. As a packet tries to enter pfsense the doorman looks on their list - allowed or not.. And let the packet into pfsense.
As the packet then tries to Leave pfsense to go to some other network be it wan or or another lan side network he would come up from behind the doorman and be allowed since the other doorman let him in. While he is in pfsense he gets a pass (entry in the state table) so that when their is an answer that answer is allowed.
If you want to have doormen looking as packets come into and interface and or leave an interface you would have to use the floating rules and pick the outbound direction. But this is rare that such a thing would be needed.
You are correct if you do not want lan or opt1 network from going to your camnet network - then rules should be place on lan and opt1 to prevent them from going to where you do not want them to go in camnet.
These rules on lan and opt1 should be place in the correct place top down. Rules on an interface are evaluated from top down, first rule to fire wins - no other rules are looked at.
-
OK, I understand it now, thanks for all the help.