Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Blocking traffic between networks

    Scheduled Pinned Locked Moved Firewalling
    20 Posts 6 Posters 16.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kpa
      last edited by

      You can use a /8 sure but if you ever decide to split that into multiple segments you're in for an unpleasent reconfiguration of the existing network. Also if you ever need to connect a VPN tunnel to a place that uses a 10...* subnet you're in for some real trouble. Use a /24 just like everybody else is using, least amount of hassle. Pick something else than 10.0.0.0/24 though, that is guaranteed to clash with something. A 10.x.y.0/24 where x and y are random numbers is a good choice.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        At the risk of repeating myself, if you are renumbering just stay away from anything in 10.0.0.0/8 entirely.

        Even if you use 10.rnd.rnd.0/24 you will still collide with everyone else who, like this, thought using 10.0.0.0/8 was a good idea.

        Same can be said about 192.168.0.0/24, 192.168.1.0/24 and, thanks to sonicwall, 192.168.168.0/24.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          All valid points about possible overlap/conflict with other networks on a vpn, etc.  There is also the point that you would never ever ever put 16mil hosts on the same layer 2.  So it makes zero sense to use such a mask on an actual interface.

          /8 works great for a summary route, or even a firewall rule, etc.  But on an actual interface just points to someone without clue 1 to networking in general.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • M
            moscato359
            last edited by

            Just an idea

            Add all of the lan networks to an alias, and then have a floating rule that allows all traffic that is NOT (inverted) going to the alias destination?

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              Don't "block" traffic with pass rules.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                You have said that quote a few times derelict.. I don't agree.. He is not blocking with an inverted rule, your just not allowing.. The default deny on the end is what blocks ;)

                A ! rule to allow access to internet how is that any different than a block to your networks above an Any?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Because you are not blocking traffic. You are passing it.

                  If you want traffic between interfaces blocked, block it.

                  If you want to pass certain traffic and rely on the default deny rule that is fine, but using ! rules to accomplish that makes the rule set difficult to read for both humans and pf.

                  Evidence here: https://redmine.pfsense.org/issues/6799

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    "If you want traffic between interfaces blocked, block it."

                    You are the ! rule is just allowing traffic to the internet or whatever the opposite of your dest is..

                    So I put

                    allow ! rfc1918.. This allows traffic to the internet..  It doesn't block anything.. It allows traffic to something other than rfc1918.. If going to an rfc1918 address that rule is not triggered and go to the next rule, etc.  If the traffic is NOT allow then it hits the default deny and is blocked.

                    How is that not better than leaving an any any rule at the end to allow traffic to the internet?  That bug is related to a VIP.. Use of a VIP on a lan side interface seems pointless to me.. In what context would you be using a vip on a lan? Other than running multiple layer 3 on the same layer 2 which is just plain borked..

                    As to reading the rule set.. Seems pretty easy to me to read the !..  If you want to put specific block above the ! rule to specifically block traffic sure ok.. Have it, it seems just adding more rules than is actually needed to get the outcome you want..  If pf has a problem reading ! rules, then it should be pulled from the ability to even create them ;)

                    If human needs help understanding the rules - put in a description.. I have for example this on my ! rfc1918 rule. "Anywhere but local Networks ipv4"  That is pretty freaking clear ;) hehehe

                    To do the specific block I would need block rfc1918, then below that either an allow any, or my allow rules for what I want, or an allow ! rfc1918 to be able to use the internet.  Because if its not allow it will be blocked by the default deny at the end, etc.

                    I hear you and agree with the statement that an explicit block is exactly that.  And I agree my ! rfc1918 allows traffic.  But it only allows to where I want the traffic to go.. Which is what every allow rule is. And either need a rule like mine or an any rule to allow traffic out to the internet.. So how exactly are you allowing traffic to the internet.. Your either doing allow any.. or using an invert of your local networks.

                    So in your example I should have to do

                    block rfc1918
                    allow ! rfc1918
                    "default deny"

                    This seems like putting in a rule for no reason just to deny access to my other networks.. Or even worse yet if do not use aliases for my network and put in every single segment as block before I do my allow ! rfc1918 anyway.. Which is better then an allow any wouldn't you say?

                    Only reason I could see for putting in such an explicit block would be if I wanted to log traffic to rfc1918 address.

                    Can agree to disagree I guess.  I think your way is just extra work and extra rules - that to me make it harder to evaluate a rule set when there are more of them, than when there are fewer of them to run through.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      This originally came up because pfBlocker adds this:

                      10.10.10.1/32 LAN  IP Alias pfB DNSBL - DO NOT EDIT

                      I do not know why he chose to put that on LAN and not localhost. Probably has a good reason.

                      I would:

                      reject rfc1918
                      allow any
                      "default deny"

                      That is another reason to use an explicit block rule, to get the reject feedback to local users.

                      Sorry I just do not like the ! rules. It just feels sloppy and lazy to me.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Don't be sorry that is for sure.. Just one of those things we are not in total agreement on.. Most of the time I am right with you on everything..

                        But in this instance while you think its sloppy and lazy, I see it as extra rules for no reason ;) heheeh

                        Reject is a good reason to do that sort of rule - this for sure I will agree with.  But I have found that end users are not looking at sniffs to figure out why something is not working to reject while it might speed up an error in the end application vs waiting for tcp timeout after retrans, etc.  Rejects don't always solve the issue.  And then again if you got some application that is banging at your door.. Why do the extra work of a reject, etc.

                        if I wanted the reject or a log then sure I would do the explicit, but vs the any I would do an allow ! rfc1918.  To me this is the rule closest I can get to the actual rule I want.  I don't want a allow any rule.  I want an allow to NOT rfc1918 address ;)

                        If your not doing the reject or a log.. Then your block rule and then allow takes two rules.  While my way accomplishes the same thing with 1 rule - where you say sloppy and lazy I say elegant and efficient - hehe

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.