[SOLVED] Curious Floating Rules Behavior
-
"pass out" is the exact logic expression written in the /temp/rules.debug file when you create an OUTBOUND only floating point rule.
-
Right. Pass traffic going out an interface.
It is usually used to block traffic (or match traffic for shaping, etc) since if the traffic is passed into pfsense in the first place it is passed on the way out unless blocked. It is generally accepted that the best place to block traffic is before it enters the firewall at all. (on the inbound interface).
-
No, it controls traffic in the outbound direction on that interface. It has zero to do with whether the interface is considered to be "inside" or "outside" as is generally referred to in firewall/ASA terms.
The second example in that test sheet confirms pfsense does not behave that way. Anyone can prove it to themselves by simply 1) starting with a factory install of pfsense 2), place two machines on two different interfaces, 3) create a floating rule specifying the LAN only (this is key because you're testing how pfsense processes OUT vs IN packets), all Ipv4, enabled quick match, and action of drop, 4) on the OPT interface, create a normal rule under the interface tab to pass all traffic ANY to ANY (which ensures pfSense's default policy of drop doesn't interfere with the test). Then simply test all three directions (all, in, out) by passing a packets from the OPT station to the LAN and vice versa.
When testing the OUT direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they are OUT[side] relative the the LAN.
When testing the ANY direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they include packets that are OUT[side] relative the the LAN.
When testing the IN direction on the floating rule, packets originating from the OPT to the LAN station PASS - because they are not OUT[side] relative the the LAN (i.e. the rule simply doesn't apply).
Remember, the floating rule didn't even specify the OPT at all - thus "OUT[bound]" couldn't possibly be "OUT[bound]". The second test proves this, that the floating rule does not process packets as being "OUT[bound]" but rather OUT[side] (i.e. the direction of the packet relative to the interface that's been selected in the floating rule's config.)
-
Right. Pass traffic going out an interface.
It is usually used to block traffic (or match traffic for shaping, etc) since if the traffic is passed into pfsense in the first place it is passed on the way out unless blocked. It is generally accepted that the best place to block traffic is before it enters the firewall at all. (on the inbound interface).
Pehaps that's the intent but is not how pfsense behaves.
-
"Remember, the floating rule didn't even specify the OPT at all - thus "OUT[bound]" couldn't possibly be "OUT[bound]"."
Its not outbound of the opt interface its OUTBOUND of the LAN interface… Why does this concept cause people so much pain??
Pfsense has interface - lan.. If the traffic is from the lan toward pfsense then its INBOUND or ingress to that interface... If its into the LAN from direction of pfsense then its outbound from the interface, or egress.. This is how every single interface works on any device be it router or switch.. Please look up ingress and egress in networking terms..
Attached is simple drawing...
The red arrows are inbound traffic to the specific interface (ingress), green is outbound (egress)..
So if you have PC on lan that sends SYN to IP on OPT.. That syn would be in to the lan nic.. And out of the opt nic.. These are the 2 places where you could put rules.. To do the inbound rule just place the traffic on the lan interface. If you want to stop traffic from going out the opt, then you would need to put that on floating tab picking out of the opt interface..
Its always best to block the traffic before it actually enters the firewall.. Why process the packet all the way through pfsense just to stop it from leaving the opt interface.. Just drop it as it tries to enter at the lan..
if you wanted to save yourself time in creating rules.. And you knew say that you didn't want lan, opt, optX, optY etc.. going out to internet on 53... Then you could put a floating rule on wan interface outbound direction blocking 53.. Now if lan or lop sent traffic it be dropped on the oubound direction of the wan interface.
-
"Remember, the floating rule didn't even specify the OPT at all - thus "OUT[bound]" couldn't possibly be "OUT[bound]"."
Its not outbound of the opt interface its OUTBOUND of the LAN interface… Why does this concept cause people so much pain??
Pfsense has interface - lan.. If the traffic is from the lan toward pfsense then its INBOUND or ingress to that interface... If its into the LAN from direction of pfsense then its outbound from the interface, or egress.. This is how every single interface works on any device be it router or switch.. Please look up ingress and egress in networking terms..
Attached is simple drawing...
The red arrows are inbound traffic to the specific interface (ingress), green is outbound (egress)..
So if you have PC on lan that sends SYN to IP on OPT.. That syn would be in to the lan nic.. And out of the opt nic.. These are the 2 places where you could put rules.. To do the inbound rule just place the traffic on the lan interface. If you want to stop traffic from going out the opt, then you would need to put that on floating tab picking out of the opt interface..
Its always best to block the traffic before it actually enters the firewall.. Why process the packet all the way through pfsense just to stop it from leaving the opt interface.. Just drop it as it tries to enter at the lan..
if you wanted to save yourself time in creating rules.. And you knew say that you didn't want lan, opt, optX, optY etc.. going out to internet on 53... Then you could put a floating rule on wan interface outbound direction blocking 53.. Now if lan or lop sent traffic it be dropped on the oubound direction of the wan interface.
This is my lab hanging on my wall in which I conducted these tests. The raspberry pi sits on the OPT1 (circled) and a laptop (unseen in the photo) is the LAN. When packets from the PI (OPT1) were sent to the laptop (LAN), they dropped per the rules I described because the direction they traveled were OUTside relative the LAN (remember the LAN is the only interface selected in the Floating rule for these tests). "OUT" cannot possibly be "OUTbound"
-
The red arrows are inbound traffic to the specific interface (ingress), green is outbound (egress)..
Per the drawing you posted, the green arrow on the LAN supports my tests and it's conclusion that packets are treated per the direction of their movement relative to the interface selected. This is the exact opposite of citing the packets as "egressing" per your own drawing. I agree 100% with the drawing you posted, but realize that the green arrow you have for the LAN is NOT "egress" at all - its OUTside (i.e. relative to the interface).
Specifically, citing "green is outbound (egress).." is a total contradiction to the drawing you posted. That green arrow is not "OUTbound", it is OUTside relative the the LAN.
-
When testing the OUT direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they are OUT[side] relative the the LAN.
When testing the ANY direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they include packets that are OUT[side] relative the the LAN.
When testing the IN direction on the floating rule, packets originating from the OPT to the LAN station PASS - because they are not OUT[side] relative the the LAN (i.e. the rule simply doesn't apply).
You are simply not getting it. The reason the packets are dropped in the first two examples is because your floating rule catches the traffic (actually the state creation) as it leaves the LAN interface OUTBOUND.
The reason the packets are not dropped in the third case is because the state creation is inbound on OPT1 (passed by the any/any rule there) and outbound on LAN. Your floating rule here is for LAN inbound. That would catch states created BY LAN hosts (LAN in), not TO LAN hosts (LAN out).
-
The reason the packets are dropped in the first two examples is because your floating rule catches the traffic (actually the state creation) as it leaves the LAN interface OUTBOUND.
Cannot possibly be correct because the packet didnt "leave" the LAN at all - that was the whole point of the test. They "left" the OPT1 and matched the floating rule because it was OUTside relative to the interface.
-
Of course they didn't leave LAN. They were blocked by the firewall so the state was never created.
Let's get some terminology clear:
inside/outside
LAN/Trusted –- inside --- FIREWALL --- outside --- Internet/Untrusted
inbound (ingress) / outbound (egress)
inbound --->|
| Interface
outbound <-- -
Of course they didn't leave LAN. They were blocked by the firewall so the state was never created.
Let's get some terminology clear:
inside/outside
LAN/Trusted –- inside --- FIREWALL --- outside --- Internet/Untrusted
inbound (ingress) / outbound (egress)
inbound --->|
| Interface
outbound <--The drawing posted by johnpoz is spot on. However, it seems you guys both believe that "OUT" means "OUTbound" (or egress). "OUT" is the direction of packets relative to the interface, its is not "egress" at all.. So in my case, packets sent from the raspberry pi were OUTside relative to the LAN.
-
OUTSIDE is a location
OUTBOUND is a direction -
OUTSIDE is a location
OUTBOUND is a directionWhatever the case, "OUT" is neither egress traffic nor is it "OUTbound" traffic. It is traffic that is relative to the interface thats been selected. I agree with johnpoz's drawing 100%.
-
Exactly. You seem to confuse ingress/egress with inside/outside. That is only true when you are talking about the WAN interfaces.
Traffic from LAN hosts INGRESSES the firewall on its way INBOUND into the LAN interface. Reply traffic for those connections EGRESSES the LAN interface on its way back OUTBOUND to the LAN hosts - relative to the LAN interface.
The only problem here is your failure to properly comprehend these terms in English as they relate to common usage when describing firewall behavior.
There is nothing at all curious about the floating rule behavior you have described.
-
Exactly. You seem to confuse ingress/egress with inside/outside. That is only true when you are talking about the WAN interfaces.
The drawings and tests I performed are 100% on. The confusion regarding IN,OUT,ANY direction is because of people citing it OUT as OUTbound/egress traffic when it is not.
Traffic from LAN hosts INGRESSES the firewall on its way INBOUND into the LAN interface.
Agree 100%
Reply traffic for those connections EGRESSES the LAN interface on its way back OUTBOUND to the LAN hosts - relative to the LAN interface.
Test # 2 was the complete opposite and while I agree with your use of terms, the 'EGRESS" traffic you're referring to has nothing to do with the OUT direction.
The only problem here is your failure to properly comprehend these terms in English as they relate to common usage when describing firewall behavior.
This is as backwards as the terms being discussed. EGRESS has nothing to do with OUT under floating rules.
There is nothing at all curious about the floating rule behavior you have described.
I didn't…
-
The drawings and tests I performed are 100% on. The confusion regarding IN,OUT,ANY direction is because of people citing it OUT as OUTbound/egress traffic when it is not.
Yes it is, relative to the interface. That is why you select an INTERFACE and a DIRECTION RELATIVE TO THAT INTERFACE.
-
The drawings and tests I performed are 100% on. The confusion regarding IN,OUT,ANY direction is because of people citing it OUT as OUTbound/egress traffic when it is not.
Yes it is, relative to the interface. That is why you select an INTERFACE and a DIRECTION RELATIVE TO THAT INTERFACE.
OUT is not "egress/outbound" traffic. Think about what you're saying above. If you agree with me that that OUT,IN,ANY are DIRECTION(s) RELATIVE TO an INTERFACE selected, then you cannot possibly say that "OUT" is egress or outbound without contradicting yourself. "OUT" is not outbound traffic
-
I am done. Someone else's turn.
-
I am done. Someone else's turn.
I think you have finally seen the difference and might be too proud to admit it. Don't beat yourself up because I confused "OUT" as being associated with OUTbound/egress for years until I finally sat down and went through those tests I posted. I see you and johnpoz have many postings in these forums and its great to have people actively helping one another. Don't get flustered. And dont be too proud to admit you might have learned something new in this discussion.
-
Sigh.
