Firewall Rule Help
-
Firwall rules are applied on the incoming interface. So a rule with source = LAN2net on LAN1 interface will not have any effect.
Your rule set may look like this way:
LAN1:
ID Proto Source Port Destination Port Gateway Queue Schedule Description Pass * * * LAN1 Address 80 9022 * * Anti-Lockout Rule Pass IPv4* LAN1net * 192.168.20.4 * * none DVR Block IPv4* * * RFC1918 * * none Block internal networks Pass IPv4* LAN1net * * * * none Default allow LAN1 to any ruleLAN2:
ID Proto Source Port Destination Port Gateway Queue Schedule Description Block IPv4* * * RFC1918 * * none Block internal networks Pass IPv4* LAN2net * * * * none allow InternetRFC1918 is an alias which includes all RFC 1918 networks. This will still be save if you add an additional private network in the future.
-
Interesting. I didn't know about using RFC1918 as an alias to block internal networks. I tried just using * but it didn't do what I wanted. I'll give it a shot.
Edit: Using RFC1918 results in an error of "RFC1918 is not a valid destination IP address or alias." Is it an alias I need to create?
-
Make your own similar alias using:
RFC1918
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8 -
@KOM:
Make your own similar alias using:
RFC1918
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8Thanks. I'd created an alias with just the 192.168.0.0/16 but you're right that it's a good idea to have them all in there. Thanks!
Edit: Wouldn't we then be saying to block even the subnet that it is on? You're saying to block anything from that subnet going to a private IP of any subnet (including its own) then block it. Would I then need a rule that says to allow from the LAN2 Net to LAN2 Net above the RFC1918 rule on the LAN2 Interface? Like:
ID Proto Source Port Destination Port Gateway Queue Schedule Description Pass IPv4* LAN2net * LAN2Net * * none Allow subnet to communicate on port -
Inter-LAN traffic doesn't hit the gateway, so pfSense would not be involved in those comms at all. pfSense and the pf firewall only come into play when the traffic is leaving the network for another.
-
@KOM:
Inter-LAN traffic doesn't hit the gateway, so pfSense would not be involved in those comms at all. pfSense and the pf firewall only come into play when the traffic is leaving the network for another.
OK. So it only affects if it goes across from one interface to another. I thought the inspection happened as the packet was received.
-
Hosts on the same subnet can find each other and talk to each other without needing a gateway. The packets are routed directly unless the destination is outside the scope of the network (subnet mask), at which point they get sent to the default gateway instead.
-
@KOM:
Hosts on the same subnet can find each other and talk to each other without needing a gateway. The packets are routed directly unless the destination is outside the scope of the network (subnet mask), at which point they get sent to the default gateway instead.
What about logging into the router? If I'm at 192.168.20.2 and the Router is 192.168.20.1 and I'm blocking all private traffic, wouldn't that request to connect to the router be rejected?
-
That is what the "Anti-lockout rule" on LAN interface is for. As you have activated "Anti-lockout" in the System > Advanced > Admin access this rule is set and you can't delete it from the rule set.
So logging in to the Web-GUI is only possible from LAN network. If you want to restrict the access to only one or a few source IPs you have to create your own anti-lockout rule and remove the check from Anti-lockout.
-
Got it. Thanks. Looking back at the things I was doing wrong, it seems I was setting the right rules on the wrong interfaces or specifying the wrong interface source. Thanks for all the help.
