Not sure what to do, looking for some help and guidance
-
By default pfSense allows out all traffic from LAN so I assume you have added rules to lock that down?
Exactly what traffic is failing? Do you see it blocked in the firewall log?
Steve
-
As stated out of the box pfsense is any any outbound, so your lan devices could go anywhere you want. If your wanting to restrict that your going to have to post your rules and explain what you want to do exactly.
-
@stephenw10 said in Not sure what to do, looking for some help and guidance:
By default pfSense allows out all traffic from LAN
When did that change!? Since the beginning of pfsense the default is to block everything [Edit] that not match traffic in a defined rule [/Edit]. There is even a log setting to show/hide logs from default block rule.
-
@bepo said in Not sure what to do, looking for some help and guidance:
@stephenw10 said in Not sure what to do, looking for some help and guidance:
By default pfSense allows out all traffic from LAN
When did that change!? Since the beginning of pfsense the default is to block everything [Edit] that not match traffic in a defined rule [/Edit]. There is even a log setting to show/hide logs from default block rule.
This needs bit more qualification. The default policy on pfSense is to block everything coming in on an interface if there are no rules present for that interface. This holds for every interface on the system. However, the LAN interface has always been a special case. By default out of the box the LAN interface has an allow all rule that overrides this default policy for LAN to be allow all incoming connections anywhere on the LAN interface. This is to make it relatively easy to start using pfSense but without compromising too much security. The LAN interface also has a hidden anti-lockout rule that allows you to access your pfSense via the WebGUI or by SSH even if you disable all the other rules on the LAN interface.
-
They have not changed anything.
Since the very beginning default lan rule has always been ANY ANY.. Ie a device on the lan can go anywhere it wants.
Default wan rules are deny all, ie no rules - and default deny. Just like the all interfaces, but LAN has any any rule in place.
Now if you create a optX interface it will have NO rules and default deny.
This has been this way since day 1, nothing has changed here.
-
ok so i am i am using Malwarebytes cloud. They have a set of URL like https://example.com and it is hosted by AWS.
So today https://example.com ip is 1.1.1.1.
tomorrow https://example.com ip is 2.2.2.2i need my lan traffic to hit https://example.com but i only want it to hit https://example.com
In the past i have just used an the ip address or the ip block to allow my lan traffic to the outside world. I am not sure not can i seem to figure out how to do this with a URL instead or an IP
-
@bepo said in Not sure what to do, looking for some help and guidance:
By default pfSense allows out all traffic from LAN
When did that change!? Since the beginning of pfsense the default is to block everything [Edit] that not match traffic in a defined rule
Every firewall I've ever worked on, including pfSense is default allow for outgoing traffic. There are even some where you have to create rules to block incoming. For example, with Cisco Access Control Lists (ACL) there is none in either direction, until you create one. Then, and only then, is there even a default block all. You'd then edit the ACL to create whatever rules you need.
-
So you are blocking LAN traffic to everywhere except IP you explicitly allow?
Normally you could just use the URL in an alias but for something like AWS that's unlikely to work as the alias is populated when the ruleset is generated only. Whatever IP it resolves to then may not be the same by the time clients try to connect.
If you're lucky Malwarebytes might provide a list you can use.
Steve
-
Yeah, pfSense does block all. But as mentioned the default ruleset includes an allow rule on LAN. On other interfaces though all traffic is blocked unless explicitly allowed.
Steve
-
Post up your rules on your lan... If you only want to allow site https://whatever.domain.tld then you could use an alias to resolve that FQDN.
And only allow access to that alias above where you block.. Rules are evaluated top down, first rule to trigger wins no other rules evaluated.
Problem you can have with sites that change IP is the alias is only resolve like every 5 min or something, so if IP changes during when alias has old address you could have issues, etc.
When looking to allow/block based upon a fqdn is normally cleaner to use a proxy that can do rules based upon the url vs with a firewall that blocks based upon IP.
-
Thank you all for answering me. You´re completely right. I forgot there is a any any rule per default. What i meant was if there is NO rule anything is blocked. Sorry for misunderstanding.