Floating vs Interface rules processing order

turrican64

@johnpoz said in Floating vs Interface rules processing order:

No that is not the correct order.. Again why would it go back to floating?

I don't want it to go back I want Floating to block the packet before it reaches LAN Interface rules.

https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
"Floating Rules are parsed before rules on other interfaces."

Exactly. My block rule is in the Floating Rule therefore should block the packet before it reaches LAN Interface Rule.

"Without Quick checked, the rule will only take effect if no other rules match the traffic"
This the only rule in Floating Rules, therefore no other rules macth the traffic in the Floating Rule, so this block rule should take effect without Quick checked. Correct?

Not sure what your trying to test here?

My understanding about Quick flag

Thank you for your help by the way :)

kiokoman

@turrican64 said in Floating vs Interface rules processing order:

Floating Rules (Quick)
Floating Rules (NON Quick)
Interface Group Rules
Interface Rules

so the question is.. why the rule does not match/it's ignored if it's not set as quick?
this appear more like
1 Floating Rules (Quick) if set it work
2 Floating Rules (NON Quick) - if unset is ignored / does not match
3 Interface Group Rules
4 Interface Rules

turrican64

@kiokoman
Yes. This is my question.

kiokoman

so if we follow the logic of pf, the manual say:
If a packet matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.
and if we think that pf does not care about the tab you have on the gui but it's only a single list of rules following a specific orde of quick/non quick rules ..
i will say that until you have rules on lan interface with quick option set (and they are always set as quick) that non quick rule will never apply.
does it make sense?

turrican64

@kiokoman

@kiokoman said in Floating vs Interface rules processing order:

so if we follow the logic of pf, the manual say:
If a packet matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

Correct, and this part works as it should.

and if we think that pf does not care about the tab you have on the gui but it's only a single list of rules following a specific orde of quick/non quick rules ..
i will say that until you have rules on lan interface with quick option set (and they are always set as quick) that non quick rule will never apply

Do you think pf works according the processing order I was questioning earlier:

1. Floating Rules (Quick)
2. Interface Group Rules
3. Interface Rules
4. Floating Rules (NON Quick)

kiokoman

or there is something we don't understand or there are 2 possibilities
first, pf does not honour the non-quick setting
or
rules are checked in this order
Floating Rules (Quick)
Floating Rules (NON Quick)
Interface Group Rules (Quick)
Interface Group Rules (NON Quick)
Interface Rules (Quick)
Interface Rules (NON Quick)

but applyed in this order
Floating Rules (Quick)
Interface Group Rules (Quick)
Interface Rules (Quick)
Floating Rules (NON Quick)
Interface Group Rules (NON Quick)
Interface Rules (NON Quick)

turrican64

@kiokoman
I would vote on your first option, otherwise Action:Match would not work either (since match cannot be quick)

johnpoz

There is no such thing as group or interface non quick..

The problem I think your having is your not understanding a proper use case of floating.. It is almost never going to be used with normal setups.. It is for advanced configurations.. Say for use in marking or shaping.. Or if for some reason you want to use them to apply rules to multiple interfaces - which you would then mark quick, etc.

turrican64

@kiokoman
I mean "pf does not honour the non-quick setting" in this Block scenario. If I use it with Match (in other scenarios) packets landing in correct queues.

kiokoman

@johnpoz said in Floating vs Interface rules processing order:

There is no such thing as group or interface non quick..

yes that was only teoretically speaking.

@turrican64
i will say the second, it's pf that decide the order, Action:match probably have a priority between quick and non quick
but as jonhpoz said this is not the proper use case of floating

johnpoz

Unless you have some specific thing your trying to do.. Most users will have zero need of floating rules.. They can be very complex, and can lead to stuff being allowed or blocked that you did not intend to, etc.

Please read
https://docs.netgate.com/pfsense/en/latest/book/firewall/floating-rules.html

In most situations, we advise having Quick selected. There are certain specific scenarios where leaving Quick unchecked is necessary, but they are few and far between. For most scenarios, the only rules they would have without quick selected are match rules traffic shaper rules.

Marking and Matching

Using the Tag and Tagged fields, a connection can be marked by an interface tab rule and then matched in the outbound direction on a floating rule. This is a useful way to act on WAN outbound traffic from one specific internal host that could not otherwise be matched due to NAT masking the source. It can also be used similarly for applying shaping outbound on WAN from traffic specifically tagged on the way into the firewall.

For example, on a LAN rule, use a short string in the Tag field to mark a packet from a source of 10.3.0.56. Then on a floating rule, quick, outbound on WAN, use Tagged with the same string to act on the traffic matched by the LAN rule.

kiokoman

that doc is well made
this is the part i like the most:
Floating rules can be a lot more powerful than other rules, but also more confusing, and it is easier to make an error that could have unintended consequences in passing or blocking traffic.

and this

Without Quick checked, the rule will only take effect if no other rules match the traffic. It reverses the behavior of “first match wins” to be “last match wins”.

ergo
Floating Rules (Quick)
Interface Group Rules (Quick)
Interface Rules (Quick)
Floating Rules (NON Quick)

johnpoz

The documents are quite clear, unless its all greek to you - then its just gibberish ;)

My advice to new users to firewalls and pfsense in general would be to not use the floating tab at all. Or use if for very simple things where you have a lot of interfaces, and would you would set the "quick" option.

kiokoman

to me it is clear but nevertheless i can be wrong

turrican64

@johnpoz

Please read
https://docs.netgate.com/pfsense/en/latest/book/firewall/floating-rules.html

I've read this document. It lists potential use cases, but doesn't say it is improper to use block without quick. It offer this combination but it does not work in the way as the document describes.

@kiokoman said in Floating vs Interface rules processing order:

Without Quick checked, the rule will only take effect if no other rules match the traffic. It reverses the behavior of “first match wins” to be “last match wins”.

Yes this is clear statement but my previous question about this statement regards my example rule in Floating:

This the only rule in Floating Rules, therefore no other rules macth the traffic in the Floating Rule, so this block rule should take effect without Quick checked.

If someone can answer why it is not working in my very simple case would be great otherwise I consider Action:Block, Direction: In, Quick: no, is not

a proper use case of floating..

kiokoman

i think the most simple way to understand how it work is to delete all the rules on the lan interface and use only floating and check what happen after that put back the rules on the lan and compare
but as i say it is not a proper use case of floating and you should not use it -> There are certain specific scenarios where leaving Quick unchecked is necessary, but they are few and far between.
Probably Scenario that we would not understand until we are in the middle of that.

kiokoman

found this
from jim-p
https://www.reddit.com/r/PFSENSE/comments/95z9p3/floating_rules/
*If you do not check Quick, then the rule will only activate if no other rules on any tab match the traffic. This includes rules on group and interface tabs as well as other floating rules that come after it.

Consider this: The default block rule is, effectively, a non-quick floating rule that comes before all other rules. Thus, if there are no other matching rules (or no rules at all) on an interface, the traffic is blocked by default. This is how we enact the "default block" policy for the inbound direction.

There are similar (but more complex, due to routing needs) non-quick pass out rules for traffic exiting the firewall. But since they come before the user rules, even floating rules, if you make your own non-quick floating rules that match the same traffic, your own rules will be used instead.*

some practial use
https://www.reddit.com/r/PFSENSE/comments/7r0zfn/practical_use_of_floating_rules/

turrican64

@kiokoman said in Floating vs Interface rules processing order:

found this
from jim-p
https://www.reddit.com/r/PFSENSE/comments/95z9p3/floating_rules/
*If you do not check Quick, then the rule will only activate if no other rules on any tab match the traffic. This includes rules on group and interface tabs as well as other floating rules that come after it.

Thank you kiokoman. This supports the previous theory about the processing order

1. Floating Rules (Quick)
2. Interface Group Rules (always Quick)
3. Interface Rules (always Quick)
4. Floating Rules (NON Quick)

However this raises again the question, what about Action:Match (used for traffic shaping for example) which can be only Floating+NON Quick? If those rules would processed after everything they weren't work in many cases.

Derelict

There is no sense to put quick on a match rule. It doesn't pass traffic so if processing stops there the traffic will be blocked anyway.

Rules are processed in order whether or not quick is set. The difference is that processing stops when a quick rule is matched whether the rule passes or blocks the traffic. No other rules are processed.

With a rule without quick set, they take effect at the END of the rule set (though they are set in the order they are in the rule set.) If any other rule matches that has quick set processing stops so the end of the rule set is never reached so the rule without quick set never takes any action on the packet.

Take, for example, the default deny rules:

block in log inet all tracker 1000000103 label "Default deny rule IPv4"
block out log inet all tracker 1000000104 label "Default deny rule IPv4"

These are very high in the rule set and do not have quick set. They set every packet to be blocked in or out of any interface. When all the other rules have been processed and the end of the rule set is reached and no other rule has changed the behavior and passed or blocked it, then that action is taken and the packet is dropped.

turrican64

@Derelict said in Floating vs Interface rules processing order:

There is no sense to put quick on a match rule.

Yes, and the pfsense book confirms it as well: "Match rules do not work with Quick enabled."

With a rule without quick set, they take effect at the END of the rule set (though they are set in the order they are in the rule set.) If any other rule matches that has quick set processing stops so the end of the rule set is never reached so the rule without quick set never takes any action on the packet.

Based on your comment above, for example: I have a rule in the
LAN Interface Rules (always Quick) allow dst 10.0.0.1
and I also want to direct the same packets to a particular queue therefore I create a similar rule in the
Floating rules (NON Quick) match in dst 10.0.0.1

Does it mean that the NON Quick Floating rule will be never evaluated because the LAN Interface rule allows the packets and the processing stops there?

Thank you!