Firewall rules issues
-
I have the latest stable version of pfSense working LAN to WAN, but only if the default permit-anything rules for IPv4 and IPv6 are also enabled, even though they are not passing traffic. The other rules are above them.
If I disable them, or add an implicit deny rule above them, everything stops working until they are re-enabled. As this is a firewall that can't be correct, so please, someone tell me what I am doing wrong. I have experience of Fortigate/Cisco and they have an implicit deny by default after the last rule.
Please point me in the right direction; I am not sure what to look for.
-
You're going to need to take a screenshot of your LAN firewall rules and either post it directly into the thread here, or post it online somewhere and provide a link to the image. We can't help fix it if we don't know what you've got set up in there.
Also, why don't you go back to the basics. You mention "other rules are above them" and not passing traffic. You should turn these off temporarily (disable them), then see if you can get anything working. If so, the problem lies somewhere in the rules you have added above the default "allow any" rule on the LAN interface.
Jeff
-
The default for the LAN, and only for the LAN interface, is to permit all.
Rules are evaluated from top to bottom; the first rule that matches the traffic will apply, the others are discarded/ignored. That said, post a screenshot of what you are doing eventually.
-
Hi, I am aware that the rules are top-down as with most firewalls, but when I disable the 2 default rules (IPv4 and IPv6) at the bottom of the list the firewall stops passing traffic LAN to WAN. If I re-enable them it works again.
I want an explicit deny at the bottom of all the rules for obvious reasons; if I put one in, that also breaks things. It feels like NATing stops working.
With the default rules enabled everything works, and due to the top-down nature of firewall rules the other rules are passing the traffic as you would expect.
The firewall is a work in progress, but I want it to become my main firewall eventually, which is why I can't leave the default allows in place.
thia
-
You don't have a rule for UDP 53.
DNS probably stops working if you remove the last 2 entries.
-
Exactly, DNS can be either TCP or UDP, or a combination of both. I don't know exactly, but the linked article at the bottom spells it out.
Change rules number 5 and 8 to be both TCP and UDP protocols and see if traffic moves like normal.
DNS and other services work on both TCP and UDP:
https://support.microsoft.com/en-us/help/556000
Jeff
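To make the failure mode in this thread concrete, here is a small first-match rule evaluator written for this page (it is not pfSense code, and the rule tables below are constructed for illustration since the original poster's actual rules were never shown). It models the LAN ruleset the way pfSense evaluates it: top to bottom, first match wins, and anything that falls off the end of the list is dropped. The "broken" table has a TCP-only DNS rule followed by an explicit deny, so a UDP/53 query from a LAN client is blocked and name resolution dies; the "fixed" table opens 53 for TCP/UDP; the third table shows why everything worked while the default "allow any" rule was still at the bottom.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the pfSense project or the thread's author.
# Protocol field mirrors the pfSense GUI choices: "tcp", "udp", "tcp/udp", "any".


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp" or "any"
    dport: Optional[int]   # destination port, None means any port
    note: str = ""

    def matches(self, proto: str, dport: int) -> bool:
        """Return True if this rule applies to a packet with the given proto/port."""
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom, like a pfSense interface ruleset.

    Returns (action, index_of_matching_rule). If no rule matches, the packet is
    dropped by the implicit deny, signalled with index None.
    """
    for i, rule in enumerate(rules):
        if rule.matches(proto, dport):
            return rule.action, i
    return "block", None


# Constructed LAN rulesets; port numbers are the usual service ports.
BROKEN = [
    Rule("pass", "tcp", 53, "DNS (TCP only)"),    # the mistake from the thread
    Rule("pass", "tcp", 80, "HTTP"),
    Rule("pass", "tcp", 443, "HTTPS"),
    Rule("block", "any", None, "explicit deny at the bottom"),
]

FIXED = [
    Rule("pass", "tcp/udp", 53, "DNS (TCP and UDP)"),  # corrected per the thread
    Rule("pass", "tcp", 80, "HTTP"),
    Rule("pass", "tcp", 443, "HTTPS"),
    Rule("block", "any", None, "explicit deny at the bottom"),
]

# Same as BROKEN but with the pfSense default LAN "allow any" rule still present
# below the custom rules; this masks the missing UDP/53 rule.
BROKEN_WITH_DEFAULT_ALLOW = BROKEN[:-1] + [
    Rule("pass", "any", None, "default allow LAN to any"),
]


def dns_query_result(rules: List[Rule]) -> str:
    """Outcome for a typical client DNS lookup (UDP to port 53)."""
    return evaluate(rules, "udp", 53)[0]


def audit(rules: List[Rule]) -> List[str]:
    """Report which rules in a first-match table can never fire.

    Useful sanity check before putting an explicit deny at the bottom: any rule
    shadowed by an earlier broader rule is listed so it can be removed or moved.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            covers_proto = earlier.proto == "any" or earlier.proto == rule.proto
            covers_port = earlier.dport is None or earlier.dport == rule.dport
            if covers_proto and covers_port:
                shadowed.append(rule.note or f"rule {i}")
                break
    return shadowed


if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED),
                        ("broken+default allow", BROKEN_WITH_DEFAULT_ALLOW)):
        action, idx = evaluate(table, "udp", 53)
        print(f"{name:22s} UDP/53 -> {action} (rule {idx})")
    print("shadowed rules in FIXED:", audit(FIXED))
```

Running the block prints `block` for the broken table, `pass` for the fixed one, and `pass` for the broken table only because the default allow-any rule is catching the UDP/53 traffic that the TCP-only DNS rule missed, which is exactly the symptom described above. The `audit` helper is a simple shadow check for first-match tables; it flags nothing in the fixed table, and it would flag every rule placed below a catch-all allow.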
-
Thanks guys, that's the issue. I made the DNS entries TCP/UDP and all is now working, including the default
deny rule. This is very embarrassing; I am a retired Cisco engineer with 20 years of networking experience and I did not notice that.
-
@Grindey said in Firewall rules issues:
This is very embarrassing, I am a retired Cisco engineer with 20 years of networking experience and I did not notice that.
Well, that's it then... off to the stocks with you! LOL
Jeff