Deny Any Rule Ignored
-
I installed a new pfsense firewall with 3 interfaces {wan,home,redcloud}; redcloud aka 'my lab'. To ensure I could test port connections properly, I put a deny any rule in redcloud as the top entry. However, I can still ping & ssh from home to redcloud. Apparently, it is ignoring the deny any rule. There are no 'floating' rules.
I also verified that interfaces are all tagged vlans to prevent any layer 2 slippage.
-
@shaker242 said in Deny Any Rule Ignored:
However, I can still ping & ssh from home to redcloud.
Still a newbie?
You should look into the pfSense book before adding rules to see how it works: https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
Filter rules on the interface tabs are only applied to incoming traffic on the respective interface.
So if you want to block access from home to redcloud, add a rule to the home tab and set the destination to "redcloud net".
-
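To make the rule-placement point concrete, here is an added toy model (not code from the thread, not pf or pfSense itself) of how interface-tab rules are evaluated: a packet is matched only against the rules on the tab of the interface it enters, first match wins, and anything unmatched hits the implicit default deny. The three subnets and the sample hosts are assumptions; the thread only names the interfaces. The two rulesets reproduce the original post's setup and the fix suggested above.

```python
import ipaddress

# Constructed lab layout mirroring the three interfaces in the thread.
# The address ranges are assumptions; the thread names the interfaces only.
NETS = {
    "wan": ipaddress.ip_network("203.0.113.0/24"),
    "home": ipaddress.ip_network("192.168.1.0/24"),
    "redcloud": ipaddress.ip_network("10.10.0.0/24"),
}


def ingress_iface(src_ip):
    """Interface a packet arrives on: the one whose subnet holds the source.
    Anything not on a local subnet is treated as arriving from the WAN."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in NETS.items():
        if addr in net:
            return name
    return "wan"


def in_net(ip, spec):
    """Match an address against 'any' or an interface-net name ('home net')."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in NETS[spec.split()[0]]


def evaluate(rules, src, dst, proto="tcp", port=None):
    """First-match evaluation of interface-tab rules.

    Only rules on the tab of the interface the packet ENTERS are consulted;
    rules on the destination's tab never see this packet.  If nothing
    matches, the implicit default deny applies.
    """
    iface = ingress_iface(src)
    for rule in rules:
        if rule["iface"] != iface:
            continue  # rule lives on another tab; not consulted for this packet
        if rule["proto"] not in ("any", proto):
            continue
        if rule.get("port") not in (None, port):
            continue
        if in_net(src, rule["src"]) and in_net(dst, rule["dst"]):
            return rule["action"], rule["name"]
    return "block", f"implicit default deny on {iface}"


# What the original post set up: a block-all at the top of the redcloud tab,
# plus a stock "allow to any" rule on the home tab.
OP_RULES = [
    {"iface": "redcloud", "action": "block", "proto": "any",
     "src": "any", "dst": "any", "name": "redcloud: deny any"},
    {"iface": "home", "action": "pass", "proto": "any",
     "src": "home net", "dst": "any", "name": "home: allow to any"},
]

# The fix suggested in the reply: block on the HOME tab with destination
# "redcloud net", placed above the allow-to-any rule.
FIXED_RULES = [
    {"iface": "redcloud", "action": "block", "proto": "any",
     "src": "any", "dst": "any", "name": "redcloud: deny any"},
    {"iface": "home", "action": "block", "proto": "any",
     "src": "home net", "dst": "redcloud net", "name": "home: deny to redcloud"},
    {"iface": "home", "action": "pass", "proto": "any",
     "src": "home net", "dst": "any", "name": "home: allow to any"},
]

if __name__ == "__main__":
    for label, rules in (("original", OP_RULES), ("fixed", FIXED_RULES)):
        print(label, "home -> redcloud ssh:",
              evaluate(rules, "192.168.1.10", "10.10.0.5", "tcp", 22))
        print(label, "home -> internet https:",
              evaluate(rules, "192.168.1.10", "198.51.100.7", "tcp", 443))
        print(label, "redcloud -> home ssh:",
              evaluate(rules, "10.10.0.5", "192.168.1.10", "tcp", 22))
```

Under the original ruleset the SSH packet from home enters on home, only the home tab is consulted, and the allow-to-any rule passes it; the deny on the redcloud tab is never reached because nothing entered on redcloud. The model ignores state tracking, so the return traffic is not shown; in pf the reply rides the state created by the pass rule and needs no rule of its own.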
Got it, so there's no blocking on the incoming interface like other firewalls. Thanks.
-
@shaker242 said in Deny Any Rule Ignored:
Got it, so there's no blocking on the incoming interface like other firewalls. Thanks.
No, there is blocking on the INCOMING interface!! As the traffic enters pfSense is where you block traffic... Why should you wait until traffic has already gone through pfSense to then say oh wait, you can't go into that network...
If you want to block outgoing traffic you can do that on the floating tab, but it is not an efficient way to do it...
So do you block the guy from entering the house who says hey, I want to go to the back yard, or do you let him in the front door, let him walk across the living room, into the kitchen, and then only when he goes to leave the back door into the back yard say hey, wait a minute, you're not allowed in there...
Better to not even let him in the house.
-
Sure. All ports are essentially incoming though. I mean... per your analogy, a guy can come in the front door, or come in the back door or hey... enter through the garage. I think it'd be great to lock the garage door, but I should just check on the guy coming through the front door and ask him where he's going instead? If he says the garage - denied; however, if he said the back yard... pass. If the person is already in the backyard... he can go out the front door (I guess), but if he'd like to go the garage - denied.
A lot of other firewalls, have permit rules with a final 'deny all'. I was just trying to test that my rules were working. I haven't used pfsense in 9 years... it shows since it feels like opposite day.
Appreciate the feedback.
-
There is a deny all - on the incoming... I have worked on firewalls for 30 years... Before there were firewalls, and just packet filters... None of them are like that... Not one! Cisco, Juniper, Checkpoint, PA...
If you want an outbound rule - you can do it floating...
pfSense has always been this way... From version 1...
-
I guess I stand corrected. Appreciate the feedback, caps, exclamation points and all.