Netgate Discussion Forum

    I don't get it

    • maverick_slo

      Hi all.
      I'm really confused about inverse rules I guess...

      See attached image.
      Screenshot_20201211-234644(1).jpg
      Screenshot is from LAN172 tab.

      I am able to connect to file share in LAN10 network from LAN172 network (port 445 TCP).
      Why?

      • johnpoz (LAYER 8 Global Moderator) @maverick_slo

        What rules do you have below that? The any any rule?

        Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

        If you don't want lan172 to go to lan10, it's better to put a specific block for that vs using inverse. This is a known issue where vips can mess up inverse rules..

        It's best to always use explicit blocks.

        It's also possible you have an existing state that is allowing the traffic.. Since states are evaluated before rules.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        • maverick_slo

          No rules below that.
          I do have one IPv6 VIP but not used here.

          So this is a bug then,
          It should be documented somewhere as this makes the whole setup insecure...

          • johnpoz (LAYER 8 Global Moderator) @maverick_slo

            It's not a bug per se... But if you create a vip it can cause issues with how inverse rules are evaluated.

            If you do not have IPv4 vip anywhere? Are you using pfblocker, it can create a 10.10.10.10 vip that could mess with I guess your lan 10, which I guess is a 10.x.x.x address.

            Also you need to make sure there are no existing states.. You can directly look at the full set of rules to see if the vip could be causing you issues.

            https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

            • johnpoz (LAYER 8 Global Moderator)

              Here is an old thread about it for example
              https://forum.netgate.com/topic/128202/invert-match-doesn-t-work?_=1607728204262

              Here is the redmine about it
              https://redmine.pfsense.org/issues/6799

              • maverick_slo

                No IPv4 alias...

                Guess I will have to create specific firewall rules to block it...

                Crap

                • johnpoz (LAYER 8 Global Moderator) @maverick_slo

                  If you have no vips.. Not alias - not the same at all. You sure you don't have pfblocker creating a vip for you?

                  You have no rules in floating? And you cleared your states? And you sure traffic is flowing through pfsense?

                  Again you can look at the full rules..

                  I used to use inverse all the time.. But with discussion, mostly with Derelict, he has drawn me over to the side that explicit is always better. And it is easier to look at and see exactly what is allowed and blocked. But if you have no vips, and no floating, and no states then that rule should work and not allow access to something in the vlan 10 net..

                  • maverick_slo

                    No floating
                    Reset states
                    A few minutes later there is a state on pfsense so yeah traffic goes through pfsense.
                    I have no pfblocker.

                    • maverick_slo

                      I created block rules and now it works as it should...

                      • johnpoz (LAYER 8 Global Moderator) @maverick_slo

                        Well then we should investigate, because there is something going on that shouldn't be..

                        Let's call in @Derelict and he will prob want to see your full rule list via the link I provided above to figure out what is going on..

                        • maverick_slo

                          I'm on the latest beta snapshot if that matters...

                          • johnpoz (LAYER 8 Global Moderator) @maverick_slo

                            Oh you're on 2.5 -- yeah you should bring this up in that section for sure... There could be something buggy that needs to be reported.

                            I would start a new thread there, and you could reference this one, etc.
                            https://forum.netgate.com/category/78/2-5-development-snapshots

                            But it would be helpful to everyone if you investigate it further.

                            • Derelict (LAYER 8 Netgate) @johnpoz

                              @johnpoz @maverick_slo

                              Sounds like https://redmine.pfsense.org/issues/6799

                              Don't use pass rules to "block" traffic. Block it if you want it blocked.

                              Look at the generated rule set in /tmp/rules.debug. That will explain why anything is being passed.

                              It is pretty much a certainty that if there is no rule in that file that passes the traffic, it will be blocked.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                • johnpoz (LAYER 8 Global Moderator) @Derelict
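An added illustration (not code from this thread, from pfSense, or from pf itself) of the two points made above: rules are evaluated top down with the first match winning, and a pass rule with an inverted destination stops "blocking" once the negated destination expands to more than one address, whereas an explicit block rule does not. The subnets, the 10.10.10.10 VIP and the rules are constructed; the per-member expansion of a negated address list is an assumption modelled on pf's documented behaviour with negated lists.

```python
import ipaddress

# Constructed model of a pfSense interface rule set.  Only two properties of
# pf are reproduced: first matching (quick) rule wins, and no match means the
# default deny.  ASSUMPTION: a negated destination that is a list of addresses
# (an interface net plus a VIP) expands into one rule per list member, which is
# the effect the thread attributes to inverse rules combined with VIPs.

def expand(rule):
    """Turn a rule whose dst is a list into one rule per member (assumed pf expansion)."""
    if isinstance(rule["dst"], list):
        return [dict(rule, dst=d) for d in rule["dst"]]
    return [rule]

def matches(rule, src, dst, port):
    """True if a packet (src, dst, TCP port) matches one expanded rule."""
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
    if rule.get("invert_dst"):
        in_dst = not in_dst               # the "!" (invert match) on destination
    return in_src and in_dst and rule.get("port") in (None, port)

def evaluate(rules, src, dst, port):
    """Top-down, first rule to trigger wins; nothing matched -> default deny."""
    for rule in rules:
        for r in expand(rule):
            if matches(r, src, dst, port):
                return r["action"]
    return "block"

LAN172 = "172.16.0.0/24"                         # constructed LAN172 subnet
LAN10_NET = "10.0.0.0/24"                        # constructed LAN10 subnet
LAN10_WITH_VIP = [LAN10_NET, "10.10.10.10/32"]   # "LAN10 net" once a VIP exists

# Inverse rule: pass from LAN172 to anything that is NOT "LAN10 net".
inverse_rules_no_vip = [{"action": "pass", "src": LAN172, "dst": [LAN10_NET], "invert_dst": True}]
inverse_rules = [{"action": "pass", "src": LAN172, "dst": LAN10_WITH_VIP, "invert_dst": True}]
# What the thread recommends: explicit block first, then the any-any pass.
explicit_rules = [{"action": "block", "src": LAN172, "dst": LAN10_NET},
                  {"action": "pass", "src": LAN172, "dst": "0.0.0.0/0"}]

if __name__ == "__main__":
    smb = ("172.16.0.5", "10.0.0.20", 445)        # constructed SMB connection
    print("inverse, no VIP :", evaluate(inverse_rules_no_vip, *smb))  # block
    print("inverse + VIP   :", evaluate(inverse_rules, *smb))         # pass (the leak)
    print("explicit block  :", evaluate(explicit_rules, *smb))        # block
```

With the VIP present the second expanded rule (`pass to !10.10.10.10/32`) matches the 10.0.0.20 destination and passes it, which is exactly what the generated rule set in /tmp/rules.debug would reveal.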

                                @derelict Yeah I already linked to the redmine, and told him the same thing ;)

                                But he is saying he has no vip, etc..

                                So yeah I would like to see his full rule set to see why this is happening. Also he is using 2.5 - so it's possible there is something going on when there shouldn't be.. Really need to see the full rule list to know what is going on.
