Netgate Discussion Forum
    pfSense Rule order

    Firewalling
    3 Posts 2 Posters 1.6k Views
    • Abhishek

      pass * * * LAN address 443/80/22 ANTI LOCKOUT RULE
      block TCPV !ManagmentDevices * facebook *
      block icpv4tcp/udp !LANNOPROXY * * 443
      block icpv4tcp/udp !LANNOPROXY * * 80

      pass tcpv4+6* * * * * LIMITER TO equally share bandwidth & Max Spd 9Mbps
      pass tcpv4+6* * * * * LIMITER TO equally share bandwidth & Max Spd 1Mbps
      block tcpv4+6 tcp/udp * * WANBLOCK * WAN IP BLOCKED

      pass two default allow lan to any rule
      pass ipv6 default allow lan ipv6 to any rule

      When there is a limiter pass rule and a squid proxy block 80/443 rule, in which order should they be set up?

      2.3-RC (amd64)
      built on Mon Apr 04 17:09:32 CDT 2016
      FreeBSD 10.3-RELEASE
      Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz

      darkstat 3.1.2_1
      Lightsquid 3.0.3_1
      mailreport 3.0_1
      pfBlockerNG 2.0.9_1  
      RRD_Summary 1.3.1_2
      snort 3.2.9.1_9  
      squid 0.4.16_1  
      squidGuard 1.14_1
      syslog-ng 1.1.2_2

      • johnpoz LAYER 8 Global Moderator

        Rules are evaluated top down; the first rule to trigger wins.

        It might be easier with an actual screenshot rather than some ASCII art. What exactly is icpv4tcp/udp?

        As to your block ! (not): that would pretty much block anything not going to whatever that alias is, guessing that is your proxy. So if traffic is not going there, then the rules stop evaluating, and it would never see any of the other rules.

        Let's say they are going to that, so those rules don't trigger. Then it looks like everything would hit that first limiter rule. When would it ever see the 2nd limiter rule?

        Remember: top down, first rule to fire wins; the rest of the rules after that are meaningless. The only time you get to the bottom is if none of the rules fire. If no rules fire, then you hit the default block.

        But the default any-any would let everything not blocked above it through.

        • Abhishek

          > As to your block ! (not): that would pretty much block anything not going to whatever that alias is, guessing that is your proxy. So if traffic is not going there, then the rules stop evaluating, and it would never see any of the other rules.

          Yes, I want to block all traffic not going through the proxy.

          > Let's say they are going to that, so those rules don't trigger. Then it looks like everything would hit that first limiter rule. When would it ever see the 2nd limiter rule?

          Currently not using it.
          Previously it was like: source IP in range 192.168.1.10-192.168.1.150 = first limiter.
          Source IP in range 192.168.1.151-192.168.1.200 = second limiter for mobile devices.

          Thank you, so I am guessing everything is okay as I expected.

          [attachment: fwrULES.PNG]

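The top-down, first-match evaluation johnpoz describes, applied to the rule table in the first post and to the source-range limiter split Abhishek says was used previously, as an added example (not code from the thread or from pfSense). Alias contents, the sample traffic and the reading of the ASCII table's columns (source, source port, destination, destination port) are assumptions made here; the limiter rules are modelled as plain pass rules, since only the match order matters for the question. The `shadowed()` helper lists rules that never win for any packet in the sample, which is exactly the "when would it ever see the 2nd limiter rule" question, and it also shows that the `WANBLOCK` drop sitting below a pass-all limiter rule can never fire.

```python
"""First-match rule-order simulator for a pfSense-style LAN rule set (added example,
not code from the thread or from pfSense; aliases, addresses and the column reading
of the poster's ASCII rule table are assumptions made here)."""
import ipaddress
from dataclasses import dataclass

# Constructed alias contents (assumption): the thread never lists them.
ALIASES = {
    "LANNOPROXY": ["192.168.1.5", "192.168.1.6"],   # hosts allowed to bypass squid
    "LAN address": ["192.168.1.1"],                 # the firewall's LAN IP
    "WANBLOCK": ["203.0.113.0/24"],                 # destinations to drop
    "RANGE1": ["192.168.1.10-192.168.1.150"],       # first limiter group
    "RANGE2": ["192.168.1.151-192.168.1.200"],      # second limiter (mobile) group
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: str = "*"         # "*", alias name, IP, CIDR or range; leading "!" negates
    dst: str = "*"
    dports: tuple = ()     # () means any destination port
    label: str = ""

def _addr_matches(addr, spec):
    """Match addr against "*", or a (possibly negated) alias, IP, CIDR or range."""
    if spec == "*":
        return True
    negate, name = spec.startswith("!"), spec.lstrip("!")
    ip, hit = ipaddress.ip_address(addr), False
    for member in ALIASES.get(name, [name]):
        if "-" in member:                      # address range a-b
            lo, hi = (ipaddress.ip_address(x) for x in member.split("-"))
            hit |= lo <= ip <= hi
        else:                                  # single IP or CIDR
            hit |= ip in ipaddress.ip_network(member, strict=False)
    return hit != negate

def first_match(rules, pkt):
    """Interface rules are 'quick': return (index, rule) of the first match,
    or (None, default deny) when nothing fires."""
    for i, r in enumerate(rules):
        if (_addr_matches(pkt.src, r.src) and _addr_matches(pkt.dst, r.dst)
                and (not r.dports or pkt.dport in r.dports)):
            return i, r
    return None, Rule("block", label="default deny")

def decide(rules, pkt):
    """'action:label' of the rule that wins for pkt."""
    return "{0.action}:{0.label}".format(first_match(rules, pkt)[1])

def shadowed(rules, packets):
    """Labels of rules that never win for any packet in the sample."""
    winners = {first_match(rules, p)[0] for p in packets}
    return [r.label for i, r in enumerate(rules) if i not in winners]

# The poster's LAN rules in the order listed (column reading is an assumption).
ORIGINAL = [
    Rule("pass", dst="LAN address", dports=(443, 80, 22), label="anti-lockout"),
    Rule("block", src="!LANNOPROXY", dports=(443,), label="force proxy 443"),
    Rule("block", src="!LANNOPROXY", dports=(80,), label="force proxy 80"),
    Rule("pass", label="limiter 9Mbps"),
    Rule("pass", label="limiter 1Mbps"),
    Rule("block", dst="WANBLOCK", label="WAN IP BLOCKED"),
    Rule("pass", label="default allow LAN to any"),
]

# Same policy with each limiter pass scoped to a source range, as the poster
# says was done previously, and the WANBLOCK drop placed above any pass-all rule.
SCOPED = [
    ORIGINAL[0], ORIGINAL[1], ORIGINAL[2],
    Rule("block", dst="WANBLOCK", label="WAN IP BLOCKED"),
    Rule("pass", src="RANGE1", label="limiter 9Mbps"),
    Rule("pass", src="RANGE2", label="limiter 1Mbps"),
    Rule("pass", label="default allow LAN to any"),
]

# Constructed traffic sample (assumption): bypass host, normal host, mobile host.
SAMPLE = [
    Packet("192.168.1.20", "198.51.100.9", 443),   # not in LANNOPROXY, direct HTTPS
    Packet("192.168.1.160", "198.51.100.9", 80),   # not in LANNOPROXY, direct HTTP
    Packet("192.168.1.5", "198.51.100.9", 443),    # bypass host, direct HTTPS
    Packet("192.168.1.20", "198.51.100.9", 22),    # SSH out from range 1
    Packet("192.168.1.160", "198.51.100.9", 22),   # SSH out from the mobile range
    Packet("192.168.1.20", "203.0.113.7", 22),     # destination inside WANBLOCK
    Packet("192.168.1.20", "192.168.1.1", 443),    # firewall GUI, anti-lockout
]

if __name__ == "__main__":
    for name, rules in (("ORIGINAL", ORIGINAL), ("SCOPED", SCOPED)):
        print(name)
        for p in SAMPLE:
            print("  %15s -> %s:%-4d %s" % (p.src, p.dst, p.dport, decide(rules, p)))
        print("  rules that never fire:", shadowed(rules, SAMPLE))
```

With the rules in the posted order, the second limiter and the `WANBLOCK` drop are never reached because the first limiter rule passes everything that survived the proxy blocks; scoping each limiter to its source range and moving the drop above the pass-all rules makes every rule reachable (a host outside both ranges, such as the bypass host, then falls through to the default allow with no limiter, which is a policy choice to make deliberately). On the firewall itself, `pfctl -vvsr` prints the loaded ruleset in evaluation order with per-rule Evaluations and Packets counters, so a rule whose Packets counter stays at zero under normal traffic is shadowed. The first-match behaviour applies to interface-tab rules, which pfSense loads as `quick`; a floating rule is only first-match if its Quick option is set, otherwise the last matching floating rule wins.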
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.