Firewall question



  • Hello,

I need to allow the user with a LAN IP access to the internet (Google). I disabled the any-to-any rule on the LAN interface and wanted to write the rules one by one to give access. But it is not working. I was wondering if anyone could help me; I attached a printscreen below. Also, does invert match make reference to stateful and stateless firewalls, and when do I use it?



  • LOL!! I didn't put the protocol as TCP/UDP for DNS. Now it's working with the new rules from this forum. If anyone wants to add anything please feel free.

    Thanks.  8) 8)



  • Doing blocking on LAN will be an exercise in pain for you if you have more than a couple of users to worry about.  Under normal conditions, most people don't block on LAN because you end up with endless user complaints when they try to do anything.



  • @KOM:

    Doing blocking on LAN will be an exercise in pain for you if you have more than a couple of users to worry about.  Under normal conditions, most people don't block on LAN because you end up with endless user complaints when they try to do anything.

    OK Thanks I will put configurations on the WAN instead, thanks.


  • Rebel Alliance Global Moderator

    ^ huh? WAN blocks all unsolicited traffic inbound out of the box, what blocks are you going to put in on the WAN?



  • IMHO, blocking on the LAN side is still useful.
    You minimize potential problems if any machine gets infected, prevent use of undesirable services, and can use a proxy to restrict user access (I think it's easier this way). On pfSense, just create a group and put in it all machines that should bypass the proxy for any reason.



  • @johnpoz:

    ^ huh? WAN blocks all unsolicited traffic inbound out of the box, what blocks are you going to put in on the WAN?

    ie

    Hello, I am still a newb to security, but what I wanted to do was block unwanted visitors on my WAN interface, just make my network safe. But I see that if my LAN has an ANY rule and currently the WAN is open to all, what should I do?



  • @CallFromUSA:

    @johnpoz:

    ^ huh? WAN blocks all unsolicited traffic inbound out of the box, what blocks are you going to put in on the WAN?

    ie

    Hello, I am still a newb to security, but what I wanted to do was block unwanted visitors on my WAN interface, just make my network safe. But I see that if my LAN has an ANY rule and currently the WAN is open to all, what should I do?

    Default rules in pfSense are "default deny inbound on WAN" and "default permit inbound on LAN".  The first one means no one can initiate traffic from the Internet and get into your pfSense box (WAN faces the big bad world), so it is already "…blocking unwanted visitors".  The second means anything that originates on your LAN interface (your network, your computers) is allowed into the pfSense box and then out the pfSense WAN (if that's where the traffic is destined).  Rules in pfSense are "inbound", so you have to pretend you are the pfSense CPU, looking out the WAN interface or looking out the LAN interface.  Packets coming at you are "inbound", so the "permit any to any" rule on the LAN interface is not involved with inbound WAN packets.

    pfSense is a Stateful firewall:  this means the packets that come in on your LAN interface and go out the WAN will generate internal state.  This state is used when the reply packets come back in on the WAN interface (you initiate a DNS request from your LAN, that has DNS replies coming back into your WAN);  if an inbound WAN packet matches internal state or any permit rules, it comes in.  Otherwise it is dropped.
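The evaluation order described in the post above (state first, then the first matching rule on the interface the packet enters, then default deny) and the two mistakes discussed in the thread (a DNS rule created with TCP only, so UDP queries fall through to default deny; and the question of what "invert match" does, which is simply negating the source or destination address test) can be seen in a small model. This is an added example written for this thread, not pfSense or pf code; the interface names, addresses, ports and rules are constructed, NAT is ignored, and the state table is a plain set rather than pf's real state machine.

```python
"""Toy model of per-interface inbound rule evaluation with a state table.
Added example for this thread; not pfSense or pf code.  Every address, port
and rule below is made up, and NAT is ignored so replies are addressed
straight to the LAN host."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on: "lan" or "wan"
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    protos: FrozenSet[str]        # protocols the rule applies to
    src_net: str = "any"          # "any" or an address prefix such as "192.168.1."
    dst_net: str = "any"
    dport: Optional[int] = None   # None = any destination port
    invert_dst: bool = False      # the "invert match" box on the destination

    @staticmethod
    def _in_net(addr: str, net: str) -> bool:
        return net == "any" or addr.startswith(net)

    def matches(self, p: Packet) -> bool:
        if p.proto not in self.protos:           # a TCP-only rule never sees UDP
            return False
        if not self._in_net(p.src, self.src_net):
            return False
        dst_ok = self._in_net(p.dst, self.dst_net)
        if self.invert_dst:                      # invert match negates the address test only
            dst_ok = not dst_ok
        if not dst_ok:
            return False
        return self.dport is None or p.dport == self.dport


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Rules are kept per interface and apply to packets *entering* it."""

    def __init__(self, rules: Dict[str, List[Rule]]):
        self.rules = rules
        self.states: Set[FlowKey] = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. An existing state entry wins, in either direction, on any interface.
        if self._key(p) in self.states or self._reply_key(p) in self.states:
            return "pass (state)"
        # 2. Otherwise the first matching rule on the inbound interface decides.
        for r in self.rules.get(p.iface, []):
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(self._key(p))   # replies will be matched via state
                    return "pass (rule)"
                return "block (rule)"
        # 3. Nothing matched: default deny (what an empty WAN rule tab gives you).
        return "block (default)"


def demo() -> Dict[str, str]:
    lan, host, dns = "192.168.1.", "192.168.1.10", "8.8.8.8"
    tcp_dns = Rule("pass", frozenset({"tcp"}), lan, dport=53)           # the mistake in the first post
    any_dns = Rule("pass", frozenset({"tcp", "udp"}), lan, dport=53)    # the fix
    https = Rule("pass", frozenset({"tcp"}), lan, dport=443)
    allow_all = Rule("pass", frozenset({"tcp", "udp"}), lan)
    # invert match idiom: block LAN traffic to anything that is NOT the LAN itself
    no_internet = Rule("block", frozenset({"tcp", "udp"}), lan, dst_net=lan, invert_dst=True)

    query = Packet("lan", "udp", host, 40000, dns, 53)
    reply = Packet("wan", "udp", dns, 53, host, 40000)
    probe = Packet("wan", "tcp", "203.0.113.7", 5555, host, 22)
    local = Packet("lan", "tcp", host, 40001, "192.168.1.20", 445)

    out: Dict[str, str] = {}
    fw = StatefulFirewall({"lan": [tcp_dns, https], "wan": []})
    out["udp dns with tcp-only rule"] = fw.filter(query)
    fw = StatefulFirewall({"lan": [any_dns, https], "wan": []})
    out["udp dns with tcp/udp rule"] = fw.filter(query)
    out["dns reply arriving on wan"] = fw.filter(reply)
    out["unsolicited syn on wan"] = fw.filter(probe)
    fw = StatefulFirewall({"lan": [no_internet, allow_all], "wan": []})
    out["internet dns under invert rule"] = fw.filter(query)
    out["lan-to-lan under invert rule"] = fw.filter(local)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:34} {verdict}")
```

The reply from the resolver is accepted on WAN only because the LAN rule created state when the query passed; with no state and an empty WAN rule list the same packet, like the unsolicited SYN, falls to default deny. The last two cases show the invert-match idiom the first poster asked about: a block rule whose destination is "not LAN net" stops traffic to the internet while the following pass rule still lets LAN-to-LAN traffic through.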