Potential Firewall Problem



  • Hello all, hope you are well!

    Been having some problems with my firewall; it seems to block all if I put ANY rule other than the source port interface / gateway IP to destination *.

    If I make the destination address anything, from another network to the WAN link, the firewall will not let anything through.

    From a security standpoint, should I not be pointing from one network to another, as the * could mean any network?

    Is this behaviour normal, and if not, can anyone help me to resolve this?

    Thanks in advance.

    Kr0n1c



  • A screenshot of your rules would help. Your floating, WAN, and LAN. Most people having issues describe the issue one way, but they miss something or misinterpret what they're actually doing.



  • @Harvy66:

    A screenshot of your rules would help. Your floating, WAN, and LAN. Most people having issues describe the issue one way, but they miss something or misinterpret what they're actually doing.

    Hello, sorry about the late response, I had some work I needed to finish.
    Ok, screenshots attached.

    To follow on from my original question.

    Does anyone know if the * means any?

    So does destination * mean any destination?



  • yes * = any



  • @n3by:

    yes * = any

    Thanks for confirming, but this does not answer my original question.

    Why does the pfSense firewall block all unless * is configured as destination?

    I have tried pointing the interface to the WAN as destination only, so as to avoid access to other networks on other LANs. Is there something wrong with my firewall? Is this normal?



  • This is a normal setup, because the last rule wins, and if no rules are defined then it is normal that traffic stops there.

    If you do not want to allow traffic between internal LANs and you want to allow traffic only to the Internet, then you can define an alias with all your LAN nets and add a rule "allow any destination except your internal LANs".




  • That's how I do my guest WiFi, except instead of specifying internal LANs I have an alias for all RFC1918.

    Same concept though!



  • Bear in mind that the rules on an interface are for INCOMING traffic on that interface. And everything that is not explicitly allowed is blocked by default.



  • @n3by:

    This is a normal setup, because the last rule wins, and if no rules are defined then it is normal that traffic stops there.

    pf at its core works this way, but I believe that user-added rules in pfSense have a "quick" keyword added, so they work more like first match wins. ssh/console to your pfSense device and run pfctl -sr, look at the userrules table. That's why the default deny is at the end and your rules need to go above it.

    At least that's the way it works on 2.2.6. If I'm wrong someone will be along to tell me so.
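As an added illustration (not code from the thread or from pfSense), here is a small model of the two points discussed above: pfSense user rules carry "quick", so the first matching rule wins and everything below the implicit default deny is unreachable, and the "allow any destination except RFC1918" rule from the guest-WiFi post lets a LAN reach the Internet while blocking the other internal networks. The guest subnet 192.168.50.0/24 and the sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed alias covering all RFC1918 ranges, as in the guest-WiFi post.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]          # what "destination *" means
GUEST_NET = "192.168.50.0/24"                      # hypothetical guest interface net

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source network (the interface's own net)
    dst_nets: list = field(default_factory=lambda: ANY)   # destination alias
    dst_invert: bool = False     # True models "Destination: NOT <alias>"
    quick: bool = True           # pfSense adds "quick" to user rules

    def matches(self, src_ip, dst_ip):
        if src_ip not in ipaddress.ip_network(self.src):
            return False
        in_alias = any(dst_ip in n for n in self.dst_nets)
        return in_alias != self.dst_invert   # invert flips the alias match

def evaluate(rules, src, dst):
    """Decide a packet's fate like pf does: a quick rule stops evaluation at
    the first match, non-quick rules let the last match win, and a packet
    matching nothing hits the implicit default deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = "block"
    for r in rules:
        if r.matches(src_ip, dst_ip):
            decision = r.action
            if r.quick:
                break
    return decision

# The poster's working rule: pass from the guest net to destination *.
allow_any = [Rule("pass", GUEST_NET)]
# The thread's suggestion: pass to anything that is NOT an internal (RFC1918) address.
guest_rules = [Rule("pass", GUEST_NET, RFC1918, dst_invert=True)]
# Rule order matters because of "quick": the block must sit above the pass-all.
block_first = [Rule("block", GUEST_NET, RFC1918), Rule("pass", GUEST_NET)]
pass_first = [Rule("pass", GUEST_NET), Rule("block", GUEST_NET, RFC1918)]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.10"):
        print(dst, evaluate(guest_rules, "192.168.50.20", dst),
              evaluate(block_first, "192.168.50.20", dst),
              evaluate(pass_first, "192.168.50.20", dst))
```

Running it shows 192.168.1.10 blocked by the inverted-alias rule and by the block-first ordering, but passed when the pass-all rule comes first and shadows the block below it.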



  • Yes, first rule wins (in firewall rules order); I expressed myself wrong in English, sorry.


  • LAYER 8 Global Moderator

    Why in the world would you be blocking bogon on an internal network interface?

