Netgate Discussion Forum

    Firewall rules seem broken, redux

    Firewalling
    8 Posts 5 Posters 1.5k Views
    • sazv

      I'm having a devil of a time with rules. As of about a week ago, no new rules appear to be having any effect. It started with aliases not working, but a rule specifying IPs or nets would work, and has devolved into nothing working. Furthermore, adding an easy rule to pass the traffic assigns the rule to the wrong interface.

      For testing, I have two local networks, "LAN", 192.168.2.0/24, "Trusted_LAN", 192.168.3.0/24, and "Remote_LAN" (connected via an openvpn tunnel) 192.168.105.0/24.

      The tunnel is up and the firewalls can talk across it.
      First rule listed for the LAN network is pass ipv4 icmp 192.168.102.110 192.168.105.100.
      Last rule listed for the LAN network is block ipv4+ipv6 any any.
      OpenVPN network permits icmp from any to any
      I have no floating rules.
      I am not blocking bogon or rfc1918 networks on any network but WAN.

      Attempts to ping from 192.168.102.110 192.168.105.100 result in traffic blocked for
      LAN   192.168.2.110   192.168.105.100 ICMP
      on LAN interface, i.e. traffic isn't leaving that network and there is an explicit rule to permit it.

      Any ideas?

      [Edit]The problem appears to evidence itself only on the machine running 2.3.1_5.  My machine running 2.3.1_1 does not appear to exhibit these issues.

    • cmb

      Post screenshots. There certainly aren't any differences in rules between any versions at all, much less between 2.3.1x versions.

    • marian78

      Hi, I also have a problem with firewall rules. I have WAN, LAN1, DMZ. In the firewall rules for the LAN interface I set up a rule to reject all from LAN to DMZ. But when I open a browser on a LAN PC client and type the IP of the WebUI of my NAS in the DMZ (port 80 HTTP), I can log in. But I set it to reject all…

      But ping from LAN to the NAS in the DMZ is not working.

          pfsense version: 2.3.1-RELEASE-p5 (amd64) built on Thu Jun 16 12:53:15 CDT 2016

      lan_to_dmz_rule.JPG
      dmz_rule.JPG
      floating_rules.JPG

      pfSense running in a virtual machine on an HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker

    • Derelict LAYER 8 Netgate

            The way you have the rules you will not be able to pass any traffic from LAN to DMZ or DMZ to LAN.

            If you are not posting all your rules, please do so.

            Your rule on DMZ will have no effect because hosts on DMZ will not send traffic destined for DMZ net to the firewall at all. Not sure what you are trying to do there.

      You either have some other router on your network or, maybe, you need to clear firewall states before testing your rules (Diagnostics > States, Reset States). Firewall rules only block the creation of new states. Existing states can continue to pass traffic.

            My suggestion is to get rid of things like pfBlocker until you have a better grasp on what the firewall rules in pfSense actually do.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

    • marian78

      Hi, thanks for the reply. The posted rules are only for testing, because I am investigating why I have access to the DMZ from the LAN when I block it. I can try resetting states as you wrote.

      edit: reset states - still have access to DMZ from LAN net
      restart BOX - still have access to DMZ from LAN net

      LAN net - 192.168.0.0/24, client PC IP 192.168.0.243, gateway 192.168.0.3, LAN address 192.168.0.3
      DMZ net - 192.168.100.0/24, NAS IP 192.168.100.10, gateway 192.168.100.2, DMZ address 192.168.0.2

      And yes, I have a second router. But it is only for backup, with manual configuration (static IP for client, gateway, DNS) on the LAN client PC and DMZ NAS (they don't use IPs of the backup router).

      states.JPG

    • marian78

      Maybe it's because I use a transparent proxy on the LAN interface (127.0.0.1:3128). How do I block traffic from LAN any any to DMZ any TCP ports 443 and 80 when a transparent proxy server is used?

                edit: Bypass Proxy for Private Address Destination must be enabled?

      edit2: hm, it was a mistake between my chair and keyboard. :) When I set "Bypass Proxy for Private Address Destination" to enabled in the proxy server, my test rule now works. All traffic for private addresses now goes directly to the firewall and does not use the proxy on localhost.

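The two mechanisms this thread turns on, Derelict's point that an existing state keeps passing traffic no matter what rule is added, and marian78's finding that the transparent proxy redirect on 127.0.0.1:3128 hides the DMZ destination from the LAN rules, modelled in one short Python script. This is an added example, not pfSense or pf code; the class names, the `bypass_private` flag and the simplified matching are this example's own assumptions, while the addresses and ports are the ones posted in the thread.

```python
"""Model of the order in which pf handles a packet arriving on the LAN interface
(added example, not pfSense or pf code):
  1. state-table lookup: a packet matching an existing state passes without
     consulting the rules at all,
  2. rdr translation: the transparent-proxy redirect rewrites the destination
     to the local proxy before the filter rules see the packet,
  3. filter rules, first match wins (pfSense rules carry 'quick').
Addresses and ports are those posted in the thread; the class names and the
simplified matching are this example's own assumptions."""
import ipaddress
from dataclasses import dataclass

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int  # 0 for ICMP


def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass
class Rdr:
    """A transparent-proxy redirect, e.g. LAN tcp port {80,443} -> 127.0.0.1:3128."""
    iface: str
    proto: str
    dports: tuple
    to_addr: str
    to_port: int
    bypass_private: bool = False  # "Bypass Proxy for Private Address Destination"

    def apply(self, f):
        if (f.iface, f.proto) != (self.iface, self.proto) or f.dport not in self.dports:
            return f
        if self.bypass_private and any(ipaddress.ip_address(f.dst) in n for n in PRIVATE):
            return f
        return Flow(f.iface, f.proto, f.src, self.to_addr, self.to_port)


@dataclass
class Rule:
    action: str  # "pass" or "block"
    iface: str
    proto: str   # "any", "tcp", "icmp"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"

    def matches(self, f):
        return (f.iface == self.iface and self.proto in ("any", f.proto)
                and in_net(f.src, self.src) and in_net(f.dst, self.dst))


class Firewall:
    def __init__(self, rdrs, rules):
        self.rdrs, self.rules, self.states = rdrs, rules, set()

    def reset_states(self):  # Diagnostics > States > Reset States
        self.states.clear()

    def process(self, f):
        """Return (action, reason) for the first packet of flow f."""
        if f in self.states:            # step 1: an existing state wins
            return "pass", "existing state"
        xlated = f                      # step 2: NAT/rdr runs before filtering
        for r in self.rdrs:
            xlated = r.apply(f)
            if xlated != f:
                break
        for rule in self.rules:         # step 3: first matching rule decides
            if rule.matches(xlated):
                why = f"rule {rule.action} {rule.src} -> {rule.dst}"
                if xlated != f:
                    why += f" (dst rewritten to {xlated.dst}:{xlated.dport})"
                if rule.action == "pass":
                    self.states.add(f)  # state is keyed on the original addresses
                return rule.action, why
        return "block", "default deny"


def run_demo():
    """Replay the thread: block LAN -> DMZ, default pass, proxy redirect on LAN."""
    rules = [Rule("block", "LAN", "any", "192.168.0.0/24", "192.168.100.0/24"),
             Rule("pass", "LAN", "any", "192.168.0.0/24", "any")]
    proxy = Rdr("LAN", "tcp", (80, 443), "127.0.0.1", 3128)
    fw = Firewall([proxy], rules)
    http = Flow("LAN", "tcp", "192.168.0.243", "192.168.100.10", 80)
    ping = Flow("LAN", "icmp", "192.168.0.243", "192.168.100.10", 0)
    out = {}
    out["http_with_proxy"] = fw.process(http)   # passes: block rule never sees the NAS IP
    out["ping_with_proxy"] = fw.process(ping)   # blocked: ICMP is not redirected
    proxy.bypass_private = True                 # flip the option as in edit2
    out["http_state_kept"] = fw.process(http)   # still passes: the old state survives
    fw.reset_states()
    out["http_after_reset"] = fw.process(http)  # now blocked
    return out


if __name__ == "__main__":
    for name, (action, why) in run_demo().items():
        print(f"{name:18} {action:5} {why}")
```

The four results reproduce the thread in order: HTTP to the NAS passes because the filter rules evaluate the redirected destination 127.0.0.1:3128, ICMP is blocked because the redirect only covers TCP, enabling the private-address bypass changes nothing until the existing state is cleared, and after a state reset the LAN-to-DMZ block rule finally matches.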
    • W4RH34D

                  @marian78:

      Maybe it's because I use a transparent proxy on the LAN interface (127.0.0.1:3128). How do I block traffic from LAN any any to DMZ any TCP ports 443 and 80 when a transparent proxy server is used?

                  edit: Bypass Proxy for Private Address Destination must be enabled?

      edit2: hm, it was a mistake between my chair and keyboard. :) When I set "Bypass Proxy for Private Address Destination" to enabled in the proxy server, my test rule now works. All traffic for private addresses now goes directly to the firewall and does not use the proxy on localhost.

                  If you check that then internal web servers won't be cached, right?

                  Did you really check your cables?

    • marian78

      Yes, but now I can change my rules and I know that they will work as I set them.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.