Cannot setup rule block ICMP from LAN to DMZ in PfSense Version 2.3.2



  • Hi everybody.
    I have problem when deploy firewall system
    When I setup rule to block ICMP traffic from LAN to DMZ, or
    Rule is not apply, I am trying to reboot my device, but not effecting
    I don't know what 's wrong happen
    Thank for help me
    Please read my attachment image
    ![8-31-2016 11-49-37 PM.jpg](/public/imported_attachments/1/8-31-2016 11-49-37 PM.jpg)
    ![8-31-2016 11-49-37 PM.jpg_thumb](/public/imported_attachments/1/8-31-2016 11-49-37 PM.jpg_thumb)



  • Firewall rules affect the interface the data enters, so if you want to block stuff coming from LAN, you need to put the rule on LAN, not DMZ.


  • Rebel Alliance Global Moderator

    Why does this seem to be so confusing for users?

    This is common firewall practice where traffic is evaluated as it enters the firewall, not as it leaves the firewall.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    Firewall rules on Interface and Group tabs process traffic in the Inbound direction and are processed from the top down, stopping at the first match. Where no user-configured firewall rules match, traffic is denied. Rules on the LAN interface allowing the LAN subnet to any destination come by default. Only what is explicitly allowed via firewall rules will be passed.

    Is this wording ambiguous in nature, is that what is confusing users?  Do we need a picture??

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    It makes no sense to let the packet flow through the firewall/router from the lan, then stop it from leaving onto the dmz.  So as new traffic enters an interface to pfsense that is when the decision is made if it should be allowed or not.  Yes you can get fancy and place outbound rules on interface with floating.  But those really are special use cases and don't come into play that often to be honest.  That is not were you should be placing your common rules.

    Do you put the stop sign before the intersection or after the intersection ;)



  • Why does this seem to be so confusing for users?

    Because everyone's mindset is "Stop things from entering a network" as opposed to "Stop things from leaving a network".  When you think of securing your house, you think about stopping a burglar from coming "inside".  You don't think about it as how to stop him from leaving the "outside".  I had this very same problem when I first started using pfSense, and it wasn't the first firewall I have configured.

    It makes no sense to let the packet flow through the firewall/router from the lan, then stop it from leaving onto the dmz.

    Why not?  It's really just a logical abstraction, isn't it?  You have two rooms and pfSense is the door.  For all intents & purposes, blocking someone from entering room B is no different than preventing him from leaving room A – it just depends on how you look at it.


  • Rebel Alliance Global Moderator

    A firewall/router is not a door..  If you let the packet in you have to process it through to get to the other interface.

    Where you do you put the stop sign before or after the intersection..

    "When you think of securing your house, you think about stopping a burglar from coming "inside"."

    Exactly!!!  Pfsense is your house… Where do you stop the guy from coming in.. At the entrance to the house.. So the interfaces are the doors to your house.. So the front door is to the world at large "wan", the back door "lan" is into your back yard..

    So if someone is in the back yard and you don't want them getting into your house and then out to the real world where is the most logical place to stop them.. Keep him in the back yard and don't even let him in to the house.

    Or do you let him into the house and then lock the front door??  Same from the outside do you stop him from entering your house at the front door or do you let him into the house and then say oh wait I don't want you to go into the back yard "lan"



  • I'm not arguing with you, I'm just telling you my perspective on why people commonly get this confused.  Perhaps my door analogy wasn't the best.  The problem is you understand too much about it so of course everything makes sense.  People naturally think of stop from coming in, so they think they have to block at the interfaces they think it's coming in to.  Totally wrong thinking, but that's what it is.



  • ya i was very confused about this as well but after reading a couple of Johns's posts i finally have a handle on it.  it may seem simple to people that have lots of knowledge but just starting out with Pfsense,  that was one of my biggest challenges.



  • Everything done.
    I was confused with Access Control List of Cisco device.
    Thank you very much @KOM, johnpoz, xman111


  • Galactic Empire

    I did something like this with my DMZ to block traffic to my local subnets.

    I have an alias with my local subnets in and only enable the bottom rule when I want to kick off updates from hosts in the DMZ.

    You need to be more worried with traffic coming in over the internet to the DMZ hosts then going to the LAN.

    Traffic in through the WAN for IPv4 is NAT'd and IPv6 is routed.

    NB the bottom rule destination is a NOT AKA anything thats not in the alias n_ip_local_subnets.



  • Rebel Alliance Global Moderator

    I use a sim alias but just call it rfc1918 and have all the rfc1918 segments in there.  This way if I add more segments don't have to worry about updating the alias.  Since my segments would always be in the rfc1918 space.

    Maybe you want to allow it, but IMHO your rules to allow ntp and dns are pretty open.  Those rules allow you to hit any IP on the firewall, be it another interface in another local segment or your wan, etc.  More restrictive rule would be to only allow access dmz address, and then a block rule to this firewall which would prevent any and all access to any other firewall address.  For example your block to n ip local subnets.  Does this include your wan address of your firewall?  If not you could prob hit the firewall web gui via the wan address from your dmz.

    The ipv6 alias includes the /48 prefix I use from HE and the ipv6 transit, etc.



  • Galactic Empire

    Ta John, I wrongly assumed "This Firewall" was the closest interface rather than any interface.