Rule ordering for friendly IPs

Greetings -

I am running pfSense version 2.3.2-p1 with pfBlocker and Snort configured, so let me know if I should redirect this question to the pfBlocker or Snort subforum list.

Issue:
As I am tweaking my firewall rules for working with pfBlocker and Snort, I have set up two aliases for the purpose of allowing two different types of friendly IPs through to my LAN boxes. One alias is for allowing access from the LAN to our external web/mail server and a separate backup server. A second alias is to allow our antivirus software to obtain updates. As I set up pfBlocker and Snort I created an allow rule for these aliases and put it at the top of the floating rule list. This initially worked but then stopped, and I noticed that the order of the floating rules had been changed and the alias rules were moved to the bottom. So after a little research on this list it appears that I am running up against the feature in pfBlocker that defines the floating rule order such that pfBlocker deny/reject rules come first.

So my question becomes: what is the proper method or rule ordering for me to allow these friendly IPs? Right now I have the default setting in pfBlocker that puts pfBlocker Block/Reject rules first, with all other rules following. There is an option to set the order to pfSense pass/match, then pfBlocker pass/match, then pfBlocker block/reject, then pfSense block/reject. But I am not sure if changing this setting is appropriate for my situation. Might it be better for me to move my two aliases from the floating rule set and put them in the LAN set? But since floating rules are processed first, would my friendly IPs still be blocked? My immediate problem is that Snort is blocking my LAN server from backing up to an external server, and I don't want to create a Snort policy exception for this type of traffic, but only want to allow the traffic to the specific IP of my external backup server.

Any guidance would be appreciated. Thanks.

Jeff

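As an added worked example (not code from the post above, and not pfSense or pfBlockerNG code), the script below simulates first-match evaluation of "quick" floating rules under the two pfBlockerNG ordering options the post names: the default "pfBlocker block/reject first" and the alternative "pfSense pass, pfBlocker pass, pfBlocker block, pfSense block". The aliases, the pfBlocker list name and all addresses are constructed for illustration; the point it shows is that a user pass rule for a destination that also appears in a pfBlocker block list only wins if the ordering places user pass rules ahead of pfBlocker block rules.

```python
"""First-match simulation of pfSense floating rule ordering with pfBlockerNG.

Added example, not pfSense or pfBlockerNG code. All rules are assumed to be
"quick" floating rules (pfBlockerNG creates its rules that way), so the first
matching rule decides. Aliases, list names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "pass" or "block"
    origin: str      # "pfsense" (user-created) or "pfblocker" (auto-created)
    dst_nets: tuple  # destination alias, expanded to ip_network objects


def alias(*cidrs):
    """Build a destination alias from CIDR strings (constructed values)."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Constructed aliases: two "friendly" aliases like the ones in the post, plus a
# pfBlockerNG block list that happens to overlap the external backup server.
FRIENDLY_SERVERS = alias("203.0.113.10/32", "203.0.113.25/32")  # web/mail + backup
AV_UPDATES = alias("198.51.100.0/24")
PFB_BLOCKLIST = alias("203.0.113.0/24", "192.0.2.0/24")

RULES = [
    Rule("pfB_blocklist_v4", "block", "pfblocker", PFB_BLOCKLIST),
    Rule("allow_friendly_servers", "pass", "pfsense", FRIENDLY_SERVERS),
    Rule("allow_av_updates", "pass", "pfsense", AV_UPDATES),
]

# pfBlockerNG rule-order options expressed as sort keys (lower sorts earlier).
ORDERINGS = {
    # default: pfBlocker block/reject rules first, every other rule after them
    "pfb_block_first": lambda r: 0 if (r.origin == "pfblocker" and r.action == "block") else 1,
    # alternative: pfSense pass, pfBlocker pass, pfBlocker block, pfSense block
    "pass_then_block": lambda r: {
        ("pfsense", "pass"): 0,
        ("pfblocker", "pass"): 1,
        ("pfblocker", "block"): 2,
        ("pfsense", "block"): 3,
    }[(r.origin, r.action)],
}


def order_rules(rules, mode):
    """Return the rules in the order the selected option would write them."""
    return sorted(rules, key=ORDERINGS[mode])  # stable: ties keep user order


def evaluate(rules, dst):
    """First-match evaluation of quick floating rules for a destination IP.

    Returns (action, rule_name). ("continue", None) means no floating rule
    matched and evaluation proceeds to the interface-tab rules.
    """
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if any(ip in net for net in r.dst_nets):
            return r.action, r.name
    return "continue", None


def decide(mode, dst):
    """Decision for one destination under one pfBlockerNG ordering option."""
    return evaluate(order_rules(RULES, mode), dst)


if __name__ == "__main__":
    for mode in ORDERINGS:
        print(mode, [r.name for r in order_rules(RULES, mode)])
        for dst in ("203.0.113.10", "198.51.100.7", "192.0.2.5", "8.8.8.8"):
            print("   ", dst, decide(mode, dst))
```

Under the default ordering the backup server (203.0.113.10) is blocked by the pfBlocker list even though it sits in the friendly alias; under the "pass then block" ordering the friendly pass rule comes first and wins, while addresses that are only in the block list are still blocked and everything else falls through to the interface rules. One caveat a practitioner should keep in mind: this models firewall rule order only. Snort's blocks on pfSense are applied through its own pf table (snort2c) rather than through the rule list, so they are not affected by either ordering option; exempting a single host from Snort blocking is what its Pass List is for.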