Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    DMZ

    General pfSense Questions
    5
    25
    2327
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Atreides last edited by

      I'm a bit confused about DMZ firewall rules. In regards to the order of rules do I want the rule that blocks traffic to be at the bottom or top of the rule set? Do I need a rule that blocks traffic at all? Or is all traffic implicitly blocked unless I let it through?

      1 Reply Last reply Reply Quote 0
      • M
        mguebert last edited by

        Rules are matched from the top down, the first rule that matches wins, the rest don't get evaluated.

        1 Reply Last reply Reply Quote 0
        • KOM
          KOM last edited by

          Each interface has a hidden Default Deny rule that you can envision as being at the very bottom of the list.  If no rules above it apply then the traffic is blocked.

          1 Reply Last reply Reply Quote 0
          • A
            Atreides last edited by

            In that case, I was trying to set up a DMZ following instructions from here. Would this be working correctly as a DMZ? I want to be able to access the internet from the DMZ but have no access into any of my subnets. Do I need to change anything? I attached my rules below.

            wrath and lilan are hosts where wrath needs to access an NFS share on lilan. RFC1918 is 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8.


            1 Reply Last reply Reply Quote 0
            • KOM
              KOM last edited by

              Considering how firewall rules are processed top-down first-match, your last rule will never hit since rule #4 allows all access to anywhere (including LAN).  Here is how I do it.  My DMZ servers need to talk to our LAN-based Zabbix server, and they need to get DNS from LAN, too.


              1 Reply Last reply Reply Quote 0
              • A
                Atreides last edited by

                Oh I see, I have been thinking about it backwards? When people say the rules are top down I thought that would mean that the last thing to be read would be the bottom, in my case blocking RFC1918. Instead I should be thinking about it based on priority? So the rules higher up are the rules that will be respected?

                1 Reply Last reply Reply Quote 0
                • D
                  doktornotor Banned last edited by

                  First match wins (except for floating rules).

                  1 Reply Last reply Reply Quote 0
                  • A
                    Atreides last edited by

                    So, this better?


                    1 Reply Last reply Reply Quote 0
                    • KOM
                      KOM last edited by

                      I suspect not, if your pfSense DMZ interface is part of RFC1918.  Why not get rid of your last two rules and then just copy my last rule?

                      1 Reply Last reply Reply Quote 0
                      • A
                        Atreides last edited by

                        Well, I have many subnets… I guess I could block them all, but wont that be the same as I currently have?

                        1 Reply Last reply Reply Quote 0
                        • A
                          Atreides last edited by

                          Here's what i ended up with:


                          1 Reply Last reply Reply Quote 0
                          • KOM
                            KOM last edited by

                            Still no good.  Your 4th rule allows all access to anywhere.  Delete it entirely.

                            1 Reply Last reply Reply Quote 0
                            • jahonix
                              jahonix last edited by

                              You have lots of "allow BUT" rules, the ones with "!". Doesn't make sense.
                              Either make them block that range OR make them allow it but NOT "allow all but…"

                              1 Reply Last reply Reply Quote 0
                              • jahonix
                                jahonix last edited by

                                @KOM:

                                … just copy my last rule?

                                Problem is that it works but is harder to follow than need be.
                                Blocking something with an allow rule seems … strange.

                                Better use one rule first to explicitly block * to LAN
                                Add another rule to allow * to world.

                                1 Reply Last reply Reply Quote 0
                                • A
                                  Atreides last edited by

                                  @jahonix:

                                  @KOM:

                                  … just copy my last rule?

                                  Problem is that it works but is harder to follow than need be.
                                  Blocking something with an allow rule seems … strange.

                                  Better use one rule first to explicitly block * to LAN
                                  Add another rule to allow * to world.

                                  Yea, this is what I wanted to do originally.

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    Atreides last edited by

                                    @Atreides:

                                    So, this better?

                                    Doesn't my earlier post above accomplish that?

                                    1 Reply Last reply Reply Quote 0
                                    • jahonix
                                      jahonix last edited by

                                      It does.
                                      Don't know what problems KOM had with it, I'd do it that way.

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        Atreides last edited by

                                        @jahonix:

                                        It does.
                                        Don't know what problems KOM had with it, I'd do it that way.

                                        Great! That is why I was confused. I'll try that.

                                        Thanks everyone.

                                        1 Reply Last reply Reply Quote 0
                                        • KOM
                                          KOM last edited by

                                          Your first ruleset allowed access everywhere before the LAN block.  Your second ruleset has you blocking all private IP space and not just LAN.  Your 3rd ruleset allowed everything before the blocks.

                                          Second ruleset would do the job but the block is overly broad, and this can potentially impact you down the road if you add any interfaces or VLANs.

                                          1 Reply Last reply Reply Quote 0
                                          • A
                                            Atreides last edited by

                                            @KOM:

                                            Your first ruleset allowed access everywhere before the LAN block.  Your second ruleset has you blocking all private IP space and not just LAN.  Your 3rd ruleset allowed everything before the blocks.

                                            Second ruleset would do the job but the block is overly broad, and this can potentially impact you down the road if you add any interfaces or VLANs.

                                            How so? The DMZ shouldn't have access to any other VLANS/interfaces.

                                            1 Reply Last reply Reply Quote 0
                                            • KOM
                                              KOM last edited by

                                              How so? The DMZ shouldn't have access to any other VLANS/interfaces.

                                              Sure, until you add one for some reason and then need access from DMZ to LAN (for custom DNS, for example) and can't figure out why things aren't working.  If you only have the LAN and DMZ then you could just as easily used LAN net instead of your RFC1918 alias.

                                              1 Reply Last reply Reply Quote 0
                                              • jahonix
                                                jahonix last edited by

                                                @KOM:

                                                …If you only have the LAN and DMZ ...

                                                @Atreides:

                                                Well, I have many subnets…

                                                He doesn't and he told us.
                                                No need to complicate things with what could happen in the future. KISS.

                                                1 Reply Last reply Reply Quote 0
                                                • KOM
                                                  KOM last edited by

                                                  No need to complicate things with what could happen in the future. KISS.

                                                  Precisely, which is why when you want to block access specifically to LAN, you block access to that LAN's subnet and not all of RFC1918 space.  Right now, he's got 5 subnets with a total of ~1200 addresses being handled by a blockrule that targets ~18 million addresses.  While I also hang my hat on KISS, I fail to see how using an RFC alias with 18 million addresses is easier than just using LAN net or ! local net.

                                                  1 Reply Last reply Reply Quote 0
                                                  • A
                                                    Atreides last edited by

                                                    This way, I have one rule that will cover anything I make in the future. If I were to specifically cover each subnet that would mean every time I add a VLAN or subnet I have to worry about forgetting to block it. I would much rather play it safe with a single rule and selectively whitelist anything I want through the firewall. How is it complicated?

                                                    If I have a VLAN that I want to be able to access something in the DMZ, I just make to single rule for that IP or network, which is what i've currently done. It's much safer to whitelist everything I want to let through then blacklist everything I want blocked anyway.

                                                    Yes, either way would work but I think I prefer this way. Thanks for the help.

                                                    1 Reply Last reply Reply Quote 0
                                                    • KOM
                                                      KOM last edited by

                                                      How is it complicated?

                                                      It just depends on your point of view and how you work, that's all.  Both methods will work.  For me, I would never forget to secure a newly-added subnet, but I might easily forget that I blocked all of private IP space in a blockrule made potentially months or years ago.

                                                      I'm glad you have it working the way you want.

                                                      1 Reply Last reply Reply Quote 0
                                                      • First post
                                                        Last post