Firewall doesn't seem to be working correctly
  • Hi All

    I'm new to pfSense - looks great so far, just having a few firewalling issues... I've set up a rule in Floating, which I hear is the first rule processed. Basically this rule doesn't seem to be working effectively.
    I've cleared states, to make sure that the rule should "fire", but still nothing is happening... Please see pics below:
    http://imgur.com/a/HC5XX

    The interface is activated for LAN...
    After killing the states that come up, I go in again - and they are appearing again...
    http://imgur.com/a/hnoDZ

    So the question is, why isn't the rule being applied?

    Nothing was showing up when looking at the GUI logs...

    What could be happening?

    Thanks


  • Rebel Alliance Global Moderator

    So you're running a proxy.. Those states show connections to the proxy running on pfSense.  Most likely transparent mode.

    What exactly are you trying to accomplish?  Block that 192.168.1.97 box - then do that on the LAN, not in Floating.  Floating is for more advanced stuff - most users have zero use for putting rules in Floating.  Did you set the rule for quick?  Did you set it for inbound or outbound of the interface, etc..

    If you want to block that host from using the internet, then put in a block rule on LAN at the top to not let it talk.. Or don't let it use the proxy.. You really should know that using a proxy when attempting to firewall stuff changes the game.



  • Hi, thanks for the response.
    I actually had put the rule in the LAN section too - see img:
    http://imgur.com/a/FfTVk

    It wasn't working, hence the Floating rule too.
    To answer your question, yes, I've set up Squid as a transparent proxy... as you say, this could be causing the issues too...

    What would your suggestion be then on how to set this up? I want to have a transparent proxy and firewall running.

    Thanks for the feedback


  • Rebel Alliance Global Moderator

    Yeah, that is not going to work if using a proxy in transparent mode..  Change it to non-transparent or explicit mode, i.e. clients point to the port.  Then block the client from talking to that port, or like you have it, from going anywhere.

    Or set the proxy itself not to allow that IP, and then your rule on the LAN would keep it from going direct.

    If you don't mind, what exactly are you trying to accomplish with the proxy?  Do you have devices you want to filter from categories?  Like kids accessing porn or something.  In a home the use of the proxy doesn't really make a lot of sense to be honest.. Unless you're trying to block based on categories or URLs and/or log where they go.  I have not used a proxy in my home setup since my boys were young teenagers ;)



  • Perfect - thanks for that...
    I'll want a transparent proxy; I might change that in the future. All I want to do at the moment is see what the guys on the network are doing. Once I know the slackers, I might change the proxy to explicit. Maybe I should fire up another VM - put pfSense on that with the firewall, and a separate instance for the proxy... is this the way you'd recommend to go?


  • Rebel Alliance Global Moderator

    Not sure how running the proxy on a different box would change anything if still doing transparent.. To pfSense all the traffic would be coming from the proxy.

    If you don't want someone to use your transparent proxy - then block them in the proxy.  And also block them on the pfSense firewall rules so they can not go direct..
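    The two points the moderator raises in the replies above (a Floating rule that is not set to quick can be overridden by a later interface rule, and a rule keyed on the client's address cannot match traffic the proxy sends on the client's behalf) can be illustrated with a small rule evaluator that mimics pf's "last match wins unless quick" semantics. This is an added example, not code from the thread or from pfSense; the interface names, the firewall's LAN and WAN addresses, the destination address and the proxy port 3128 (Squid's default) are constructed for the illustration.

```python
"""Toy model of pf-style rule evaluation: rules are checked in order, the
last matching rule wins, and a matching rule marked 'quick' stops evaluation.
pfSense evaluates Floating rules before interface-tab rules, and interface-tab
rules are implicitly quick. Added example; not pfSense code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    iface: str       # interface the packet is evaluated on
    direction: str   # "in" or "out" relative to the firewall
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    quick: bool = False
    iface: Optional[str] = None    # None matches anything (like a Floating rule)
    direction: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    label: str = ""

    def matches(self, f: Flow) -> bool:
        wanted = [(self.iface, f.iface), (self.direction, f.direction),
                  (self.src, f.src), (self.dst, f.dst), (self.dport, f.dport)]
        return all(want is None or want == have for want, have in wanted)


def evaluate(rules: List[Rule], flow: Flow, default: str = "block") -> Tuple[str, str]:
    """Return (action, label) of the winning rule under pf semantics."""
    winner = None
    for r in rules:
        if r.matches(flow):
            winner = r
            if r.quick:          # quick: stop here, this rule decides
                break
    return (winner.action, winner.label) if winner else (default, "default")


# Constructed addresses for the illustration; 192.168.1.97 is the host from the thread.
CLIENT = "192.168.1.97"
FW_LAN = "192.168.1.1"
FW_WAN = "198.51.100.2"
SERVER = "203.0.113.10"
PROXY_PORT = 3128

floating_block_no_quick = Rule("block", quick=False, src=CLIENT, label="floating block (no quick)")
floating_block_quick = Rule("block", quick=True, src=CLIENT, label="floating block (quick)")
lan_allow_all = Rule("pass", quick=True, iface="lan", direction="in", label="LAN default allow")
wan_allow_out = Rule("pass", quick=True, iface="wan", direction="out", label="WAN allow out")


def scenario_floating_without_quick() -> Tuple[str, str]:
    """Floating block without quick: the later LAN allow rule matches and wins."""
    f = Flow("lan", "in", CLIENT, SERVER, 80)
    return evaluate([floating_block_no_quick, lan_allow_all], f)


def scenario_floating_with_quick() -> Tuple[str, str]:
    """Same flow, but the Floating rule is quick, so it decides."""
    f = Flow("lan", "in", CLIENT, SERVER, 80)
    return evaluate([floating_block_quick, lan_allow_all], f)


def scenario_explicit_proxy_block() -> Tuple[str, str]:
    """Explicit mode: the browser connects to the firewall's proxy port, and a
    LAN rule blocking that client to that port stops it before the proxy sees it."""
    lan_block_client_to_proxy = Rule("block", True, "lan", "in", CLIENT, FW_LAN,
                                     PROXY_PORT, "LAN block client->proxy")
    f = Flow("lan", "in", CLIENT, FW_LAN, PROXY_PORT)
    return evaluate([lan_block_client_to_proxy, lan_allow_all], f)


def scenario_proxy_originated_traffic() -> Tuple[str, str]:
    """Transparent mode: the proxy fetches the page itself, so the outbound flow
    on WAN carries the firewall's address. A rule keyed on the client IP never matches."""
    wan_block_client = Rule("block", True, "wan", "out", src=CLIENT, label="WAN block client")
    f = Flow("wan", "out", FW_WAN, SERVER, 80)
    return evaluate([wan_block_client, wan_allow_out], f)


if __name__ == "__main__":
    for name in ("scenario_floating_without_quick", "scenario_floating_with_quick",
                 "scenario_explicit_proxy_block", "scenario_proxy_originated_traffic"):
        print(f"{name}: {globals()[name]()}")
```

    The last scenario is why the moderator's advice ends up as two controls: deny the client in the proxy's own ACL (in Squid that is an `acl ... src` line with a matching `http_access deny`), and keep a LAN block rule so the same client cannot bypass the proxy by going direct.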



  • Thanks so much for your input.
    I have done so now - and am getting the results that I want.

    Thanks once again