Floating rule with negation not applied



  • I'm using a floating rule with quick to block TOR use from LAN. The TOR alias is generated by pfBlockerNG.
    A small group of hosts is whitelisted using an alias negated on the deny rule.

    Host 192.168.1.8 is in the whitelist alias, but the firewall log reports blocked connections to TOR nodes.

    Now I will try to split the rule:

    • allow whitelisted
    • deny all




      ![Screenshot - 04282017 - 09:36:38 AM.png](/public/imported_attachments/1/Screenshot - 04282017 - 09:36:38 AM.png)



  • This is an allow rule! It allows access to TOR from any host except the whitelisted.  ???
    You may alter it to a block rule?



  • In the first image there's a block rule and I don't understand why 192.168.1.8, negated origin, is blocked as well.

    The rule is applied to LAN and GUEST interfaces, direction both. 192.168.1.8 is on LAN network.

    The rule is effective, since a TOR client in LAN is unable to establish a working circuit.



  • Maybe it's blocked because of the SYN TCP flag.
    maybe this thread helps https://forum.pfsense.org/index.php?topic=17182.0



  • It's an outbound rule, so no NAT is involved (only outbound nat)


  • LAYER 8 Global Moderator

    Outbound rule on what interface?  Your lan_if?

    What rules are on your lan_if?

    Why are you trying to do this on the floating tab.. Do you have multiple interfaces you're trying to apply this to?



  • Yes, the rule is applied to both LAN and GUEST interfaces.

    Now I tried splitting the rule:

    ALLOW quick on LAN SOURCE: 192.168.1.8 DESTINATION: TOR_ALIAS, Logged
    DENY quick on LAN & GUEST DESTINATION: TOR_ALIAS, Logged

    From the logs everything works like expected.

    In my lan_IF I have rules for the firewall itself, rules to permit other subnets, deny external smtp and dns, policy routing to VPN and policy routing to load balancer both ipv4 and ipv6.

    Since I have several WAN and LAN, I keep all pfBlocker rules on the floating tab.
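The following is an added illustration, not code from the thread or from pfSense: a small Python model of pf's "quick" evaluation, loaded with the split ruleset described in the previous post (allow the whitelisted host to TOR_ALIAS on LAN, then deny everyone else on LAN and GUEST) and, for comparison, the original single block rule with a negated source. The alias contents, interface names and the sample addresses are constructed; 198.51.100.0/24 stands in for the pfBlockerNG-generated TOR list. The model shows the intended semantics only; it does not explain why the negated form misbehaved on the poster's box.

```python
"""Toy model of pf 'quick' rule evaluation (constructed example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed alias contents. In the thread TOR_ALIAS is filled by pfBlockerNG;
# here a documentation range stands in for the TOR node list.
ALIASES = {
    "TOR_ALIAS": [ipaddress.ip_network("198.51.100.0/24")],
    "WHITELIST": [ipaddress.ip_network("192.168.1.8/32")],
}


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    interfaces: Set[str]            # interfaces the floating rule is applied to
    src: Optional[str] = None       # alias name, or None for "any"
    dst: Optional[str] = None       # alias name, or None for "any"
    negate_src: bool = False        # pf "!" on the source (the negated-alias attempt)
    quick: bool = True              # all floating rules in the thread use quick


@dataclass
class Packet:
    iface: str
    src: str
    dst: str


def in_alias(addr: str, alias: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALIASES[alias])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.iface not in rule.interfaces:
        return False
    if rule.src is not None:
        hit = in_alias(pkt.src, rule.src)
        if rule.negate_src:
            hit = not hit               # "! WHITELIST" matches everything outside the alias
        if not hit:
            return False
    if rule.dst is not None and not in_alias(pkt.dst, rule.dst):
        return False
    return True


def evaluate(ruleset, pkt: Packet, default: str = "pass") -> str:
    """pf semantics in brief: the last matching rule wins, unless a matching
    rule is 'quick', in which case evaluation stops at that rule."""
    decision = default
    for rule in ruleset:
        if rule_matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


# The split ruleset from the thread: order matters because both rules are quick.
SPLIT_RULES = [
    Rule("pass", {"LAN"}, src="WHITELIST", dst="TOR_ALIAS"),
    Rule("block", {"LAN", "GUEST"}, dst="TOR_ALIAS"),
]

# The original single rule: block to TOR_ALIAS from anything NOT in WHITELIST.
NEGATED_RULE = [
    Rule("block", {"LAN", "GUEST"}, src="WHITELIST", negate_src=True, dst="TOR_ALIAS"),
]


def decide(ruleset, iface: str, src: str, dst: str) -> str:
    return evaluate(ruleset, Packet(iface, src, dst))


if __name__ == "__main__":
    tor_node = "198.51.100.10"
    for label, rules in (("split", SPLIT_RULES), ("negated", NEGATED_RULE)):
        print(label, "whitelisted:", decide(rules, "LAN", "192.168.1.8", tor_node))
        print(label, "other LAN host:", decide(rules, "LAN", "192.168.1.20", tor_node))
        print(label, "GUEST host:", decide(rules, "GUEST", "192.168.2.5", tor_node))
    # Swapping the split rules puts the quick deny first, so the whitelist never matches.
    print("split, deny first:", decide(list(reversed(SPLIT_RULES)), "LAN", "192.168.1.8", tor_node))
```

The reversed-order case is the check worth keeping in mind when the allow and deny live on the floating tab: with quick on both, the allow for the whitelisted host must sort above the deny, or the log will show the same blocked connections the thread started with.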

