Floating rule allowing outgoing WAN traffic blocks incoming



  • Hi,

    I have a behavior with pfSense that I am trying to understand, if someone can help me…

    My current setup: WAN / LAN / DMZ routing, without NAT (public IPs assigned to WAN, LAN and DMZ)

    The working configuration:

    DMZ PASS source:any destination:any

    Easy, the DMZ computers have access to internet, great.

    Now, I add the following rule:

    FLOATING PASS interface:WAN direction:out source:any destination:any

    Thus, I only add a rule that is not supposed to block anything, it's a PASS rule, but when I enable this rule, the DMZ computer does not have internet access anymore…

    I've done a packet capture: I see the packets coming from the DMZ interface, outgoing to the WAN interface, I see the answer coming from the WAN interface, but the answer does not reach the DMZ interface... Thus, when I add a rule to pass outgoing packets, this rule blocks incoming packets...

    Does anyone have any tips for me explaining this behavior?

    Before someone asks me why I would like to add this rule: I would like to give full internet access to LAN and DMZ, but I do not like the rule DMZ PASS source:any destination:any because this rule also gives full access from DMZ to LAN, and the rule LAN PASS source:any destination:any will also give full access to DMZ. I would like to set rules based on the outgoing interface, not on the incoming interface... something like that:

    FROM * TO LAN : Block *
    FROM * TO DMZ : Pass port 80
    FROM * TO WAN : Pass *

    Thanks in advance for any tips you could give me :)


  • LAYER 8 Global Moderator

    "but i do not like the rule DMZ PASS source:any destination:any because this rule give also full access from DMZ to LAN"

    Then don't - put a rule above the any any rule that blocks DMZ access to LAN before the any any rule.  Easy Peasy Lemon Squeezy

    Rules are evaluated top down; the first rule to trigger wins, and no other rules are evaluated as traffic enters an interface.

    So if the top rule, or at least the rule above the any any rule, says dest LAN Block/Reject, then any traffic trying to go to the LAN network would be blocked.
    If not going to LAN, that rule would be skipped because it doesn't match - the dest is something other than LAN net.

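The ordering point the moderator makes above, as an added example that is not part of the thread: a small model of pfSense interface rules evaluated top-down on the interface the packet enters, where the first matching rule decides and nothing later is consulted. The networks, hosts and rule lists are constructed for the illustration; it also shows that a LAN packet toward the DMZ is dropped when no LAN rule passes it, since each interface's own rules are what admit its traffic.

```python
"""Added example (not from the thread): first-match, per-ingress-interface
rule evaluation as pfSense does it. Addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed address plan (public IPs routed without NAT, as in the thread).
LAN_NET = ip_network("203.0.113.0/24")   # hypothetical LAN net
DMZ_NET = ip_network("198.51.100.0/24")  # hypothetical DMZ net


@dataclass
class Rule:
    iface: str                          # interface the rule is attached to
    action: str                         # "pass" or "block"
    src: Optional[object] = None        # ip_network, or None for "any"
    dst: Optional[object] = None        # ip_network, or None for "any"
    dport: Optional[int] = None         # destination port, or None for "any"

    def matches(self, iface: str, src: str, dst: str, dport: int) -> bool:
        return (self.iface == iface
                and (self.src is None or ip_address(src) in self.src)
                and (self.dst is None or ip_address(dst) in self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], iface: str, src: str, dst: str, dport: int) -> str:
    """Walk the rule list top-down for the ingress interface; the first match
    wins. pfSense's implicit default is to block anything not passed."""
    for rule in rules:
        if rule.matches(iface, src, dst, dport):
            return rule.action
    return "block"


def build_dmz_rules(block_lan_first: bool) -> List[Rule]:
    """Two orderings of the same two DMZ rules: the 'block dest LAN net' rule
    above the any-any pass (correct) or below it (never reached)."""
    block_lan = Rule("DMZ", "block", dst=LAN_NET)
    any_any = Rule("DMZ", "pass")
    return [block_lan, any_any] if block_lan_first else [any_any, block_lan]


def demo() -> Dict[str, str]:
    dmz_host, lan_host = "198.51.100.10", "203.0.113.20"
    internet = "192.0.2.80"  # constructed external address
    good = build_dmz_rules(block_lan_first=True)
    bad = build_dmz_rules(block_lan_first=False)
    return {
        # block-above-any: DMZ may not reach LAN but still reaches the internet
        "good_dmz_to_lan": evaluate(good, "DMZ", dmz_host, lan_host, 445),
        "good_dmz_to_internet": evaluate(good, "DMZ", dmz_host, internet, 443),
        # any-above-block: the block rule is shadowed and never matched
        "bad_dmz_to_lan": evaluate(bad, "DMZ", dmz_host, lan_host, 445),
        # no LAN rules at all: LAN traffic is never passed, whatever DMZ says
        "lan_to_dmz_without_lan_rules": evaluate(good, "LAN", lan_host, dmz_host, 80),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `bad_dmz_to_lan` case is the trap to watch for when auditing a rule set: a block rule placed below a broader pass rule on the same interface is dead code, and the firewall GUI will not warn about it.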


    Yes, I know, but think of it: on my production firewall, I have 10 interfaces: 1 WAN & 9 different LAN/DMZ. Every time I configure a new server in one of those DMZs, I configure the firewall to allow only the relevant ports… With your solution, I must configure the same rule on each interface, meaning 10 configurations... with each time the risk of making a mistake and creating a security hole...

    It should be the purpose of the floating tab: being able to create outgoing rules...

    But, with my example, when I create a rule to allow outgoing traffic, the result is that the rule blocks incoming traffic... and I try to understand why a rule supposed to allow traffic blocks it...

    Currently, to bypass this behavior, I've created a floating rule to block incoming traffic on all interfaces with destination of my network (any IP of all my interfaces' networks), followed by a rule to allow both in/out on all my interfaces, with every floating rule configured as a "quick" rule... It's working, but I would like to understand why configuring only an "outgoing" rule to allow does not work...


  • LAYER 8 Global Moderator

    "But, with my example, when I create a rule to allow outgoing traffic, the result is that the rule blocks incoming traffic… and I try to understand why a rule supposed to allow traffic blocks it..."

    Without seeing your rules there is no way to help you.  Post screenshots of your rules and we can discuss them and how best to do what you want.



  • The rule is really simple…

    As explained, the rule only defines a PASS for everything outgoing on the WAN interface.

    If I disable this rule, I have internet access; if I enable this rule, the internet access does not work anymore (outgoing packets work, but incoming answers coming from the WAN do not).


  • LAYER 8 Global Moderator

    Dude, show me all the rules on the interfaces..  That sort of rule is completely pointless!

    Since your traffic enters pfSense through your LAN rules, it would already have to be allowed.  You could use that rule to block some specific sort of traffic that was already allowed on the LAN side interface with, say, an any any, and then you wanted to stop, say, port 25 or something.

    How does that stop you from accessing your LAN from your DMZ??


  • LAYER 8 Netgate

    It is not only pointless it can change behavior common on a WAN interface like defeating route-to, etc.

    Traffic is passed on pfSense going into an interface.

    That rule will do nothing to pass traffic if it is not already passed by the rules on the interface initially receiving the connection.

    Maintaining a firewall with a good number of inside interfaces can amount to a bit of work. At least initially.


  • LAYER 8 Global Moderator

    "i have 10 interfaces"

    How do you have these 10 interfaces set up?  From your screenshot it looks like you have no more than those 4 interfaces, since I'm not seeing any sort of slide bar on your interfaces box..


