Netgate Discussion Forum
    Rule help?

    General pfSense Questions
    7 Posts 2 Posters 995 Views
    Velcro

      I was hoping to get some feedback on my rules, including order, rules needed, redundant rules, any feedback on reducing rules yet maintaining isolation, etc.

      I have a number of interfaces and VLANs with similar rule set, I want to keep the interfaces and devices isolated.

      Any thoughts would be appreciated...
      [Attachment: IMG_0044.JPG]

    johnpoz (LAYER 8 Global Moderator)

        All of your block rules could be put into 1 rule that uses an alias.  Looks like you already have an rfc1918 alias.  Just use that, I would assume all your other networks you have listed fall into rfc1918.

        Also, unless you have downstream networks, your source should be locked to the network for this interface.  IOTvlan would be the only logical possible source address unless there are downstream networks?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    Velcro

          Thanks Johnpoz...

          "All of your block rules could be put into 1 rule that uses an alias.  Looks like you already have an rfc1918 alias.  Just use that, I would assume all your other networks you have listed fall into rfc1918."

          1 - My top 6 rules are intended to block any communication with the other interfaces; I have similar rules on each interface. Would I need to create an alias for each interface? For example, the alias to use in the iotvlan would consist of all nets except the iotvlan net?

          "Also, unless you have downstream networks, your source should be locked to the network for this interface.  IOTvlan would be the only logical possible source address unless there are downstream networks?"

          2 - Just so I am clear (I updated my image with numbers so you know what rules I am referring to), rules 1-6 should have a source of "IOTVLAN NET"?

          3 - Do I need rule 10?

          [Attachment: IMG_0159.PNG]

    johnpoz (LAYER 8 Global Moderator)

            1. Why could it not just be all of them? Just put it below where you allow 53 to your interface.

            2. Unless you have downstream networks, your source should always just be the network of that interface.  Doesn't really matter in the big picture.  But unless you have a downstream network, it should be impossible for anything other than the iotvlan network to be the source of traffic coming into your iotvlan interface.

            3. Not unless you turned off default rule logging?  And you want traffic into this interface logged.  I have default logging off, and create rules to log where I want to see blocked traffic.  For example, on my wan I only block tcp syn and log it.  The default rule blocks everything else, but I have no desire to see that noise: UDP, out of state traffic, etc.

    Velcro

              1. I just made the change to my rule set...see attached; I made some notes on the attachment so I am clear. From what I gather, the logic of this rule set is: a request for dns is made via port 53 (rule 1), rule 2 blocks access to the firewall, rule 3 blocks all access to other interfaces, rule 4 allows internet access, rule 5 blocks everything else?

              Thanks again...I am trying to make sure my rules are secure but also follow the rule logic.

              2. Not sure what a downstream network is, but I think so...don't think I have one. The interfaces are connected to devices/clients only.

              3. I need to look into the logging more...definitely want to reduce the noise.

              Thanks again...

              [Attachment: IMG_0045.JPG]

    johnpoz (LAYER 8 Global Moderator)

                A downstream network would be if you had an L3 switch or router downstream of pfSense on a transit network.  Most likely no, you do not have one ;)

                Your rules look fine.  Your firewall rule and blocking of rfc1918 could also be joined.  But the firewall rule blocks all IPs on the firewall, even the wan.  So this prevents someone from this network from accessing, say, your pfSense web GUI via the wan IP from the inside.  If your pfSense wan was rfc1918 you could just get by with your rfc1918 alias block.

                Again, your last rule isn't really needed; there is a default deny on every interface.  But if it helps you understand the flow of the rules, nothing wrong with it.

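The rule-flow points made in this thread (first-match evaluation on the interface, the "This Firewall" block catching the WAN address where an rfc1918 alias alone would not, locking the source to the interface's own network, and the implicit logged default deny) can be checked with a small first-match simulator. This is an added example and not code from the thread or from pfSense itself; the addresses, the alias contents and the `Rule`/`evaluate` helpers are constructed for illustration, and the WAN address is a public documentation-range placeholder so the "firewall vs rfc1918" distinction shows up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (assumption, not taken from the thread).
IOTVLAN_NET = ipaddress.ip_network("192.168.50.0/24")
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
IOTVLAN_GW = "192.168.50.1"   # pfSense address on the IoT VLAN
LAN_GW = "192.168.10.1"       # pfSense address on the LAN
WAN_IP = "203.0.113.7"        # public placeholder: NOT inside rfc1918

# Aliases as they would be referenced from the rule set.
ALIASES = {
    "rfc1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "IOTVLAN net": [IOTVLAN_NET],
    # "This Firewall": every address pfSense itself holds, WAN included.
    "This Firewall": [ipaddress.ip_network(a) for a in (IOTVLAN_GW, LAN_GW, WAN_IP)],
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    proto: str              # "tcp", "udp", "tcp/udp" or "any"
    src: str                # alias name
    dst: str                # alias name
    dport: Optional[int] = None
    log: bool = False


# The consolidated IOTVLAN rule set the thread arrives at, top to bottom.
# Every rule has its source locked to the interface's own network.
IOTVLAN_RULES = [
    Rule("pass", "tcp/udp", "IOTVLAN net", "This Firewall", 53),   # DNS to pfSense
    Rule("block", "any", "IOTVLAN net", "This Firewall", log=True),  # no other firewall access
    Rule("block", "any", "IOTVLAN net", "rfc1918", log=True),        # isolate from other segments
    Rule("pass", "any", "IOTVLAN net", "any"),                       # internet
]

# Variant that relies on the rfc1918 alias alone (no "This Firewall" block).
RFC1918_ONLY_RULES = [r for r in IOTVLAN_RULES
                      if not (r.action == "block" and r.dst == "This Firewall")]


def in_alias(addr: str, alias: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALIASES[alias])


def proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    if rule_proto == "any":
        return True
    if rule_proto == "tcp/udp":
        return pkt_proto in ("tcp", "udp")
    return rule_proto == pkt_proto


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int]) -> Tuple[str, Optional[int], bool]:
    """First-match evaluation of a packet arriving inbound on the interface.

    Returns (action, index of the matching rule or None, logged). None means
    the implicit default deny, which is logged unless that is turned off in
    the pfSense logging settings.
    """
    for i, r in enumerate(rules):
        if not proto_matches(r.proto, proto):
            continue
        if not in_alias(src, r.src) or not in_alias(dst, r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return (r.action, i, r.log)
    return ("block", None, True)


if __name__ == "__main__":
    host = "192.168.50.20"
    for label, rules, dst, proto, port in (
        ("DNS to pfSense", IOTVLAN_RULES, IOTVLAN_GW, "udp", 53),
        ("GUI via WAN IP, full set", IOTVLAN_RULES, WAN_IP, "tcp", 443),
        ("GUI via WAN IP, rfc1918 only", RFC1918_ONLY_RULES, WAN_IP, "tcp", 443),
        ("SSH to a LAN host", IOTVLAN_RULES, "192.168.10.25", "tcp", 22),
        ("internet", IOTVLAN_RULES, "198.51.100.9", "tcp", 443),
    ):
        print(f"{label:32s} -> {evaluate(rules, host, dst, proto, port)}")
```

The third scenario is the one johnpoz describes: with a public WAN address, dropping the "This Firewall" block and keeping only the rfc1918 block lets an IoT host reach the firewall's WAN IP, because that address is outside the alias. A packet that arrives on the IoT interface with a source outside "IOTVLAN net" matches none of the rules and falls through to the default deny.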
    Velcro

                  Thanks Johnpoz again for your help...

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.