This Firewall (self) - What does it do?



  • Hello  :)

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)

    That is the same as LAN-address, or VLANx-address? (So, 192.168.1.1?)

    Now I could imagine it to be meant to be sort of flexible, to be used in interface groups, yet, wouldn't it then be more comfortable to be added in an alias (which I don't know how to do)?

    Because now I have a FW rule on each interface, in an alias, for 192.168.x.1 + 127.0.0.1. I cannot add 'This Firewall (self)' + 127.0.0.1 to an alias.

    Is it meant to be flexible like I mentioned?

    If so, perhaps an idea to add that to the documentation?


  • Rebel Alliance Developer Netgate

    "This Firewall (self)" does what it says – It's every address on the firewall already. It's a pf macro that refers to the firewall host and any address it has, collectively.

    You might want to stop the users on LAN from reaching the GUI, for example, but you'd not only have to block them from reaching LAN but also the WAN IP address, and other local interfaces like DMZ Address.

    It can't be used in aliases because it's a pf macro, but there isn't really any need to, it will include anything you'd want to use to refer to the firewall anyhow.



  • Thank you Jim  ;D

    As you know, I'm not the light in the room when it comes to these matters, so I still don't grasp it because of my lack of knowledge of certain concepts.

    I thought the only firewall address is 192.168.1.1.

    You now say it is also WAN, and DMZ. Are there more? Like for example 127.0.0.1? And 192.168.1.255? Broadcast not, I assume? Anything else?

    Thank you again ;D


  • Rebel Alliance Developer Netgate

    Any IP address on any interface of the firewall (WAN, LAN, DMZs, Localhost, VPN interfaces…)



  • @Mr.:

    Thank you Jim  ;D

    As you know, I'm not the light in the room when it comes to these matters, so I still don't grasp it because of my lack of knowledge of certain concepts.

    Are there more? Like for example 127.0.0.1? And 192.168.1.255? Anything else?

    @jimp:

    Any IP address on any interface of the firewall (WAN, LAN, DMZs, Localhost, VPN interfaces…)

    I was sort of more looking for an all inclusive listing.

    I bought gold hoping that the pfSense book included this sort of information, but it didn't. He who decides to write a networking book that actually includes this sort of information, so that noobs in this matter (I hold 2 PhD's in economics) can finally understand this stuff, may easily become filthy rich. Fil-thy rich.

    I often ask myself why such books fail to exist in this particular field  ;D


  • Rebel Alliance Developer Netgate

    I think you're overthinking it. It's literally any address assigned anywhere on the firewall on any interface, IP Alias or CARP VIPs, etc. That's why it means "This Firewall" – It can be used on any interface for blocking traffic from or allowing to the firewall itself. Trying to give an exhaustive list would be nearly impossible. If it's an IP address on the firewall itself, it's included in the macro.

    Basically if it shows up in "ifconfig -a", it's in the macro.


  • LAYER 8 Global Moderator

    You need something to explain what "this firewall (self)" means??

    Did you click the little help button on the top right of any firewall rule screen?  That's what the ? means..

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)

    You think they should have a chapter in the book on it?  Really?



  • @jimp:

    I think you're overthinking it. It's literally any address assigned anywhere on the firewall

    You are right Jim, I am probably overthinking it  ;D

    The concept of a firewall having ~ addresses is new to non-technical people like me, and, I asked around in other technical fora, even new to some technical people ( ;D ).

    I'll leave it be as one of those things I will never understand.

    I know I can make you all cry for your mother too with some elementary econometrics  8)

    ( ;D ;D ;D )



  • @johnpoz:

    You need something to explain what "this firewall (self)" means??

    Did you click the little help button on the top right of any firewall rule screen?  That's what the ? means..

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)

    You think they should have a chapter in the book on it?  Really?


  • LAYER 8 Global Moderator

    "The concept of a firewall having ~ addresses is new to non-technical people like me, and, I asked around in other technical fora, even new to some technical people"

    Sorry but NO..  Not sure what "technical fora" you hang around but clearly they have zero to do with networking at all..  Be it a firewall or a router - if they cannot comprehend such a simple thing as a device having more than 1 address.

    As to you making us cry with economics – more like put us to sleep with boredom.. ;)



  • @Mr.:

    @jimp:

    I think you're overthinking it. It's literally any address assigned anywhere on the firewall

    You are right Jim, I am probably overthinking it  ;D

    The concept of a firewall having ~ addresses is new to non-technical people like me, and, I asked around in other technical fora, even new to some technical people ( ;D ).

    I'll leave it be as one of those things I will never understand.

    I know I can make you all cry for your mother too with some elementary econometrics  8)

    ( ;D ;D ;D )

    I love learning theory. Bring it on!

    Different strokes for different folks. What one person finds mind-bogglingly difficult, another person finds intuitively easy.  The real crux of the problem is the target demographic. Most tech info is written by and for people who have experience or education on the topic so they can leave out the boring info.

    You can't take anything personally, it's frustrating for both parties, but we should all appreciate someone's attempt to learn something new.



  • @Harvy66:

    Most tech info is written by and for people who have experience or education on the topic so they can leave out the boring info.

    You can't take anything personally, it's frustrating for both parties, but we should all appreciate someone's attempt to learn something new.

    +10 for you.



  • @johnpoz:

    more than 1 address.

    You failed to even begin to understand the beginning.

    As to you making us cry with economics – more like put us to sleep with boredom more like it.. ;)

    Too difficult for you, perhaps?

    Most people failed introductory classes, which really, really, really, aren't that difficult.

    And we at least have decent books, scientific research, and nobel prize winners, which is 'slightly' more than the IT sector has  ;D

    Sorry, I'm getting so tired of all this useless aggressiveness.

    Which, surprisingly, mostly appears to be a thing of  IT fora and some 'alternative' fora.

    And to be honest: the typical IT 'I know best/you are stupid/I have a slightly bigger one than you/I googled this wiki page so I know more than you/…/' has never been the culture on any of the BSD boards. It used to be windows/linux/apple thing only. BSD has always been about being constructive. And so it still isn't a FreeBSD/NetBSD/OpenBSD-thing. However, on pfSense it turns out to be a thing.

    Sorry, but I'm getting so tired of all this useless aggressiveness.

    So, for all people with aggressiveness problems, borderline problems, or any other problems, think about it like this: why don't you go hug something that makes you feel good?

    I unsubscribed from this thread:

    1. I don't understand the infinite number of firewall addresses Jimp explained and will accept that as a fact of life (thank you again Jim);
    2. I don't need John's negative energy and will leave that negative energy in John's own body.


  • LAYER 8 Global Moderator

    "but we should all appreciate someone's attempt to learn something new."

    I do, I really do but come on!!  How do you expect to route without more than 1 address between networks?  What is hard to understand about this statement?
    "This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)"

    You get back this..
    "I'll leave it be as one of those things I will never understand."

    You cannot understand that the interface you create in your vlan will have an IP in that vlan?  Come on this guy is a TROLL - look at his threads.. They are like this!

    I am tired of drivel like this.. Can read this sort of nonsense on the pfsense facebook or reddit.. At least here it is normally sane..



  • @johnpoz:

    "but we should all appreciate someone's attempt to learn something new."

    I do, I really do but come on!!  How do you expect to route without more than 1 address between networks?  What is hard to understand about this statement?
    "This Firewall (self) - Any IP address assigned to any interface on this firewall (pfSense 2.2+)"

    They may not have noticed that statement. I also cannot say what is or is not difficult about that statement since I have a bias based on past experience and knowledge. This is why I said it can be frustrating to both parties. You are perfectly within your right to be annoyed. I'm just saying that some of the demographic of pfSense may be outside of professional or enthusiast circles and may include people who are just inquisitive but have almost non-existent technical experience or talent.

    I myself am twice exceptional. I have several learning disabilities and make up for my weaknesses with extreme strengths in my remaining mental faculties. Some things that are "obvious" to normal people are extremely difficult or nearly impossible for me, and some things that are incredibly hard for specialists with decades of experience are intuitively trivial for me even with no prior experience or knowledge.

    I try not to judge, but I do understand being frustrated having to point out something that seems stupidly apparent to the point you feel you cannot simplify the statement any more.

    My younger sibling is just learning these issues. As a freshman, they were given special treatment and allowed to do master's level research in lieu of most 200, 300, and 400 level classes. As a sophomore, they were complaining about how stupid all of the masters working towards their PhDs were. They were later given exemption from working on group projects because they were so far above everyone else that it was not working well. This was a real issue because they were leading 6 different research projects, and were capable of doing all 6 projects faster than the rest of the teams could on their own. Later given exclusive access to an entire super computer for an entire summer to do AI research, as a junior in college. A first in their 50+ years as a world leader in super computing research Uni. By their senior year, they were making over $100k/year in contract work during their spare time (10-20 hours per week), including working with the FBI, and while handling a multi-million dollar contract to redesign a datacenter. To give context, the median household income is around $35k here.

    I told them, just because it's obvious to them does not mean almost anyone else would feel the same way. They can decide if they've been blessed or cursed with such talent.


  • LAYER 8 Global Moderator

    "They may not have noticed that statement."

    I pointed it out and BOLDED it ;)

    I love nothing more than to help the lightbulb turn on for someone new to the field..  But that guy seems to be a troll.. He is posting jokes or asking questions that are jokes ;)

    Be like taking an economics class and asking how there can be more than 1 type of currency.. And why do they have different values..

    And then when given the answer just saying - I don't get it!!

    For any device at any given time you can list off the ips it has, but since new interfaces can be added, new vlans created, new vips created, etc.. It's not possible to give you a list - While I might have an address in the 192.168/16 range - someone else might use the 172.16/12 range - or any number of public IP ranges - or etc. etc. etc..  He's going to have one hell of a time trying to comprehend IPv6 then, when interfaces can and do have multiple IPs ;)



  • I don't doubt they could be a troll, but you'd be amazed about "normal" people. I was watching a youtube video last night from some archery instructor who was talking about how many of his customers don't understand how bows and arrows work. He said he tells them to pull back the arrow, then release it. They seem dumbfounded understanding how to "release" the arrow. Let go of the !@#$ string.  How many times and ways does he need to tell the person to let go of the arrow/string before they comprehend. While I can't think of anyone I ever knew who had this issue, I guess it's a normal thing that happens all of the time.

    Sometimes it's hard to tell the difference between a troll and your average person who just doesn't get it.

    Anyway, Have a fun weekend! Come on 2.4 and FreeBSD 11.1!


  • Banned

    It seems to me that the problem is that many people who know this stuff fail to teach it for whatever reason. Either, not a good teacher, not interested in taking the time, or fail to understand the basic level that needs to be taught.

    Sometimes (most of the time) if a non-IT person is asking a question and an IT person is answering it - many (most) of the terms & topics deemed self-explanatory by the IT pro are not to the non-IT pro.

    The solutions to this are
        1. don't waste your time answering, you aren't obligated to so if it is too much to ask then just leave it be
        2. take the time to really break it down in kindergarten terms
              -You can't teach a kid about a traffic signal if they don't clearly understand stop, go, or caution (caution would be particularly complex to a child), or if they don't know their colors. The knowledge gap between an IT pro and a non-IT person is often this wide.

    As a side note, to all non-IT people the stereotypical arrogance of an IT Pro is pretty off putting. It's your job to know and you're good at it, the person you are talking to often has a job entirely unrelated to IT, why should you expect them to know - they are asking you for help correct?

    So all addresses on the firewall, as I understand it:

    Go to:
    https://hostname.domain:port/status.php#NetworkInterfaces
    or
    https://your_firewall's_IP-addr:port/status.php#NetworkInterfaces

    Ctrl+F "inet"

    I think that the range of the IPs that come up next to "inet" are all of the IPs included for "This Firewall, Self". inet6 would denote IPv6 addresses.

    Example (extra stuff removed for clarity):
    In this example, next to inet you see "192.168.10.1" followed by "192.168.10.255"
    As I understand it "This Firewall" would include 192.168.10.1, 192.168.10.255, and all IPs between the two that are currently in use on the network; this would be automatically updated as IPs are assigned and revoked. This would also include all other interfaces.

    
    vlan10: flags=--------------------------------------------
    	options=--------------------------------------------
    	ether --------------------------------------------
    	inet6 --------------------------------------------
    	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
    	nd6 options=--------------------------------------------
    	media: --------------------------------------------
    	status: --------------------------------------------
    	vlan: --- vlanpcp: --- parent interface: ---
    	groups: --------------------------------------------
    
    

    If I'm wrong someone will hopefully correct me quickly.

    Either way, that is the kind of explicit example based explanation many of us non-IT personnel often need. I totally understand that the IT Pro's are often not interested in holding our hands like that - that's your right. But it's probably best to just ignore us if you aren't interested.
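    The following is an added example (not from the thread or the pfSense project) that makes jimp's description concrete: in pf.conf the `self` keyword expands to every address assigned to every interface on the host, and the parenthesised form `(self)` is re-evaluated when addresses change. The script parses a constructed `ifconfig -a` listing and collects exactly those addresses, so you can check which IPs a rule "to (self)" would match; the interface names, addresses and the IP Alias VIP on em1 are made up for the sample.

```python
import ipaddress
import re

# Constructed sample of `ifconfig -a` output, laid out like FreeBSD/pfSense.
# Not captured from a real firewall; addresses are documentation/private ranges.
IFCONFIG_SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
	inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.2 netmask 0xffffffff broadcast 192.168.1.2
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
"""
# em1's second inet line (/32 netmask) is how an IP Alias VIP shows up; it is
# assigned to the firewall and therefore part of `self` too.

ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)")


def self_addresses(ifconfig_text):
    """Return the set of addresses assigned to any interface: the set that pf's
    `self` keyword expands to. Only the address field of each inet/inet6 line
    counts; netmask and broadcast values are not firewall addresses.
    IPv6 zone suffixes such as %em0 are stripped before parsing."""
    addrs = set()
    for line in ifconfig_text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.add(ipaddress.ip_address(m.group(2).split("%")[0]))
    return addrs


def is_self(ip, addrs):
    """True if `ip` is one of the firewall's own addresses, i.e. a rule such as
    `block in quick on em1 proto tcp from any to (self) port 443` would match it."""
    return ipaddress.ip_address(ip) in addrs


if __name__ == "__main__":
    own = self_addresses(IFCONFIG_SAMPLE)
    for ip in sorted(own, key=lambda a: (a.version, int(a))):
        print(ip)
    print("192.168.10.255 in self:", is_self("192.168.10.255", own))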

