Netgate Discussion Forum
    What does "Filter rule association" in a NAT rule do? Understanding a Port Forward?

    4 Posts 2 Posters 1.5k Views

      Velcro

      My question is specific to 2 "Port Forward" rules, however the rules were automatically added after setting up pfBlocker(awesome package!).

      I was able to get pfBlocker working with a small tweak…all good and working, but I am trying to understand what the tweak involves and does it compromise my quest for a "kinda" secure/private network?

      See the fix on the pfBlocker section:
      https://forum.pfsense.org/index.php?topic=132072.0

      Does allowing a "Pass rule on the auto NAT port redirection rules" create any more exposure on pfSense? I needed to make a change to the "Filter rule association" feature?

      Thanks

      kpa

        You do understand that a NAT rule (rdr in PF speak) allows no connection in on its own? There has to be a filter rule as well to allow the incoming traffic and that's what the filter rule association is there for, automatically set for your convenience.

        Velcro

          Thanks kpa for the note…

          I am trying to understand both NAT and specifically the DNSBL functionality in pfBlockerNG. Bear with me as I am struggling to understand the flow of "data".

          So the NAT rules are added (or specifically the "Port Forward rules") by pfBlockerNG and redirect traffic IN PFSENSE for port 80 (to port 8081) and port 443 (to port 8443) so they can be filtered using the lists I added in the "DNSBL Feeds"?

          This is all internal within pfSense and since NAT does not allow external connections to the internet on its own ("...NAT rule (rdr in PF speak) allows no connection in on its own..."), the "Filter rule association" creates this rule to allow traffic to exit pfSense? Otherwise I would need to add rules on my individual interfaces for port 8443 and 8081 (currently allowing port 80 and 443)?

          Thanks again...

          kpa

            The filter rules are there to allow the traffic to enter pfSense and be forwarded to the destination address of the NAT. Without the filter rules all traffic that was supposed to be port forwarded would not be allowed at all.

            This basic pattern does not change if you use PFBlockerNG or whatever creates the rules, the NAT rules set up the address rewriting (only!) and the filter rules control who can make connections from the outside to the forwarded port(s).

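As an added illustration, not code from the thread or from pfBlockerNG's generated rules, here is a pf ruleset fragment showing the two halves kpa describes: the rdr rule that only rewrites the destination port, and the separate pass rule that actually admits the traffic. The interface name, the `$dnsbl_vip` address and the default-deny assumption are constructed placeholders; pfSense builds its own equivalents.

```pf
# Constructed example: macros stand in for the real LAN interface and the
# DNSBL virtual IP that pfBlockerNG configures.
lan = "em1"
dnsbl_vip = "10.10.10.1"

# 1. Translation only. These rewrite the destination port of web traffic
#    aimed at the DNSBL VIP (80 -> 8081, 443 -> 8443). On their own they
#    admit no packets; they just change where a packet is headed.
rdr on $lan inet proto tcp from any to $dnsbl_vip port 80  -> $dnsbl_vip port 8081
rdr on $lan inet proto tcp from any to $dnsbl_vip port 443 -> $dnsbl_vip port 8443

# 2. Filtering. pf evaluates filter rules after translation, so the pass
#    rule must match the translated destination (8081/8443), not 80/443.
#    This is the rule the "Filter rule association" setting generates;
#    with a default-deny policy and no such rule, the redirected packets
#    are dropped, which is the behaviour kpa describes.
pass in quick on $lan inet proto tcp from any to $dnsbl_vip port { 8081, 8443 } keep state
```

On pfSense, `pfctl -s nat` lists the loaded rdr rules and `pfctl -s rules` the filter rules, which is a quick way to confirm that both halves are actually present.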