What does "Filter rule assciation" in NAT rule do? Understanding a Port Forward?



  • My question is specific to 2 "Port Forward" rules, however the rules were automatically added after setting up pfBlocker(awesome package!).

    I was able to get pfBlocker working with a small tweak…all good and working but I am trying to understand what the tweek involves and does it compromise my quest for a "kinda" secure/private network?

    See the fix on the pfBlocker section:
    https://forum.pfsense.org/index.php?topic=132072.0

    Does allowing a "Pass rule on the auto NAT port redirection rules" create any more exposure on pfSense? I needed to make a change to the "Filter rule association" feature?

    Thanks ???



  • You do understand that a NAT rule (rdr in PF speak) allows no connection in on its own? There has to be a filter rule as well to allow the incoming traffic and that's what the filter rule association is there for, automatically set for your convinience.



  • Thanks kpa for the note…

    I am trying to understand both NAT and specifically the DNSBL functionality in pfBlockerNG. Bare with me as I am struggling to understand the flow of "data".

    So the NAT rules are added(or specifically the "Port Forward rules") by pfBlockerNG and redirect traffic IN PFSENSE for port 80(to port 8081) and port 443(to port 8443) so they can be filtered using the lists I added in the "DNSBL Feeds"?

    This is all internal within pfSense and since NAT does not allow external connections to the internet on its own("...NAT rule (rdr in PF speak) allows no connection in on its own..."), the "Filter rule association" creates this rule to allow traffic to exit pfSense? Otherwise I would need to add rules on my individual interfaces for port 8443 and 8081(Currently allowing port 80 and 443)?

    Thanks again...



  • The filter rules are there to allow the traffic to enter pfSense and be forwarded to the destination address of the NAT. Without the filter rules all traffic that was supposed to be port forwarded would not be allowed at all.

    This basic pattern does not change if you use PFBlockerNG or whatever creates the rules, the NAT rules set up the address rewriting (only!) and the filter rules control who can make connections from the outside to the forwarded port(s).


Log in to reply