[SOLVED] Curious Floating Rules Behavior



  • @Derelict:

    The reason the packets are dropped in the first two examples is because your floating rule catches the traffic (actually the state creation) as it leaves the LAN interface OUTBOUND.

    Cannot possibly be correct because the packet didnt "leave" the LAN at all - that was the whole point of the test. They "left" the OPT1 and matched the floating rule because it was OUTside relative to the interface.


  • LAYER 8 Netgate

    Of course they didn't leave LAN. They were blocked by the firewall so the state was never created.

    Let's get some terminology clear:

    inside/outside

    LAN/Trusted –- inside --- FIREWALL --- outside --- Internet/Untrusted

    inbound (ingress) / outbound (egress)

    inbound  --->|
                | Interface
    outbound <--



  • @Derelict:

    Of course they didn't leave LAN. They were blocked by the firewall so the state was never created.

    Let's get some terminology clear:

    inside/outside

    LAN/Trusted –- inside --- FIREWALL --- outside --- Internet/Untrusted

    inbound (ingress) / outbound (egress)

    inbound  --->|
                | Interface
    outbound <--

    The drawing posted by johnpoz is spot on. However, it seems you guys both believe that "OUT" means "OUTbound" (or egress). "OUT" is the direction of packets relative to the interface, its is not "egress" at all.. So in my case, packets sent from the raspberry pi were OUTside relative to the LAN.


  • LAYER 8 Netgate

    OUTSIDE is a location
    OUTBOUND is a direction



  • @Derelict:

    OUTSIDE is a location
    OUTBOUND is a direction

    Whatever the case, "OUT" is neither egress traffic nor is it "OUTbound" traffic. It is traffic that is relative to the interface thats been selected.  I agree with johnpoz's drawing 100%.



  • LAYER 8 Netgate

    Exactly. You seem to confuse ingress/egress with inside/outside. That is only true when you are talking about the WAN interfaces.

    Traffic from LAN hosts INGRESSES the firewall on its way INBOUND into the LAN interface. Reply traffic for those connections EGRESSES the LAN interface on its way back OUTBOUND to the LAN hosts - relative to the LAN interface.

    The only problem here is your failure to properly comprehend these terms in English as they relate to common usage when describing firewall behavior.

    There is nothing at all curious about the floating rule behavior you have described.



  • @Derelict:

    Exactly. You seem to confuse ingress/egress with inside/outside. That is only true when you are talking about the WAN interfaces.

    The drawings and tests I performed are 100% on. The confusion regarding IN,OUT,ANY direction is because of people citing it OUT as OUTbound/egress traffic when it is not.

    @Derelict:

    Traffic from LAN hosts INGRESSES the firewall on its way INBOUND into the LAN interface.

    Agree 100%

    @Derelict:

    Reply traffic for those connections EGRESSES the LAN interface on its way back OUTBOUND to the LAN hosts - relative to the LAN interface.

    Test # 2 was the complete opposite and while I agree with your use of terms, the 'EGRESS" traffic you're referring to has nothing to do with the OUT direction.

    @Derelict:

    The only problem here is your failure to properly comprehend these terms in English as they relate to common usage when describing firewall behavior.

    This is as backwards as the terms being discussed.  EGRESS has nothing to do with OUT under floating rules.

    @Derelict:

    There is nothing at all curious about the floating rule behavior you have described.

    I didn't…


  • LAYER 8 Netgate

    The drawings and tests I performed are 100% on. The confusion regarding IN,OUT,ANY direction is because of people citing it OUT as OUTbound/egress traffic when it is not.

    Yes it is, relative to the interface. That is why you select an INTERFACE and a DIRECTION RELATIVE TO THAT INTERFACE.



  • @Derelict:

    The drawings and tests I performed are 100% on. The confusion regarding IN,OUT,ANY direction is because of people citing it OUT as OUTbound/egress traffic when it is not.

    Yes it is, relative to the interface. That is why you select an INTERFACE and a DIRECTION RELATIVE TO THAT INTERFACE.

    OUT is not "egress/outbound" traffic. Think about what you're saying above. If you agree with me that that OUT,IN,ANY are DIRECTION(s) RELATIVE TO an INTERFACE selected, then you cannot possibly say that "OUT" is egress or outbound without contradicting yourself. "OUT" is not outbound traffic


  • LAYER 8 Netgate

    I am done. Someone else's turn.



  • @Derelict:

    I am done. Someone else's turn.

    I think you have finally seen the difference and might be too proud to admit it. Don't beat yourself up because I confused "OUT" as being associated with OUTbound/egress for years until I finally sat down and went through those tests I posted. I see you and johnpoz have many postings in these forums and its great to have people actively helping one another. Don't get flustered. And dont be too proud to admit you might have learned something new in this discussion.


  • LAYER 8 Netgate

    Sigh.



  • @Derelict:

    Sigh.

    ditto



  • @Derelict:

    Sigh.

    Lots of people have holes in their firewall configs for the very reasons being discussed here."OUT" is the direction of packets relative to the interface.


  • LAYER 8 Netgate

    Now you seem to be equating "egress" with "traveling from the inside to the outside. From the trusted to the untrusted. From the LAN to the WAN/Internet."

    That is not it at all. "ingress" is "INto an interface." WAN or LAN, inside or outside, doesn't matter. It is traffic received by an interface coming into (aka ingressing) the firewall.

    "egress" is "OUT of an interface." WAN or LAN, inside or outside, doesn't matter. It is traffic transmitted by an interface going out of (aka eggressing) the firewall.

    Look at this again - Really, honestly look at it:

    inside/outside

    LAN/Trusted –- inside --- FIREWALL --- outside --- Internet/Untrusted

    inbound (ingress) / outbound (egress)

    inbound  --->|
                | Interface
    outbound <--

    You insist on using nonstandard terms. I have been trying to get on the same terminology for several posts.

    No, I don't need your money. I know I am correct. Use it to buy a dictionary.



  • @Derelict:

    "egress" is "OUT of an interface." WAN or LAN, inside or outside, doesn't matter. It is traffic transmitted by an interface going out of (aka eggressing) the firewall.

    So long as you don't associate the above as having anything to do with the "OUT" direction under floating rules, then I agree. If you're saying that it does and that "OUT" is OUTbound/egress traffic then it's simply not correct. And this confusion keeps perpetuating on these forums because people are posting stuff they dont really understand.


  • LAYER 8 Netgate

    That is exactly what it means in floating rules. That is exactly what your tests showed.

    Maybe I will take that $500. Let's make that 0.0625 bitcoin before you try to pay in zim dollars or something.



  • @Derelict:

    That is exactly what it means in floating rules. That is exactly what your tests showed.

    Maybe I will take that $500.

    So just to be absolutely clear, if you're saying then that "OUT" in floating rules applies to egress/outbound traffic, then I'm all for doing a conference with you. My test #2 showed that OUT is NOT egress outbound traffic - it is the direction of traffic relative to the interface. So if you'r still up fo it citing "Maybe I will take that $500." lets arrange for a time this weekend or next.


  • LAYER 8 Netgate

    See there you go again. Can you not read? We are both saying that OUT is RELATIVE TO THE INTERFACE. You keep bandying about this nonsense about "egress outbound traffic."

    Please define "egress outbound traffic" so everyone knows wtf you are talking about.

    There is a diagram in my signature. Use that as a reference when you describe it.

    It is per interface, nobody has ever said any different.



  • @Derelict:

    See there you go again. Can you not read? We are both saying that OUT is RELATIVE TO THE INTERFACE. You keep bandying about this nonsense about "egress outbound traffic."

    Please define "egress outbound traffic" so everyone knows wtf you are talking about.

    There is a diagram in my signature. Use that as a reference when you describe it.

    It is per interface, nobody has ever said any different.

    Gotta go to work, but Ill respond tonight/tomorrow. I feel like Bill Nye debating Ken Ham with comments like "Can you not read?".


  • LAYER 8 Global Moderator

    "Specifically, citing "green  is outbound (egress).." is a total contradiction to the drawing you posted. That green arrow is not "OUTbound", it is OUTside relative the the LAN. "

    I suggest you research ingress and egress.  These are standard networking 101 terms that if you do not grasp your going to have a hard time of it.

    edit:  Lets try it another way.  A nic or even a port on a switch is like putting a door on a house..  With pfsense or the switch being the house.  If the traffic is going into the interface from the network it is ingress - your going into the house..  if the traffic exiting the nic towards the network then its egress (leaving the house)..


  • LAYER 8 Netgate

    Good God, man. If there was confusion before you have only compounded it.


  • LAYER 8 Global Moderator

    Here maybe this video will help ;)

    Youtube Video



  • LAYER 8 Netgate

    Even that video confuses outside/inside.

    Unless you're talking about outside/inside the firewall.


  • LAYER 8 Global Moderator

    Outside is always the wire..  Connected to the nic/port..  When your talking ingress/egress to a port/nic


  • LAYER 8 Netgate

    I disagree.

    When talking outside/inside in a firewall context outside is untrusted and inside is trusted… in general terms. Toss in dmz as another branch if you like.

    Everything on every interface is "on the wire" at some point. Outside/inside have special meaning.

    Traffic/connections on a NIC is either received (inbound) or transmitted (outbound).


  • LAYER 8 Global Moderator

    "Traffic/connections on a NIC is either received (inbound) or transmitted (outbound)."

    Well stated… But the wire that plugs into the nic is always 'outside" the device... Traffic is either put on the wire from the device, egress.. Or in to the device from the wired - ingress..

    Agree you have to be clear on what context your talking with a firewall when you say outside inside.. But thought the question was in/out of an interface.. ingress, egress.. Where the rules apply - so the context seems to be clear..


  • LAYER 8 Netgate

    Clear to everyone except….



  • @Kryptos1:

    @Derelict:

    No, it controls traffic in the outbound direction on that interface. It has zero to do with whether the interface is considered to be "inside" or "outside" as is generally referred to in firewall/ASA terms.

    The second example in that test sheet confirms pfsense does not behave that way. Anyone can prove it to themselves by simply 1) starting with a factory install of pfsense 2), place two machines on two different interfaces, 3) create a floating rule specifying the LAN only (this is key because you're testing how pfsense processes OUT vs IN  packets), all Ipv4, enabled quick match, and action of drop, 4) on the OPT interface, create a normal rule under the interface tab to pass all traffic ANY to ANY (which ensures pfSense's default policy of drop doesn't interfere with the test). Then simply test all three directions (all, in, out) by passing a packets from the OPT station to the LAN and vice versa.

    When testing the OUT direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they are OUT[side] relative the the LAN.

    When testing the ANY direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they include packets that are OUT[side] relative the the LAN.

    When testing the IN direction on the floating rule, packets originating from the OPT to the LAN station PASS - because they are not OUT[side] relative the the LAN (i.e. the rule simply doesn't apply).

    Remember, the floating rule didn't even specify the OPT at all - thus "OUT[bound]" couldn't possibly be "OUT[bound]". The second test proves this, that the floating rule does not process packets as being "OUT[bound]" but rather OUT[side] (i.e. the direction of the packet relative to the interface that's been selected in the floating rule's config.)

    "When testing the OUT direction on the floating rule, packets originating from the OPT to the LAN station DROP -because they are OUT[side] relative the the LAN."

    • because they are passed from the OPT client to (INBOUND) the OPT interface and then routed to the LAN interface which sends them OUTBOUND to their destination. Because they are heading OUTBOUND from the LAN interface, they meet the OUTBOUND "drop" LAN floating rule criteria and are dropped.
    [PFSENSE BOX]     OPT INTERFACE (ADDRESS)  <---     OPT CLIENT (NET)    =    (INBOUND TO OPT INTERFACE)
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN CLIENT (NET)    =    (OUTBOUND FROM LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO OUTBOUND PACKETS
    &
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)  <---     LAN CLIENT (NET)    =    (INBOUND TO LAN INTERFACE) = PASS PACKET OUT (OUTBOUND) THE LAN INTERFACE BECAUSE MY LOGIC TELLS ME TO "PASS OUT" PACKETS  MEETING THIS RULE. 
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN (NET)           =    (OUTBOUND FROM THE LAN INTERFACE) = YOU MUST EXCLUDE LAN NET FROM SOURCE IN THE RULE TO AVOID THIS STEP. 
    

    "When testing the ANY direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they include packets that are OUT[side] relative the the LAN."

    • same as above but will also drop packets originating from a LAN client heading to (INBOUND) the LAN interface.
    [PFSENSE BOX]     OPT INTERFACE (ADDRESS)  <---     OPT CLIENT (NET)    =    (INBOUND TO OPT INTERFACE)
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN CLIENT (NET)    =    (OUTBOUND FROM LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO EITHER INBOUND OR OUTBOUND (ANY) PACKETS
    &
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)  <---     LAN CLIENT (NET)    =    (INBOUND TO LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO EITHER EITHER INBOUND OR OUTBOUND (ANY) PACKETS
    

    "When testing the IN direction on the floating rule, packets originating from the OPT to the LAN station PASS - because they are not OUT[side] relative the the LAN (i.e. the rule simply doesn't apply)."

    • because they are passed from the OPT client to (INBOUND) the OPT interface and then routed to the LAN interface which sends them OUTBOUND to their destination. Because they are heading OUTBOUND from the LAN interface, they do not meet the INBOUND "drop" LAN floating rule criteria and are passed.
    [PFSENSE BOX]     OPT INTERFACE (ADDRESS)  <---     OPT CLIENT (NET)    =    (INBOUND TO OPT INTERFACE)
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN CLIENT (NET)    =    (OUTBOUND FROM LAN INTERFACE) = PASS BECAUSE RULE APPLIES TO INBOUND PACKETS ONLY, THIS PACKET IS OUTBOUND
    &
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)  <---     LAN CLIENT (NET)    =    (INBOUND TO LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO INBOUND 
    


  • @wussupi83:

    @Kryptos1:

    @Derelict:

    No, it controls traffic in the outbound direction on that interface. It has zero to do with whether the interface is considered to be "inside" or "outside" as is generally referred to in firewall/ASA terms.

    The second example in that test sheet confirms pfsense does not behave that way. Anyone can prove it to themselves by simply 1) starting with a factory install of pfsense 2), place two machines on two different interfaces, 3) create a floating rule specifying the LAN only (this is key because you're testing how pfsense processes OUT vs IN  packets), all Ipv4, enabled quick match, and action of drop, 4) on the OPT interface, create a normal rule under the interface tab to pass all traffic ANY to ANY (which ensures pfSense's default policy of drop doesn't interfere with the test). Then simply test all three directions (all, in, out) by passing a packets from the OPT station to the LAN and vice versa.

    When testing the OUT direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they are OUT[side] relative the the LAN.

    When testing the ANY direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they include packets that are OUT[side] relative the the LAN.

    When testing the IN direction on the floating rule, packets originating from the OPT to the LAN station PASS - because they are not OUT[side] relative the the LAN (i.e. the rule simply doesn't apply).

    Remember, the floating rule didn't even specify the OPT at all - thus "OUT[bound]" couldn't possibly be "OUT[bound]". The second test proves this, that the floating rule does not process packets as being "OUT[bound]" but rather OUT[side] (i.e. the direction of the packet relative to the interface that's been selected in the floating rule's config.)

    "When testing the OUT direction on the floating rule, packets originating from the OPT to the LAN station DROP -because they are OUT[side] relative the the LAN."

    • because they are passed from the OPT client to (INBOUND) the OPT interface and then routed to the LAN interface which sends them OUTBOUND to their destination. Because they are heading OUTBOUND from the LAN interface, they meet the OUTBOUND "drop" LAN floating rule criteria and are dropped.
    [PFSENSE BOX]     OPT INTERFACE (ADDRESS)  <---     OPT CLIENT (NET)    =    (INBOUND TO OPT INTERFACE)
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN CLIENT (NET)    =    (OUTBOUND FROM LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO OUTBOUND PACKETS
    &
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)  <---     LAN CLIENT (NET)    =    (INBOUND TO LAN INTERFACE) = PASS PACKET OUT (OUTBOUND) THE LAN INTERFACE BECAUSE MY LOGIC TELLS ME TO "PASS OUT" PACKETS  MEETING THIS RULE. 
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN (NET)           =    (OUTBOUND FROM THE LAN INTERFACE) = YOU MUST EXCLUDE LAN NET FROM SOURCE IN THE RULE TO AVOID THIS STEP. 
    

    "When testing the ANY direction on the floating rule, packets originating from the OPT to the LAN station DROP - because they include packets that are OUT[side] relative the the LAN."

    • same as above but will also drop packets originating from a LAN client heading to (INBOUND) the LAN interface.
    [PFSENSE BOX]     OPT INTERFACE (ADDRESS)  <---     OPT CLIENT (NET)    =    (INBOUND TO OPT INTERFACE)
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN CLIENT (NET)    =    (OUTBOUND FROM LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO EITHER INBOUND OR OUTBOUND (ANY) PACKETS
    &
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)  <---     LAN CLIENT (NET)    =    (INBOUND TO LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO EITHER EITHER INBOUND OR OUTBOUND (ANY) PACKETS
    

    "When testing the IN direction on the floating rule, packets originating from the OPT to the LAN station PASS - because they are not OUT[side] relative the the LAN (i.e. the rule simply doesn't apply)."

    • because they are passed from the OPT client to (INBOUND) the OPT interface and then routed to the LAN interface which sends them OUTBOUND to their destination. Because they are heading OUTBOUND from the LAN interface, they do not meet the INBOUND "drop" LAN floating rule criteria and are passed.
    [PFSENSE BOX]     OPT INTERFACE (ADDRESS)  <---     OPT CLIENT (NET)    =    (INBOUND TO OPT INTERFACE)
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)   --->    LAN CLIENT (NET)    =    (OUTBOUND FROM LAN INTERFACE) = PASS BECAUSE RULE APPLIES TO INBOUND PACKETS ONLY, THIS PACKET IS OUTBOUND
    &
    [PFSENSE BOX]     LAN INTERFACE (ADDRESS)  <---     LAN CLIENT (NET)    =    (INBOUND TO LAN INTERFACE) = DROP BECAUSE RULE APPLIES TO INBOUND 
    

    Hello wussupi83,

    You nailed it. The green boxes show the area where everyone is trying to say the same thing using different terms. "Outside" to me is whatever is "plug[ed] into the nic is always 'outside" as cited by johnpoz; "Outside is always the wire.. Connected to the nic/port..". Derelict associates "outside/inside" to mean trusted vs untrusted. Whatever the case, In/Out under floating rules are directions relative to the interface.



Log in to reply