Firewall Rules - Why aren't they working immediately to block Internet Access
I have been working with VLANs and using some of my OPT LAN Ports for different subnets. I've finally wrapped my head around most of it except for one thing. The Firewall rules.
So here is what I have going on in my testing lab.
- I've got a Windows 7 laptop on VLAN20 getting an IP address of 192.168.20.100
- I've created the standard any, any rule so that VLAN20 can get out to the Internet.
- I open up a cmd window on my laptop (on VLAN20) and start continuously pinging google. (ping 184.108.40.206 - t). All is good. I get continuous replies.
- I go in to pfSense and disable that any, any rule.
- My Laptop is still pinging Google. What the? >:(
- The only way I have found to make it stop pinging Google is to stop the ping. Wait about 20 seconds and restart the ping. Then I get request timed out.
My Question: Why is it that I am able to continuously ping when I disable the any, any Firewall Rule to allow me to get out to the Internet? And yes, I have clicked on the "Monitor" link to see the process and it shows "Done" at the end.
I ask this question because I remember when using Linux to route if I input block or pass rules they went into effect immediately and I dropped pings as soon as the rule was applied.
I noticed this problem when I started inputting firewall rules to block VLAN20 from getting to the Lan. I saw the same problem with being able to ping computers on the LAN. When I turned the firewall rule on to block, they could still ping items on the LAN (if they were continually pinging). I'd break the ping, wait 20 seconds, and then I couldn't ping them.
I also saw this post https://forum.pfsense.org/index.php?topic=15632.0 but wondered if anyone had any other insight on this. Jimp has a good explanation but I could swear when using Linux it worked immediately. I could be mistaken though cause it's been a while.
Tried killing the firewall states ?
Diagnostics-> States -> Reset States
If there is a state active doesn't matter what you change the firewall rules to do.. You would have to kill any active states or let them time out on their own, have the client close them, etc.
Other firewalls might reset all states upon a change in rules, etc. Which is why some firewalls might make it look like rules take effect immediate. The advantage of not killing all states up any change in firewall rules is you can make changes like allowing traffic without worry about killing all active sessions, etc. Or even ad blocks for specific clients and not kill other sessions..
If you create a rule be for all or specific just go into the states table and kill off the active states that are in contrast to the rule you want to enforce - or just kill them all off, etc.
I think this could quite possibly be the best IT Forum EVER!!!
As soon as I went to Diagnostics–>Status-->States-->Reset States that description was exactly what I was looking for. Thanks NoBadTheBad.
And once again johnpoz your explanations are invaluable and make complete sense of how and why things work the way they do. Dude, you're awesome!
Just had to test it. Damn! You guys are smart. Yep, worked perfectly.
In general, pfSense only applies rules to newly created states, existing states are not checked.