Let traffic pass through against block/reject rules using NAT

  • I remember reading this thing in the pfSense Book about when NAT port forwards would automatically create a reply-to rule overriding the gateway set for that if/dev/alias/etc and therefore allowing it to route the traffic back from where the request came.

    Sort of based on what I think I remember, I have this DMZ of servers that I do not want to connect to the Internet but they do connect freely to other subnets. From outside, a reverse-proxy lets me reach them. If I want select apps on them to reach out I set an outbound proxy per app and not system-wide. On the firewall the rule is set to reject any traffic not going to RFC1918 and... I'm just realizing that doesn't include multicast. Oh well. It works. :)

    I'd like to do something like that but with web servers and without proxy servers. Would the firewall grant them outbound traffic if traffic (matching port forward rules, of course) reaches in? I know not setting a gateway on the servers would achieve just the same, but I'd feel a little more at ease if the firewall actively was matching, or in this case, not, traffic, versus the machines just not knowing which way is out. Does that make sense?

  • LAYER 8 Global Moderator

    If I understand your question correctly.. You're asking if you can block a server's call to the internet but allow for it to answer in response to something you forwarded.

    Yeah that should work just fine since the return traffic would be allowed by the state created when you forwarded the traffic.. Even if your firewall rule blocks the server from creating its own outbound traffic..

  • That's awesome, there's a lot of little experiments I'm gonna try -- thanks!
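
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not pfSense code: a simplified model of a stateful filter where a port-forwarded inbound connection creates a state, the server's replies pass on that state, and server-initiated traffic to non-RFC1918 destinations is still rejected. All addresses, ports and names are constructed; NAT rewriting of replies, TCP flags and state timeouts are left out.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_IP = "203.0.113.1"                                # constructed WAN address
FORWARDS = {(WAN_IP, 443): ("192.168.50.10", 443)}    # constructed port forward


class Firewall:
    """Toy stateful filter: state lookup first, rule set second."""

    def __init__(self):
        # Each state: (client_ip, client_port, server_ip, server_port)
        self.states = set()

    def wan_in(self, src, sport, dst, dport):
        """New connection arriving on WAN; passes only via a port forward."""
        target = FORWARDS.get((dst, dport))
        if target is None:
            return "block"
        self.states.add((src, sport, *target))
        return "pass (state created)"

    def dmz_in(self, src, sport, dst, dport):
        """Packet from a DMZ server entering the firewall."""
        # Replies to a forwarded connection match the existing state,
        # so the DMZ rule set is never consulted for them.
        if (dst, dport, src, sport) in self.states:
            return "pass (existing state)"
        # DMZ rules: allow RFC1918 destinations, reject everything else.
        if any(ipaddress.ip_address(dst) in net for net in RFC1918):
            return "pass (rule)"
        return "reject (rule)"


def demo():
    fw = Firewall()
    client, server = "198.51.100.7", "192.168.50.10"  # constructed hosts
    return [
        fw.wan_in(client, 51000, WAN_IP, 443),     # forwarded request
        fw.dmz_in(server, 443, client, 51000),     # server's reply
        fw.dmz_in(server, 40000, client, 443),     # server calls out on its own
        fw.dmz_in(server, 40000, "10.0.0.5", 22),  # server to internal subnet
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```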
