Netgate Discussion Forum

    Let traffic pass through against block/reject rules using NAT

    Firewalling
    3 Posts 2 Posters 314 Views
    senseivita

      I remember reading this thing in the pfSense Book about how NAT port forwards automatically create a reply-to rule overriding the gateway set for that if/dev/alias/etc. and therefore allowing it to route the traffic back to where the request came from.

      Sort of based on what I think I remember, I have this DMZ of servers that I do not want to connect to the Internet but they do connect freely to other subnets. From outside, a reverse-proxy lets me reach them. If I want select apps on them to reach out I set an outbound proxy per app and not system-wide. On the firewall the rule is set to reject any traffic not going to RFC1918 and... I'm just realizing that doesn't include multicast. Oh well. It works. :)

      I'd like to do something like that but with web servers and without proxy servers. Would the firewall grant them outbound traffic if traffic (matching port forward rules, of course) reaches in? I know not setting a gateway on the servers would achieve just the same, but I'd feel a little more at ease if the firewall was actively matching, or in this case not matching, traffic, versus the machines just not knowing which way is out. Does that make sense?

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

      johnpoz (LAYER 8 Global Moderator)

        If I understand your question correctly, you're asking if you can block a server's call to the internet but allow it to answer in response to something you forwarded.

        Yeah, that should work just fine, since the return traffic would be allowed by the state created when you forwarded the traffic, even if your firewall rule blocks the server from creating its own outbound traffic.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        senseivita
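The behaviour johnpoz describes, written out as a pf ruleset so the mechanism is visible. This is an added example, not pfSense's generated ruleset and not anything posted in the thread: interface names, the web server address 10.10.10.5 and the WAN gateway 203.0.113.1 are hypothetical, and the rules are the hand-written pf equivalent of a GUI port forward plus a "reject anything not RFC1918" rule on the DMZ interface.

```pf
# Hypothetical interfaces and hosts (assumed for this example, not from the thread)
ext_if  = "vtnet0"         # WAN
dmz_if  = "vtnet1"         # DMZ with the web servers
web_srv = "10.10.10.5"     # one DMZ web server
wan_gw  = "203.0.113.1"    # WAN default gateway, used by reply-to

# Private address space, the same idea as an RFC1918 alias in the GUI.
# Note: this does not include multicast (224.0.0.0/4) or link-local (169.254.0.0/16).
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# 1. NAT port forward: WAN:443 -> web_srv:443.
#    Translation happens before filtering, so the filter rule below
#    sees the packet with its destination already rewritten to $web_srv.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# 2. Filter rule associated with the port forward. "keep state" is what
#    matters here: the state entry created for the inbound SYN is what lets
#    the server's replies back out. "reply-to" pins replies to the WAN
#    interface and its gateway, regardless of the gateway configured on
#    the DMZ rules (the point the OP remembered from the pfSense Book).
pass in quick on $ext_if reply-to ($ext_if $wan_gw) inet proto tcp \
    from any to $web_srv port 443 flags S/SA keep state

# 3. DMZ interface rules, evaluated only for connections the DMZ hosts
#    initiate themselves. Replies to forwarded connections never reach
#    these rules because they match the existing state first.
pass in quick on $dmz_if inet from $dmz_if:network to <rfc1918> keep state

# "reject" in the GUI is "block return" in pf: the server gets a TCP RST
# or ICMP unreachable instead of a silent drop.
block return in quick on $dmz_if inet from $dmz_if:network to any
```

To check it on the box: after a client connects to WAN:443, `pfctl -ss | grep 10.10.10.5` should show a TCP state for the forwarded connection, and a connection the server opens itself to a public address (for example `curl https://example.com` from the server) should fail immediately with a reset rather than time out, while `pfctl -vsr` shows the counters on the `block return` rule increasing. Whether multicast or link-local traffic also needs an explicit pass depends on what the servers run; the table above intentionally matches only the three RFC1918 ranges, as the OP's rule does.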

          That's awesome, there's a lot of little experiments I'm gonna try -- thanks!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.