Netgate Discussion Forum

    Invert Rule question

    Category: Firewalling
    3 Posts, 3 Posters, 231 Views
    bhjitsense wrote:

      I thought I had it all figured out. I want traffic destined to 192.168.10.2 to ONLY be able to communicate over port 443 (and nothing else). So I made a block rule;
      [Screenshot: Screen Shot 2019-08-13 at 8.52.00 AM.png]

      I figured I'm reading this as "block all traffic to this address unless it's over port 443"

      Obviously I'm doing something wrong, as traffic over other ports to this address is being passed.

    KOM wrote:

        I read that rule as "Block all traffic to port 443 everywhere except 192.168.10.2"

        Also remember to reset your states after making a rule change that blocks traffic. Existing states are not affected by a rule change.

    johnpoz (LAYER 8 Global Moderator) wrote:

          Where did you put that rule, what rules are above it? What rules are below it?

          Rules are evaluated top down as traffic enters the interface from that network; the first rule to trigger wins, and no other rules are evaluated.

          That rule says if the destination is anything other than 192.168.10.2 on port 443, block. But it doesn't allow traffic to anything; if traffic doesn't match that rule it just moves to the next rule.

          So say your dest was 192.168.10.100 port 80; it would look to the rules below.

          Also ! rules can be tricky if you have any VIPs set up. You should probably be explicit in your rule design.

          If you want to allow only traffic to 192.168.10.2 on port 443 then allow that, and below it put a block all rule.

          Really need to see your full set of rules to know what is happening.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

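The evaluation behaviour the replies describe, written out as a small first-match simulator. This is an added example, not code from the thread or from pfSense: the rule fields are a constructed model of the GUI's action / destination / "not" checkbox / port, the stock "allow LAN to any" rule is assumed to sit below the poster's block rule, and the state check stands in for pf's state table. It reproduces the inverted rule as bhjitsense built it, the explicit allow-then-block design johnpoz recommends (here scoped to the host so other LAN traffic still flows; a plain block-all beneath the allow is the stricter variant), and KOM's point that an existing state is passed before the ruleset is consulted at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: str                     # destination network in CIDR notation, or "any"
    dst_invert: bool = False     # the "not" (invert) checkbox on the destination field
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, dst_ip: str, dport: int) -> bool:
        # Invert negates only the address test; the port test is unaffected.
        # That is why "block, NOT 192.168.10.2, port 443" never matches
        # traffic to 192.168.10.2 at all, whatever the port.
        if self.dst != "any":
            in_net = ip_address(dst_ip) in ip_network(self.dst)
            if in_net == self.dst_invert:
                return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


State = Tuple[str, int]  # (destination ip, destination port) of an established flow


def evaluate(rules: List[Rule], dst_ip: str, dport: int,
             states: Optional[Set[State]] = None) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet entering the interface.

    A packet belonging to an existing state is passed before the ruleset is
    looked at (hence "reset your states" after adding a block rule). Otherwise
    rules are walked top down and the first match wins; a packet that matches
    nothing falls into pf's implicit default deny.
    """
    if states and (dst_ip, dport) in states:
        return "pass", "state"
    for idx, rule in enumerate(rules):
        if rule.matches(dst_ip, dport):
            return rule.action, f"rule {idx}"
    return "block", "default"


# Assumed: the stock "Default allow LAN to any" rule sits below whatever is added.
ALLOW_LAN = Rule("pass", "any")

# The rule as bhjitsense built it: block, destination = NOT 192.168.10.2, port 443.
OP_RULES = [Rule("block", "192.168.10.2/32", dst_invert=True, dport=443), ALLOW_LAN]

# Explicit design: allow the one permitted flow, block everything else to that
# host, and leave the usual allow rule underneath for the rest of the LAN.
EXPLICIT_RULES = [
    Rule("pass", "192.168.10.2/32", dport=443),
    Rule("block", "192.168.10.2/32"),
    ALLOW_LAN,
]

# Constructed sample packets: (destination ip, destination port).
SAMPLE_PACKETS = [("192.168.10.2", 80), ("192.168.10.2", 443), ("192.168.10.100", 443)]


def compare(rules: List[Rule]) -> List[Tuple[str, int, str, str]]:
    """Evaluate the sample packets against a ruleset; handy for a side-by-side table."""
    return [(ip, port, *evaluate(rules, ip, port)) for ip, port in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, rules in (("poster's inverted rule", OP_RULES), ("explicit rules", EXPLICIT_RULES)):
        print(name)
        for ip, port, verdict, why in compare(rules):
            print(f"  {ip}:{port:<4} -> {verdict:<5} ({why})")
    # An established flow to the host on port 80 still passes even under the
    # corrected ruleset until the state is cleared.
    print("existing state:", evaluate(EXPLICIT_RULES, "192.168.10.2", 80, {("192.168.10.2", 80)}))
```

Running it shows the two readings side by side: under the inverted rule, 192.168.10.2:80 falls through to the allow rule (what the poster observed) while 192.168.10.100:443 is the traffic actually blocked (KOM's reading); under the explicit rules only 192.168.10.2:443 passes to that host, and the last line shows why a state reset is still needed after the change.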
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.