Netgate Discussion Forum
    Block outgoing connections ?

    Firewalling
    • lbm_

      Hi

      If I read the documentation, it says in several places that the interface rule tabs are only for incoming connections, not outgoing. For this reason, blocking outgoing traffic should be done with floating rules.
      Ref:
      https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
      https://docs.netgate.com/pfsense/en/latest/book/firewall/floating-rules.html#direction

      I've done some testing, and I can for sure block outgoing traffic from the LAN interface, like so.
      How can this be? I have for sure misunderstood something?

      From the Firewall Rules LAN tab. This blocks access to the internet (and much more). As soon as the rule is disabled again, internet and the other stuff starts working again..

      Screenshot from 2019-11-18 19-29-07.png

      .. There is an allow all rule, right below this one.

      • heper

        Incoming traffic on lan is likely to become outgoing traffic on wan

        • lbm_ @heper

          @heper
          Your post doesn't really make any sense? :)

          • heper @lbm_

            @lbm_
            Untitled drawing.png

            and now ?

            • Gertjan

              Another image :

              My LAN IP :

              f7332595-c2ca-477f-a5bd-1a8107218dbd-image.png

              My PC has two IPs: an IPv4 and an IPv6.

              I'll block them on the LAN firewall page:

              5d072633-f997-4536-ab78-d186f6327ded-image.png

              Nothing special on this tab, just the classic anti-lockout rule, two pfBlockerNG rules, my two "test block rules" and a final pass-all rule.

              When I hit the green button (Apply Changes) my PC can still access the pfSense GUI ...... because states are still up.
              So, I reset states:

              7e1d3238-c48d-40b1-9b72-35918b5ebe4e-image.png

              After that, the browser hangs .... My PC has no IPv4 / IPv6, so everything came to a halt (note ICMP still passes ^^).
              I block all connections going into the LAN interface.
              Local LAN traffic is still possible of course; that traffic isn't seen by pfSense.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • lbm_

                Yes, but what exactly has this to do with the rule I've created?

                From the docs:
                "Floating rules are not limited to the inbound direction like interface rules"

                The rule is created on the LAN interface with any as the destination? So because the traffic comes back, it "automatically" becomes an inbound rule?

                • kiokoman

                  "you have for sure misunderstood something"
                  You never use floating rules unless in a really uncommon scenario.
                  "only for ingoing connections, and not outgoing" where did you read this?
                  Rules for the LAN interface go on the LAN tab, and they are needed for outgoing traffic for sure.

                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                  Please do not use chat/PM to ask for help
                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                    • lbm_ @kiokoman

                      @kiokoman
                      Yes, it's highly likely :)

                      E.g. here:
                      https://docs.netgate.com/pfsense/en/latest/book/firewall/floating-rules.html#direction
                      It states "Floating rules are not limited to the inbound direction like interface rules. "

                      And here:
                      https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-basics.html
                      "Firewall rules on Interface and Group tabs process traffic in the Inbound direction and are processed from the top down,"

                      • JeGr (Moderator)

                        Both statements are right. Nevertheless, you only use floating rules if you absolutely need them. Otherwise it's simply not necessary to filter the traffic going out of one interface if you just filtered it before it got IN on the other side. That's why the pfSense docs state that it filters inbound on all interfaces.

                        So what's your point, or what are you missing to understand how to create rules? I still don't get your OP?

                        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                        • kiokoman

                          OK, first, forget about floating rules, never use them.
                          inbound = traffic generated by your clients is entering the LAN interface and going out from LAN to the internet


                          • lbm_ @kiokoman

                            @kiokoman said in Block outgoing connections ?:

                            ok first, forget about floating rules, never use it
                            inbound = traffic generated by your clients are entering the LAN interface and going out from LAN to internet

                            Aaaaah, yes. That explanation, for the stupid people like me, makes sense. Thank you! 😃

                            I was thinking of it like this.. 🤦 , which is obviously wrong..
                            inbound -> to LAN network
                            outbound -> from LAN network to X ....

                            • Gertjan @lbm_

                              @lbm_ said in Block outgoing connections ?:

                              outbound -> from LAN network to X ....

                              👍

                              Now review my post above, and try to block yourself ....
                              You'll see, it works.
                              (Have another PC (IP) ready to unblock.)


                              • lbm_ @Gertjan

                                @Gertjan said in Block outgoing connections ?:

                                @lbm_ said in Block outgoing connections ?:

                                outbound -> from LAN network to X ....

                                👍

                                Now review my post above, and try to block yourself ....
                                You'll see, it works.
                                (Have another PC (IP) ready to unblock.)

                                Yes, that's easy, and I got it working. That was the part I did not really understand, why it really did work, because I was not understanding the term "inbound" correctly.

                                • JeGr (Moderator)

                                  It's a bit tricky at first, but just think about the pfSense box as some sort of black box with lines going into it, WAN being one, LAN being another. Filtering is done "inbound", so wherever a packet "touches" the black box first, that's where you should filter it (pass/block etc.) :)

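The "black box" picture above, together with Gertjan's note that an existing state keeps passing until states are reset, can be made concrete with a small simulation. The following is an added example written for this thread; it is not pfSense or pf code and does not use pfSense's actual ruleset syntax. It models the two things the thread turns on: an interface-tab rule is evaluated "in" on the interface where the packet first enters the box (so a block on the LAN tab stops LAN clients' outbound traffic), and the state table is consulted before any rule. The addresses are constructed, and the per-direction defaults (deny when nothing matches inbound, pass outbound because the decision was already made inbound) are a modelling assumption, not a statement about pfSense's generated rules.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addresses; 203.0.113.0/24 is a documentation range standing in for "the internet".
LAN_HOST = "192.168.1.10"
OTHER_HOST = "192.168.1.20"
INTERNET_HOST = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 443


@dataclass
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out", relative to the firewall box itself
    iface: str           # "lan", "wan" or "any" (a floating rule not bound to one interface)
    src: str = "any"
    dst: str = "any"
    quick: bool = True   # interface-tab rules are always quick; floating rules are optionally quick

    def matches(self, pkt: Packet, direction: str, iface: str) -> bool:
        return (self.direction == direction
                and self.iface in ("any", iface)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


class Firewall:
    """Toy two-interface box: a LAN client's packet enters on 'lan' and leaves on 'wan'."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Set[Tuple[str, str, int]] = set()

    def reset_states(self) -> None:
        self.states.clear()

    def _verdict(self, pkt: Packet, direction: str, iface: str, default: str) -> str:
        verdict = default
        for rule in self.rules:
            if rule.matches(pkt, direction, iface):
                verdict = rule.action
                if rule.quick:
                    break        # a quick match ends evaluation; otherwise the last match wins
        return verdict

    def forward(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.states:
            return "pass (existing state)"   # the state table is checked before any rule
        # Step 1: the packet first touches the box on LAN, so "in on lan" rules decide.
        # That is where the LAN tab lives; modelled default is deny (assumption).
        if self._verdict(pkt, "in", "lan", default="block") == "block":
            return "block"
        # Step 2: the packet leaves on WAN. Only a floating rule can match "out on wan";
        # modelled default is pass because the decision was already made inbound (assumption).
        if self._verdict(pkt, "out", "wan", default="pass") == "block":
            return "block"
        self.states.add(key)
        return "pass"


def lan_tab_block() -> Tuple[str, str]:
    """lbm_'s rule set: block one host on the LAN tab, with an allow-all right below it."""
    fw = Firewall([
        Rule("block", "in", "lan", src=LAN_HOST),   # the "block outgoing" rule
        Rule("pass", "in", "lan"),                  # pass-all rule below it
    ])
    return (fw.forward(Packet(LAN_HOST, INTERNET_HOST)),
            fw.forward(Packet(OTHER_HOST, INTERNET_HOST)))


def floating_out_on_wan() -> str:
    """The same effect expressed as a floating rule matching 'out' on WAN."""
    fw = Firewall([
        Rule("pass", "in", "lan"),
        Rule("block", "out", "wan", src=LAN_HOST),
    ])
    return fw.forward(Packet(LAN_HOST, INTERNET_HOST))


def states_survive_rule_change() -> Tuple[str, str, str]:
    """Gertjan's observation: an existing state keeps passing until states are reset."""
    fw = Firewall([Rule("pass", "in", "lan")])
    pkt = Packet(LAN_HOST, INTERNET_HOST)
    before = fw.forward(pkt)                                        # passes and creates a state
    fw.rules.insert(0, Rule("block", "in", "lan", src=LAN_HOST))    # add the block rule and apply
    still = fw.forward(pkt)                                         # state still present
    fw.reset_states()
    after = fw.forward(pkt)                                         # now the block rule is hit
    return before, still, after


if __name__ == "__main__":
    print(lan_tab_block(), floating_out_on_wan(), states_survive_rule_change())
```

Running it shows the LAN-tab block and the floating out-on-WAN block reaching the same verdict for the blocked host, and the third scenario shows why the browser kept working after "Apply Changes" until the state was cleared.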

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.