Rules ordering not working



  • I noticed that my pfBlockerNG IPv4 lists that are set to allow OUTBOUND traffic to certain IPs/ASNs are not working because their rules are BELOW block rules from GeoIP or other block lists.

    A good example: I have a GeoIP rule blocking traffic to/from certain European countries. Yet I whitelisted some trusted sites in these countries, but they're being blocked because of that.

    This question has been brought up several times (ex. https://forum.netgate.com/topic/125250/firewall-rules-order), but in that thread, unless I am missing the point (which is possible), the OP's problem has not been fixed, or IMO, not cleanly.

    My rule ordering is set to pfB_Pass/Match | pfB_Block/Reject | pfSense_Pass/Match | pfSense_Block/Reject

    Yet IPv4 pass rules are BELOW IPv4 (or GeoIP) block rules. Am I misunderstanding the rule order setting? My understanding is that Allow rules (Pass) from IPv4 or DNSBL will be set on top, then their BLOCK counterparts will follow, then pfSense's standard PASS rules will be next, and finally pfSense's standard BLOCK rules will be last.

    Clearly, I am wrong. On the thread referenced above, someone suggested setting the lists as "Alias Native", and my understanding is that pfBlockerNG will ONLY create aliases and no rules. I don't want that. I want pfBlockerNG to create and manage the rules using the settings and lists I care to manage, then conform to the rule ordering setting. At least, that's the way I thought this worked.

    Why is the rule ordering not working as expected?

    Finally, I am using floating rules to make rules ordering easier for me. Please indicate if this is a problem.

    Cheers!



  • @pftdm007 said in Rules ordering not working:

    I am using floating rules to make rules ordering easier for me. Please indicate if this is a problem.

    Not a problem if you consider this:

    Floating Rules notes
    Floating rules without quick set process as “last match wins” instead of “first match wins”. Therefore, if a floating rule is set without quick and a packet matches that rule, then it also matches a later rule, the later rule will be used. This is the opposite of the other tab rules (groups, interfaces) and rules with quick set which stop processing as soon as a match is made. See Floating Rules for more details on how floating rules operate.



  • @jahonix said in Rules ordering not working:

    @pftdm007 said in Rules ordering not working:

    I am using floating rules to make rules ordering easier for me. Please indicate if this is a problem.

    Not a problem if you consider this:

    Floating Rules notes
    Floating rules without quick set process as “last match wins” instead of “first match wins”. Therefore, if a floating rule is set without quick and a packet matches that rule, then it also matches a later rule, the later rule will be used. This is the opposite of the other tab rules (groups, interfaces) and rules with quick set which stop processing as soon as a match is made. See Floating Rules for more details on how floating rules operate.

    OK, I read the pfSense documentation and have a better idea now. I see that there is a checkbox called "Quick" in the rules. All of my floating rules have this box ticked. So from the documentation:

    "Apply filtering in a “last match wins” way rather than “first match wins” (quick)"

    I take it that the first match will win. But first (or last) based on what? The rule ordering in pfBlockerNG???
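    To make the "first match wins" versus "last match wins" question concrete, here is an added example (not code from the thread, pfSense or pfBlockerNG) that simulates how pf walks an ordered rule list with and without the quick flag. The two rules mirror the situation above: a pfB_Pass rule for a trusted host and a GeoIP pfB_Block rule covering the same /24. The addresses are constructed from the RFC 5737 documentation range, and the default-deny fallback is an assumption about pfSense behaviour.

```python
import ipaddress

# Constructed rule set modelled on the thread: a pass rule for one trusted
# host and a GeoIP block rule covering its whole /24 (documentation addresses).
TRUSTED = "203.0.113.10/32"
GEOIP_BLOCK = "203.0.113.0/24"


def rule(action, dst, quick, label):
    """Build one simulated floating rule matching on destination address."""
    return {"action": action, "dst": ipaddress.ip_network(dst),
            "quick": quick, "label": label}


def evaluate(rules, dst_ip, default="block"):
    """Return (action, label) for a packet to dst_ip under pf semantics.

    Each matching rule overrides the verdict of the previous match (last match
    wins) unless the matching rule has quick set, which stops evaluation at
    once (first quick match wins). The default-deny fallback is an assumption.
    """
    ip = ipaddress.ip_address(dst_ip)
    verdict = (default, "default deny")
    for r in rules:
        if ip in r["dst"]:
            verdict = (r["action"], r["label"])
            if r["quick"]:
                break
    return verdict


def pfb_ruleset(quick):
    """pfB_Pass above pfB_Block, the order 'pfB_Pass/Match | pfB_Block/Reject' intends."""
    return [rule("pass", TRUSTED, quick, "pfB_Pass trusted host"),
            rule("block", GEOIP_BLOCK, quick, "pfB_Block GeoIP")]


def reversed_ruleset(quick):
    """The same two rules with the block rule placed above the pass rule."""
    return list(reversed(pfb_ruleset(quick)))


if __name__ == "__main__":
    for name, build in (("pass above block", pfb_ruleset),
                        ("block above pass", reversed_ruleset)):
        for quick in (True, False):
            action, label = evaluate(build(quick), "203.0.113.10")
            print(f"{name:16} quick={quick!s:5} -> {action:5} ({label})")
```

    With quick ticked, the rule that sits higher decides, so the pass rule only helps if pfBlockerNG actually places it above the GeoIP block; with quick off, the lower rule decides instead.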

