Basic Question to further my understanding of firewalling mechanics

  • When selecting a source for a rule to be applied, would there ever be a use case to select a network other than the one in which the rule is being created?

    For example:
    Interfaces: WAN, LAN and VLAN: PROD

    GUI: Firewall > Rules > LAN:
    Source: PROD net
    Destination: any

    Why does it give you the option?

    or perhaps another bit that could clarify things:
    Why would one want to use "any" as a source as opposed to the network interface that the rule pertains to? I assume any means 0.0.0.0/0...?


  • That's what I was looking for, thank you!

  • Hello!

    I am still learning pfSense, myself. About the time I asked that original question I put together a base template for interface rules based on posts in the forums by the experts. I use it as a "cover the bases", "state the obvious", "belt & suspenders" kind of rule base for new interfaces. At the risk of embarrassing myself, here it is :). Maybe it will help you. I am sure the experts will jump in with corrections and improvements.

    [attached screenshot: pfSense.glassy.local - Firewall- Rules- PRI 2020-04-19.png]

    John

  • @serbus John, your bottom rule in the PRI list is redundant. It says to block, on your PRI interface, any source to any destination over any port. It's also got zero states with zero traffic.

    Your 2 PRI to WAN rules can be summed up with a single rule - protocol both IPv4 and IPv6, source PRI net to any destination.

    Quick question - are there any hosts on this PRI interface, since none of the rules have any hits on them? Looks kinda like a ghost town. What is the PRI network, a guest network?

    Your PRI to LAN block rule would never get hit, unless you've got IPv6 running on your network. You have an allow rule directly above your block rule; the first rule to match wins, and no other rules below it are evaluated.

    Hope that helps a little... :)

    Jeff
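To make Jeff's points concrete (first match wins, the shadowed block rule, the redundant any/any block at the bottom) and to answer the original "PRI net vs any as source" question, here is an added Python model of how pfSense evaluates a rule list on one interface. This is not code from the thread or from pfSense itself; the subnets and the PRI rule set are constructed to resemble what Jeff describes, since the screenshot is not reproduced here.

```python
import ipaddress
from collections import Counter

# Constructed sample addressing (assumption, not from the thread).
NETS = {
    "PRI net": [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("2001:db8:20::/64")],
    "LAN net": [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("2001:db8:1::/64")],
}

def in_alias(alias, addr):
    """'any' (0.0.0.0/0 and ::/0) matches everything; 'X net' matches that interface's subnets."""
    return alias == "any" or any(addr in net for net in NETS[alias])

def rule_matches(rule, src, dst):
    family = {4: "IPv4", 6: "IPv6"}[src.version]
    if rule["proto"] not in (family, "IPv4+IPv6"):
        return False
    return in_alias(rule["src"], src) and in_alias(rule["dst"], dst)

def evaluate(rules, src, dst, hits=None):
    """Interface rules as pfSense applies them: the first matching rule wins and the rest are
    never looked at. Returns (rule index, action); no match means the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if rule_matches(rule, src, dst):
            if hits is not None:
                hits[i] += 1          # mimics the state/traffic counters shown in the GUI
            return i, rule["action"]
    return None, "block"

# Rules on the PRI interface, constructed to resemble the set Jeff critiques.
PRI_RULES = [
    {"action": "pass",  "proto": "IPv4",      "src": "PRI net", "dst": "LAN net"},
    {"action": "block", "proto": "IPv4+IPv6", "src": "PRI net", "dst": "LAN net"},  # shadowed for IPv4
    {"action": "pass",  "proto": "IPv4",      "src": "PRI net", "dst": "any"},
    {"action": "pass",  "proto": "IPv6",      "src": "PRI net", "dst": "any"},      # mergeable with the rule above
    {"action": "block", "proto": "IPv4+IPv6", "src": "any",     "dst": "any"},      # same effect as the default deny
]

def unhit_rules(rules, flows):
    """Indices of rules that no sample flow ever reaches (the 'zero states' rules in the GUI)."""
    hits = Counter()
    for src, dst in flows:
        evaluate(rules, src, dst, hits)
    return [i for i in range(len(rules)) if hits[i] == 0]

if __name__ == "__main__":
    flows = [("10.20.0.5", "192.168.1.10"), ("10.20.0.5", "203.0.113.9"), ("2001:db8:20::5", "2001:db8::1")]
    print(unhit_rules(PRI_RULES, flows))   # -> [1, 4]
```

A packet arriving on PRI with a non-PRI source (for example a misconfigured or spoofed host) is only caught by the any/any block, and with that rule removed the implicit default deny gives the identical result, which is why keeping the source pinned to "PRI net" costs nothing and the trailing block adds nothing.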
