Netgate Discussion Forum
    Create rule with bogons

    Firewalling
    clarknova:

      pfSense has a great feature that allows the user to block traffic from private, loopback and reserved address spaces with the simple checking of a couple boxes. It seems like an obvious extension of this functionality was missed in that I don't see any way to also block traffic to these same addresses.

      rfc1918 states that "Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks. If such a router receives such information the rejection shall not be treated as a routing protocol error."

      Is there a way to leverage these tables or aliases when creating my own firewall rules? It's easy enough to create my own alias for rfc1918 addresses, but maintaining other aliases for reserved networks, which change from time to time, seems unwieldy, especially when this appears to be a solved problem with pfSense's existing backend tables.

      Does this possibility already exist? If not, is there a reason it isn't available?

      db

    JKnott:

        @clarknova

        By default, pfSense blocks everything incoming. This means you have to specifically enable what you want to come in. Also, the ISPs should be blocking those addresses.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

    Rico:

          Hmm, I think his question is how to use the bogons table in his own firewall rules.

          -Rico

    clarknova:

            @JKnott said in Create rule with bogons:

            By default, pfSense blocks everything incoming.

            True on the WAN. But on the LAN it allows every destination. In other words, a LAN host can send a packet to a private IP address and pfSense will dutifully forward it out the WAN if there's no matching local route. rfc1918 says you should not do that.

            @JKnott said in Create rule with bogons:

            Also, the ISPs should also be blocking those addresses.

            What if pfSense is the ISP?

            @Rico said in Create rule with bogons:

            Hmm I think his questions is how to use the bogons table in own Firewall Rules.

            Yes, that's the question, and that would be lovely.

            db

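The point clarknova makes across the thread, that the two WAN checkboxes only filter traffic *from* bogon and private space while nothing stops a LAN host sending *to* such addresses, is easiest to see in pf's own rule language. The fragment below is a hand-written example added here; it is not pfSense's generated ruleset and not code from anyone on the thread. It assumes interface names igb0 (WAN) and igb1 (LAN), and a file /etc/bogons containing one IPv4 CIDR per line, which is the form pfSense loads its own `<bogons>` table from. The `<private>` table contents are the RFC 1918 blocks plus loopback; whether pfSense's bogons file also lists those ranges is not stated on this page, so they are declared separately.

```pf
# Hand-written pf fragment (added example, not pfSense's /tmp/rules.debug).
# Assumed names: WAN = igb0, LAN = igb1, bogon list at /etc/bogons.
wan_if = "igb0"
lan_if = "igb1"

# Bogon table, loaded from the file and refreshable without a reload:
#   pfctl -t bogons -T replace -f /etc/bogons
table <bogons>  persist file "/etc/bogons"

# RFC 1918 space plus loopback, i.e. what "block private networks and
# loopback addresses" covers. Declared here rather than assumed to be
# part of the bogons file.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

# What the two WAN checkboxes achieve: drop packets *from* these sources
# arriving on WAN. Do not enable the <private> rule on an interface whose
# upstream is itself a private network (pfSense behind another NAT router).
block in quick on $wan_if from <bogons>  to any label "bogons from WAN"
block in quick on $wan_if from <private> to any label "private from WAN"

# The missing half the thread asks for: drop LAN-originated packets *to*
# these destinations, so a packet for 10.99.0.1 with no local route is
# dropped instead of being forwarded out WAN. Locally reachable private
# destinations must be passed first: the firewall's own addresses (self)
# and, if present, every other directly attached private subnet, each
# needing its own pass rule ahead of the blocks.
pass  in quick on $lan_if from $lan_if:network to self
block in quick on $lan_if from $lan_if:network to <bogons>  label "LAN to bogons"
block in quick on $lan_if from $lan_if:network to <private> label "LAN to private"

# Normal LAN egress, reached only for destinations not matched above.
pass  in quick on $lan_if from $lan_if:network to any
```

Two practical notes. `pfctl -nf <file>` parses the fragment without loading it, but the `$lan_if:network` expansions require the named interfaces to exist on the host doing the check, so adjust the two macros first. And pfSense regenerates its ruleset from its configuration, so a hand-edited file does not survive a filter reload; the fragment shows the filtering logic to express in the firewall's configuration, not a file to drop onto a pfSense box. For the "what if pfSense is the ISP" case in the thread, the same `to <bogons>` and `to <private>` blocks belong on each customer-facing interface, with that interface's own network in the preceding pass rules.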
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.