Which Interface should the rule be on
I have read the documentation which says : “traffic initiated from the LAN is filtered using the LAN interface rules”.
However I am struggling to really “get it”.
Say a host on network A sends a ping to network B and I want to stop this. Intuitively it seems I need a rule on the network B interface to stop this traffic entering network B. From the docs it seems I actually need a rule on the network A interface to stop the traffic leaving the network A interface.
Is that correct ?
@alan-t PS (adding to my own post)
A more concrete example and actually what precipitated this.
I have a Unifi physical Cloudkey on Network B (the management subnet which also contains the devices this Cloudkey is managing).
The above is a link to what ports are used by this device, but I can summarize:
Local Ingress Ports (UDP 3478,5514 and more) (TCP 8080, 8443 and more)
Ingress ports required for Level 3 Management (UDP 3478) (TCP 8080, 8443 and more)
Egress ports for remote access (UDP 3478, 443) (TCP 443, 8883)
The Egress ports list in the above link contains the note “NOTE: In most cases, these ports will be open and unrestricted by default.” It seems to me that this is actually not true for pfSense because the default deny will prevent anything leaving via the Network B interface unless there is a specific rule to allow it ?
Doing my head in as to how to generate rules for this, because I cannot really grasp the interface issue.
Any help gratefully accepted :)
Say a host on network A sends a ping to network B and I want to stop this. Intuitively it seems I need a rule on the network B interface to stop this traffic entering network B.
Is that correct ?
No, it's just the opposite...
You set the rule at the interface where the traffic is originated (A)
Intuitively it seems I need a rule on the network B interface to stop this traffic
Why is that?? That doesn't seem intuitive to me at all.. Pfsense filters traffic as it enters an interface not as it leaves it.
If you filtered on traffic leaving an interface.. That traffic would transverse the firewall before you stopped. Isn't it better and more efficient to prevent the traffic from even entering the firewall if your not going to let it go where it wants to go..
net A ---- (int A) firewall (int B)----- net B
Where does it make more sense to stop traffic from net A with destination B, at int A or int B? If you stop it at int A, firewall has to do nothing with that traffic. If you stop it from entering net B as it wants to exit int B. That traffic has flowed across the firewall just to get stopped.
While you can do outbound filtering in the floating tab... It makes more sense to stop traffic from entering the firewall.
Firewall rules are evaluated as traffic enters an interface from the network its attached to. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
Traffic is always best filtered before it enters the firewall... Sure you can filter exit if you want, that can be done with pfsense as well in the floating tab... But if your filtering all entrances into a building, there is no reason to also filter the exit.. Think of it as a doorman standing in front of all the doors.. While the doorman might ask to see your ID, or your pass, ticket, or check to see if you are on a list to enter the building... When have you see a doorman asking you for this info to exit the building?
You have inbound traffic from the internet - should you let all that traffic into pfsense, and let it go wherever it wants to go - just to stop it as it tries to exit lan interface to go to the lan net? Or should you stop from even entering the firewall at the wan interface?
bmeeks last edited by bmeeks
To maybe better clarify the issue a bit, when we say "enter" we mean that you imagine yourself as the interface and you are looking at the traffic coming off the wire from the physical NIC. Traffic coming "in" to an interface is coming from the NIC and into the kernel network stack. Outbound traffic on an interface is originating from the kernel stack and heading to the physical NIC to be placed on the wire.
I think I see your "point of view" as maybe considering yourself as the kernel itself. So if you were the kernel, things would be "backwards" from the way we are describing it. But the
pffirewall in pfSense and FreeBSD acts on traffic as it enters or leaves an interface basically at the NIC point (or at least that is the best way to "visualize" the flow). So inbound traffic is analyzed and filtered at the "edge" when it enters from the NIC off the wire. If it passes the filter there, it is routed without any further checking within the kernel itself.
Thanks to all, getting my head around it now (preconceived ideas are hard to ditch !)
(preconceived ideas are hard to ditch !)
Yeah - if what your use to is host firewalls, then I can see where it might be different way to look at it. Stop app X from doing that.. Which would be leaving the host.
While you could stop lan from talking to opt via floating and doing an outbound rule on opt. It makes more sense to just drop it as it tries to enter the firewall.