Netgate Discussion Forum

    Rule Precedence

    Firewalling
    5 Posts 3 Posters 2.1k Views
    • BenKenobe

      Can anyone fill me in on rule / filtering order / precedence?

      I am running 1.2.3RC1, and I have Snort running with the latest rules.

      Firstly, I have been getting hammered by an IP address in China, port scanning all of my public IP addresses consistently for days, so I added a 'block' rule on the WAN for the entire subnet he/she is on (222.208.183.0/24) and set the protocol to ANY and the source and destination ports to ANY...

      I am not seeing any kind of block in pfSense syslogs at all because syslog won't run (keeps exiting on signal 15), but I am seeing an alert in Snort - Snort is actually blocking it, but only for 60 minutes, then we go through the whole cycle again.

      So who is the big dog - pfSense or Snort? Surely pfSense should stop any blocked addresses from even wasting my CPU cycles (getting processed by Snort).

      • gollo

        I've got a similar issue.

        I'm running 1.2 stable and would like to block individual IPs. I've set up a deny any rule on the WAN interface from source <offending IP> and the IP can still connect to all resources. I did get it to block successfully after changing it from single host to network and putting in IP/24, but that is a really broad swath. I would much rather be able to block a single IP.

        • Eugene

          If you do not specify any single rule on WAN, everything gets blocked. Do you have any servers inside, and do you have to NAT from WAN to LAN?

          http://ru.doc.pfsense.org

          • gollo

            Yes. I have a webserver on the inside and those NAT rules work fine.

            The firewall is working as advertised. It drops traffic if the port is not open. But since ports 80, 443 and FTP are open, it allows all traffic on those ports to the webserver. What I want to do is block a single IP from accessing anything, so I put in a deny all rule at the top of the list and it doesn't work; the user can still access everything.

            Thanks for the response.

            • Eugene

              @gollo:

              Yes. I have a webserver on the inside and those NAT rules work fine.

              The firewall is working as advertised. It drops traffic if the port is not open. But since ports 80, 443 and FTP are open, it allows all traffic on those ports to the webserver. What I want to do is block a single IP from accessing anything, so I put in a deny all rule at the top of the list and it doesn't work; the user can still access everything.

              Thanks for the response.

              Could you please check:

              1. Specify the source IP as 'Single host' and give us pfctl -sr | grep <wan_interface_name>
              2. Specify the source IP as 'Network /24' and give us pfctl -sr | grep <wan_interface_name>
              3. Specify the source IP as 'Network /32', check if it works and give us pfctl -sr | grep <wan_interface_name>

              http://ru.doc.pfsense.org

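The thread turns on one question: in which order pf walks the rules that pfSense generates, and why a deny rule "at the top" can still lose to a pass rule further down. The script below is an added example written for this thread; it is not pfSense, Netgate or pf code. It parses a constructed ruleset written in the style of `pfctl -sr` output (the interface name em0, the inside web server 192.168.1.10 and the well-behaved client 203.0.113.7 are assumptions; 222.208.183.0/24 is the range quoted in the first post) and evaluates packets against it the way pf does: top to bottom, a matching rule with `quick` ends the walk, and without `quick` the last matching rule wins. It also shows the shadowing case behind gollo's report, where the block rule at the top is not `quick` and a later `quick` pass rule for port 80 wins. It models pf only and says nothing about what an IDS tapping the same interface sees.

```python
"""Added example for this thread: a small simulator of how pf walks a ruleset.
It is not pfSense or Netgate code. The rule lines below are CONSTRUCTED in the
style of `pfctl -sr` output (interface em0, inside web server 192.168.1.10 and
the non-offending address 203.0.113.7 are assumptions); 222.208.183.0/24 is the
range quoted in the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ruleset: user block rule with 'quick' at the top, two NAT pass
# rules, then a catch-all block standing in for pfSense's own default-deny rule.
SAMPLE_RULES = """
block drop in quick on em0 inet from 222.208.183.0/24 to any label "USER_RULE"
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 80 flags S/SA keep state label "USER_RULE: NAT"
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 443 flags S/SA keep state label "USER_RULE: NAT"
block drop in on em0 inet from any to any label "Default deny rule"
"""

# Same ruleset, but the block rule at the top has lost its 'quick'.
SAMPLE_RULES_NO_QUICK = SAMPLE_RULES.replace(
    "block drop in quick on em0 inet from 222.208.183.0/24",
    "block drop in on em0 inet from 222.208.183.0/24", 1)

# Subset of pfctl -sr syntax handled here: inbound IPv4 rules; anything after
# the destination/port (flags, keep state, label) is ignored.
RULE_RE = re.compile(
    r"^(?P<action>block(?: drop)?|pass) in(?P<quick> quick)? on (?P<iface>\S+) inet"
    r"(?: proto (?P<proto>\w+))? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<dport>\d+))?"
)

@dataclass
class Rule:
    action: str                  # "block" or "pass"
    quick: bool                  # pf 'quick': first match is final
    iface: str
    proto: Optional[str]         # None means any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str                    # the rule line, for reporting

def _net(token: str) -> ipaddress.IPv4Network:
    """'any' is 0.0.0.0/0; a bare address becomes a /32 host network."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)

def parse_rules(text: str) -> list[Rule]:
    """Parse rule lines into Rule objects, preserving their order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule syntax: {line}")
        rules.append(Rule(
            action="block" if m["action"].startswith("block") else "pass",
            quick=m["quick"] is not None,
            iface=m["iface"],
            proto=m["proto"],
            src=_net(m["src"]),
            dst=_net(m["dst"]),
            dport=int(m["dport"]) if m["dport"] else None,
            text=line,
        ))
    return rules

def evaluate(rules, iface, proto, src_ip, dst_ip, dport):
    """Return (verdict, winning_rule) using pf's evaluation order: rules are
    walked top to bottom; a matching rule carrying 'quick' stops evaluation
    at once, otherwise the LAST matching rule wins. With no match at all pf
    passes the packet, which is why a ruleset needs an explicit catch-all."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    winner = None
    for r in rules:
        if r.iface != iface or (r.proto is not None and r.proto != proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        winner = r
        if r.quick:
            break
    return ("pass", None) if winner is None else (winner.action, winner)

if __name__ == "__main__":
    for name, text in (("with quick", SAMPLE_RULES), ("without quick", SAMPLE_RULES_NO_QUICK)):
        rules = parse_rules(text)
        for src, port in (("222.208.183.5", 80), ("203.0.113.7", 80), ("203.0.113.7", 22)):
            verdict, rule = evaluate(rules, "em0", "tcp", src, "192.168.1.10", port)
            print(f"[{name}] {src} -> 192.168.1.10:{port}: {verdict}"
                  f" ({rule.text if rule else 'no rule matched'})")
```

Run it stand-alone and the two rulesets give different verdicts for the offending address on port 80: the `quick` block wins in the first set, while in the second the later `quick` pass rule for the web server wins even though the block rule sits above it. That is the property the `pfctl -sr | grep <wan_interface_name>` output Eugene asks for lets you confirm on a real box: the block line for the offending host should appear above the NAT pass lines and carry `quick`, and its source should print as the single address or /32 you intended rather than a wider network.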
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.