Accessing an interface with no firewall rules
-
Hi Everyone,
Trying to troubleshoot a firewall configuration I have.
The primary goal is to hook up the BMC of my network appliance to an independent interface and subnet in pfSense and block all communication to them (even from LAN).
I have a LAN and this interface. LAN is something like 192.168.1.1/24 and BMC is 10.1.0.1/24. I let the BMC get an IP via DHCP, then statically mapped it via its MAC address.
I set no rules on the BMC interface, which should default to blocking all communication, but I am able to get to the BMC web interface from LAN.
Any thoughts?
-
@pfrouter Rules are applied to the interface where the traffic enters, not exits. You need a block rule on LAN above the default allow rule to block access from LAN to BMC.
-
@kom wouldn't the device not be able to reply if it was blocked?
I set a block rule on LAN with source/protocol/port set to any and destination set to the BMC network, and it is still working even after resetting the states.
-
@pfrouter The device can reply even if a rule should appear to block it because it's not initiating the conversation. A stateful firewall (like pf) tracks the states and allows replies to traffic. Notice that you don't have rules on WAN and yet you get reply traffic initiated from LAN.
Show your rules on LAN with a screenshot.
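The two points in the replies above (rules are evaluated only on the interface where traffic enters, and replies to an established flow are passed from the state table), as an added toy model in Python; this is not pfSense's or pf's own code, and the interface names, hosts and ports are constructed:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the isolated BMC segment from the thread (LAN is 192.168.1.0/24).
BMC_NET = ipaddress.ip_network("10.1.0.0/24")

@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet ENTERS on; rules are evaluated here only
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                                      # "pass" or "block"
    dst_net: Optional[ipaddress.IPv4Network] = None  # None matches any destination

@dataclass
class StatefulFirewall:
    rules: Dict[str, List[Rule]]                     # per-interface ingress rulesets
    states: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        # A reply to an established flow matches the state table and is passed
        # before any ruleset is consulted, whatever interface it arrives on.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            return "pass (state)"
        # First match wins (pfSense rules are "quick"); an interface with no
        # rules falls through to the implicit default deny.
        for rule in self.rules.get(pkt.in_if, []):
            if rule.dst_net is None or ipaddress.ip_address(pkt.dst) in rule.dst_net:
                if rule.action == "pass":
                    self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "block (default)"

def lan_to_bmc(rules: Dict[str, List[Rule]]) -> Tuple[str, str]:
    # A LAN host opens the BMC web UI, then the BMC answers on the BMC interface.
    fw = StatefulFirewall(rules)
    request = Packet("lan", "192.168.1.50", 40000, "10.1.0.20", 443)
    reply = Packet("bmc", "10.1.0.20", 443, "192.168.1.50", 40000)
    return fw.filter(request), fw.filter(reply)

# Original poster's setup: default allow on LAN, no rules at all on BMC.
ORIGINAL = {"lan": [Rule("pass")], "bmc": []}
# kom's fix: a block for the BMC network placed ABOVE the default allow on LAN.
FIXED = {"lan": [Rule("block", BMC_NET), Rule("pass")], "bmc": []}
```

With ORIGINAL the request is passed on LAN and the BMC's reply rides the resulting state entry, so the empty BMC ruleset never gets a say; with FIXED the request is dropped on LAN and no state is created, so the reply hits the default deny.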
-
@kom Thank you, that was a great explanation. I have it sorted now.