<![CDATA[Unidirectional Firewall Rule?]]>Hello

I am trying to find a way to create a firewall rule that only allows UDP traffic within a session to flow in one direction (i.e. disallowing any return packets within the session).
I would like to replicate a similar action to a stateless firewall where if I have an allow rule, there isn't a silent secondary rule to allow return traffic within the same session (state).

I am specifically trying to create this for UDP syslog traffic. Since the protocol itself never has return packets within a session, I would like to lock down the firewall rules even more by never allowing bidirectional traffic.

Does anyone know how to create such a rule in pfsense?

I have tried adding advanced options to my rules with states set to none and reply to set to no. I have also tried adding floating rules allowing WAN to LAN UDP syslog, then a rule before it blocking any packets flowing the other direction, but that still failed.

]]>https://forum.netgate.com/topic/164801/unidirectional-firewall-ruleRSS for NodeMon, 20 Apr 2026 06:11:01 GMTThu, 01 Jul 2021 11:46:12 GMT60<![CDATA[Reply to Unidirectional Firewall Rule? on Sun, 15 May 2022 14:06:27 GMT]]>@t1lance24

In case you never figured this out, or someone else stumbles across this on google.

You will need 2 rules placed in the “Floating” Rules tab. The first will block return traffic, and the second will be the allow rule. Important note: Both firewall rules must be applied to the same interface. Specifically, they must be both applied to the interface where the traffic is originally coming from (source).

Example:

Lets say we have a Syslog server at the IP of 192.168.0.10 listening on port 514. And we also have a client that wants to send Syslog messages to the server, and their IP is the 192.168.50.2. So we must allow traffic to pass from the 192.168.50.2 to the 192.168.0.10 on port 514 without allowing return communication.

The options you will need set for each rule:

BLOCK RESPONSE:

Action: Block
Interface: WAN    #TrafficSourceInterface
Direction: Out
Protocol: UDP
Source: 192.168.0.10    #syslog server
Source Port: 514
Destination: 192.168.50.2     #syslog sender
Destination Port: any
Log: Log packets
State type: None

ALLOW SYSLOG:

Action: Pass
Quick: Apply the action immediately on match
Interface: WAN    #TrafficSourceInterface
Direction: In
Protocol: UDP
Source: 192.168.50.2     #syslog sender
Source Port: any
Destination: 192.168.0.10    #syslog server
Destination Port: 514
State type: none

Should look something like below. I have this all configured on an internal firewall, with syslog senders outside my "WAN" so that will differ with other peoples setups.

examplefwrule.png

You can test this out using ncat in udp mode between two machines. Thats originally how I figured it out.

]]>https://forum.netgate.com/post/1042265https://forum.netgate.com/post/1042265Sun, 15 May 2022 14:06:27 GMT