Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unidirectional Firewall Rule?

    Firewalling
    2
    2
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      t1lance24
      last edited by

      Hello

      I am trying to find a way to create a firewall rule that only allows UDP traffic within a session to flow in one direction (i.e. disallowing any return packets within the session).
      I would like to replicate a similar action to a stateless firewall where if I have an allow rule, there isn't a silent secondary rule to allow return traffic within the same session (state).

      I am specifically trying to create this for UDP syslog traffic. Since the protocol itself never has return packets within a session, I would like to lock down the firewall rules even more by never allowing bidirectional traffic.

      Does anyone know how to create such a rule in pfsense?

      I have tried adding advanced options to my rules with states set to none and reply to set to no. I have also tried adding floating rules allowing WAN to LAN UDP syslog, then a rule before it blocking any packets flowing the other direction, but that still failed.

      E 1 Reply Last reply Reply Quote 0
      • E
        erasedhammer @t1lance24
        last edited by erasedhammer

        @t1lance24

        In case you never figured this out, or someone else stumbles across this on google.

        You will need 2 rules placed in the “Floating” Rules tab. The first will block return traffic, and the second will be the allow rule. Important note: Both firewall rules must be applied to the same interface. Specifically, they must be both applied to the interface where the traffic is originally coming from (source).

        Example:

        Lets say we have a Syslog server at the IP of 192.168.0.10 listening on port 514. And we also have a client that wants to send Syslog messages to the server, and their IP is the 192.168.50.2. So we must allow traffic to pass from the 192.168.50.2 to the 192.168.0.10 on port 514 without allowing return communication.

        The options you will need set for each rule:

        BLOCK RESPONSE:

        Action: Block
Interface: WAN    #TrafficSourceInterface
Direction: Out
Protocol: UDP
Source: 192.168.0.10    #syslog server
Source Port: 514
Destination: 192.168.50.2     #syslog sender
Destination Port: any
Log: Log packets
State type: None

        ALLOW SYSLOG:

        Action: Pass
Quick: Apply the action immediately on match
Interface: WAN    #TrafficSourceInterface
Direction: In
Protocol: UDP
Source: 192.168.50.2     #syslog sender
Source Port: any
Destination: 192.168.0.10    #syslog server
Destination Port: 514
State type: none

        Should look something like below. I have this all configured on an internal firewall, with syslog senders outside my "WAN" so that will differ with other peoples setups.

        examplefwrule.png

        You can test this out using ncat in udp mode between two machines. Thats originally how I figured it out.

        1 Reply Last reply Reply Quote 1
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.