Netgate Discussion Forum
    Block/reject rules are not working anymore…(would better say "as expected")

    Firewalling
    25 Posts 5 Posters 10.2k Views
    JanZ

      @billm:

      I admit, I haven't read this thread, but why would I want to create two rules for one again?

      –Bill

      Why would you like to do that? Absolutely no need for that…

      All rules are created like before (incoming) by default (pre-selected in pull-down menu).

      If you change the pull-down menu to "Out" in rule creation, you can block all traffic to one host with a rule in one place (interface) and not with N-1 rules (N = number of interfaces).

      Look, this is not an idealistic, philosophical or bohemian suggestion/solution, this one comes from the real world. I manage a network with 10 VLANs (lots of hosts) and as I posted before, tightening of the security design looked promising on paper while drawing circles, lines and red crosses, but when I started to convert this design to in-only rules, it turned into a massive nightmare.

      Please read back through this thread, maybe it will give you some ideas why medium to large network configs can't live without out-rules, and why even sacrificing the idea of "never letting the unwanted packet into the firewall" seems reasonable for the sake of manageability and better control over rules and packets.

      Scott, on Monday we will add some cosmetic changes to the other php files, like showing "direction" with a small arrow on the firewall_rules page or something, and then provide you with diff patches.

      Thanx for the audience and all the patience ;D

      /jan

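To make the N-1 argument from the post above concrete, here is an added pf.conf fragment (hand-written for this page, not Jan's patch and not pfSense's generated ruleset) contrasting the in-only design with a single out-rule. The interface names, the host address 192.0.2.10 and the number of VLANs are constructed placeholders.

```pf
# Added example, not from the thread or from pfSense itself.
# Constructed: four VLAN interfaces; the protected host sits behind "vlan3".
vlan1_if = "vlan1"
vlan2_if = "vlan2"
vlan3_if = "vlan3"
vlan4_if = "vlan4"
protected_host = "192.0.2.10"   # constructed placeholder address

# --- In-only design: one block rule on every OTHER interface (N-1 rules).
# Each packet is dropped on the interface it enters, so it never crosses the
# firewall, but any change to this host's policy must be repeated N-1 times.
block in quick on $vlan1_if from any to $protected_host
block in quick on $vlan2_if from any to $protected_host
block in quick on $vlan4_if from any to $protected_host

# --- Out-rule design: a single rule on the interface facing the host.
# The packet is accepted on its ingress interface and dropped only on egress,
# so it has already entered the firewall (the trade-off Jan mentions), but
# the policy for this host lives in exactly one place.
block out quick on $vlan3_if from any to $protected_host
```

Pass rules for the remaining traffic are omitted; pf's default is to pass when no rule matches, so either set of block rules is sufficient on its own to show the effect.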
      JanZ

        Scott, I believe you got all the patches, including last version of filter.inc.patch, right?

        I'm now testing this on our production firewalls under heavy traffic and everything seems to work fine. I applied my security tightening design idea, but before that I converted some "in" rules to "out" rules on the right interfaces and reduced the ruleset list by nearly 70%  8)

        Some snapshots of changed interfaces (from my test box, just not to make my security policy public :) )

        http://haktar.select-tech.si/pfsense/rules_edit.jpg
        http://haktar.select-tech.si/pfsense/rules.jpg

        Any info on what the status of these patches is? I'm now extremely happy with my patched boxes, but I believe that this is the end of upgrades for me for some time, right?

        /jan

      sullrich

          As I have told you before it is not up to me.

          I would get busy emailing Bill and Chris asking what their opinions of this are.

      pcatiprodotnet

            "I'm now extremely happy with my patched boxes"
            Oh nice, this will save so much hassle.  Is it available for embedded versions yet?

      hoba

              I suggest supplying unofficial, unsupported patches for this atm. Everybody who's using it can report back here. That gives us at least an overview of how well this is working if we consider implementing that later.

              Janz, can you do that?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.