How do firewall rules work?
-
Hello everybody,
I have some question about how firewall rules in pfSense are processed. I do know this: https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
I know that the rules are processed for each interface from top to down and the last invisible rule is a block of everything. I also know that those rules are applied to the interface where the traffic enters the firewall. So far so good.
Is always every rule processed or does pfsense stop processing further rules as soon as one rule matches?
E.g. if I have a rule "pass everything" which is followed by a rule "block everything", the firewall will pass everything. The other way around if I flip the order of these rules. For me it looks like pfSense stops processing as soon as one rule matches. If the last invisible rule is a "block everything" rule, why should I use block rules, since I could only define pass rules and the rest is blocked anyway?
I have read that it is bad to use inverted block rules like "block !VLAN_XY". Why is that? Let's say I have a couple of VLANs. One of them is called IOT_Crap. Now I am setting up rules for the IOT_Crap interface. What effect does the "source" field have? The only source that traffic can come from on this interface is IOT_Crap, isn't it?
Thanks for the help on those basic questions.
Kris
-
@ngnutzer89 said in How do firewall rules work?:
does pfsense stop processing further rules as soon as one rule matches?
Yes. Unless the rule is not set as quick; rules in floating can be set as quick or not quick. But in general yes - first rule to trigger wins, no other rules are processed.
You might set up block rules before the allows... Maybe you have for example an any any rule on your lan, but you don't want client 192.168.1.100 to be able to use that rule, so above the any any rule you block the .100 box.
Or maybe you want to allow all clients to use dns to IP address xyz, but then you want to block all other dns access, so you create an allow rule to 53 specific IP, and then below that is block all dns.
And then below that is your any any rule - that would have allowed dns, etc.
Other reasons you might use a block rule is you don't want something logged, but you want to block it, while the default deny by default logs, etc.
Depending on what exactly you're doing - sure, allow specifics, and then the default deny would be all you need.
As to inverted or bang rules - there have been issues when using VIPs that have caused some issues with inverted rules. It is always better to explicitly allow or deny traffic - it's easier to read and interpret than an inverted rule. While there are use cases for them - if you are going to use them, just make sure you test that they work exactly how you want them to work.
As source on an interface - generally yes, you would limit the source network to that network, i.e. IOT_Crap. But maybe the interface is a transit network and there are other downstream networks that will use this interface that are not part of the iot_crap network.
Or maybe you want to allow or block only a specific IP in the iot_crap network, and not the whole network, so you would adjust the source to be only the IP or IP/CIDR of the hosts you want to allow or block, etc.
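An added example (not from the thread) that simulates the first-match behaviour the reply describes: rules are walked top to bottom, the first matching quick rule wins, non-quick rules only remember a match and keep walking, and a hidden logging default deny catches anything unmatched. The ruleset, addresses and the resolver IP 203.0.113.53 are constructed for illustration.

```python
# Added example: a minimal first-match rule evaluator modelled on how pfSense
# processes an interface's rule list (not pfSense code; simplified model).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None # None = any destination port
    log: bool = False           # user rules log only if asked to
    quick: bool = True          # floating rules may be non-quick

def _in(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return _in(rule.src, src) and _in(rule.dst, dst) and rule.dport in (None, dport)

def evaluate(rules, src: str, dst: str, dport: int) -> Tuple[str, Union[int, str], bool]:
    """Return (action, index of the deciding rule or 'default', logged)."""
    last = None
    for i, r in enumerate(rules):
        if matches(r, src, dst, dport):
            if r.quick:
                return r.action, i, r.log      # first quick match wins, stop here
            last = (r.action, i, r.log)        # non-quick: last match wins, keep walking
    # Hidden default deny at the end of every interface ruleset; it logs.
    return last if last else ("block", "default", True)

# Constructed LAN ruleset reproducing the reply's examples, top to bottom.
LAN = [
    Rule("block", src="192.168.1.100/32"),            # keep .100 off the any/any rule below
    Rule("pass", dst="203.0.113.53/32", dport=53),    # DNS only to the permitted resolver
    Rule("block", dport=53, log=False),               # silently drop all other DNS
    Rule("pass"),                                     # any/any for everyone else
]

if __name__ == "__main__":
    for pkt in [("192.168.1.100", "198.51.100.9", 80), ("192.168.1.50", "203.0.113.53", 53),
                ("192.168.1.50", "198.51.100.9", 53), ("192.168.1.50", "198.51.100.9", 443)]:
        print(pkt, "->", evaluate(LAN, *pkt))
```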
-
@ngnutzer89 said in How do firewall rules work?:
Why should I use block rules since I could only define pass rules and the rest is blocked anyways?
Two reasons. You might want to block a portion of an otherwise permitted block of addresses. Also, a rule you create can generate a log entry, whereas the default rule won't.
-
A little bit tangential to the topic:
pfctl -sr
That command, when run from the GUI (Diagnostics, Command Prompt, Execute Shell Command) or from a console session, will give you the expanded rules in the order they get applied. I find it helpful to understand or walk a packet through.
-
@johnpoz Thank you very much for the enlightening comments. Now it makes sense to me.
Last question: I set up an OpenVPN server on my pfSense. Even though I have not assigned OpenVPN to an interface, OpenVPN shows up on the firewall rules page. Obviously I cannot define OpenVPN as a source in my rules since there is no interface. On the other hand, I should not need that since there are only a couple of users and there is no embedded network downstream, right?
What is the benefit of assigning an interface to OpenVPN? Should I do that?
-
You would for sure want to assign an interface for a client connection from pfSense to some vpn service, so it can use that interface as a gateway.
As to running a vpn server on pfSense: no, you don't really need to assign an interface. But you could use the tunnel networks that you assigned as ways to filter different clients using different vpn instances. Or you could assign specific clients specific IPs via the client overrides and then create rules to allow that specific client access to something you block other clients from, or block specific clients from talking to specific stuff on your lan side networks, etc.
The general OpenVPN tab that comes up in firewall rules when you create a vpn instance is what you would use for firewalling different aspects of your vpn clients.