Firewall Rule Enabled, Client Can Still Access Gateway?
-
Ok, so in my testing I think I understand what's happening, but I would like a definitive answer.
Assume the defaults with the network from a fresh install on actual hardware.
pfSense --> 192.168.1.1
DNS --> 8.8.8.8
PC --> 192.168.1.2
Gateway 192.168.1.1
DNS --> 8.8.8.8
Let's say I open 4 Windows cmd prompts and continuously ping the following addresses: 1.1.1.1, 208.67.220.220, google.com, and 192.168.1.1.
Now I have a simple firewall rule in pfSense to enable "LAN net" to "ANY".
With the above I should be able to ping all three addresses without issue continuously.
While the pinging is going on, I disable that firewall rule. The pinging in all 4 cmd prompts that was started earlier continues without fail.
What I've noticed is that new pings (start a new cmd prompt or use an existing one) out to 1.1.1.1, 208.67.220.220, and google.com fail as they should. I'm assuming that, since the command is started over again, a new socket is required.
What I'm not understanding is this next bit. New pings to 192.168.1.1 continue to receive responses. The only thing that will stop this is if I disable/re-enable the interface and start the command over again.
Is this by design? Why is this happening?
-
@patg_84 It all comes down to states. If the state is still open, then even if you create a rule to block, traffic is allowed per the state until the state is no longer there, because states are matched before rules are evaluated.
You don't need to disable/enable an interface to clear states; just kill them in the state table, or wait for them to time out on their own.
-
@patg_84 What John said :) but docs: https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#check-the-state-table
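The two replies above describe pf's evaluation order (state table first, rule set only for packets that match no state) and the two ways a stale state goes away (kill it, or let it idle out). The following is an added toy model of that behaviour, written for this thread and not code from pfSense or the posters. The network, the ICMP echo identifiers, the idle timeout value and the first-match-wins rule order are constructed for the illustration; it walks through the poster's own steps: rule on, ping, rule off, old ping keeps passing, new ping is dropped, kill or expire the state, old ping is dropped too.

```python
"""Toy model of pf's state-then-rules evaluation (added illustration, not pfSense code).

pf checks a packet against the state table first; only a packet that matches no
existing state is run through the rule set.  So a flow whose state was created
while the "LAN net -> any" rule was enabled keeps passing after the rule is
disabled, until that state is killed or times out.  Addresses, ICMP ids and the
timeout below are constructed values for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Key a state is matched on: protocol, endpoints and, for ICMP, the echo id."""
    proto: str
    src: str
    dst: str
    ident: int  # ICMP echo identifier (or a port for TCP/UDP)


@dataclass
class Rule:
    action: str     # "pass" or "block"
    src_net: str    # e.g. "192.168.1.0/24" stands in for "LAN net"
    enabled: bool = True

    def matches(self, flow: Flow) -> bool:
        return self.enabled and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)


class StatefulFirewall:
    STATE_TIMEOUT = 10  # seconds of idleness before a state expires (constructed value)

    def __init__(self, rules, default="block"):
        self.rules = list(rules)
        self.default = default              # pfSense's implicit default deny
        self.states: dict[Flow, float] = {}  # flow -> time of last matching packet

    def handle(self, flow: Flow, now: float) -> str:
        """Return the verdict for one packet: state table before rules."""
        if flow in self.states:
            self.states[flow] = now          # refresh the idle timer, no rule lookup
            return "pass:state"
        for rule in self.rules:              # first match wins (pfSense rules are "quick")
            if rule.matches(flow):
                if rule.action == "pass":
                    self.states[flow] = now  # a pass rule creates the state
                return f"{rule.action}:rule"
        return f"{self.default}:default"

    def expire(self, now: float) -> None:
        """Drop states idle longer than STATE_TIMEOUT (what 'waiting them out' does)."""
        self.states = {f: t for f, t in self.states.items() if now - t < self.STATE_TIMEOUT}

    def kill_states(self, host: str) -> int:
        """Remove every state involving host, like killing them from the state table."""
        doomed = [f for f in self.states if host in (f.src, f.dst)]
        for f in doomed:
            del self.states[f]
        return len(doomed)


def run_scenario() -> dict:
    """Replay the thread's experiment and return the verdict at each step."""
    lan_any = Rule("pass", "192.168.1.0/24")
    fw = StatefulFirewall([lan_any])
    ping1 = Flow("icmp", "192.168.1.2", "1.1.1.1", ident=1)  # the ping started earlier
    ping2 = Flow("icmp", "192.168.1.2", "1.1.1.1", ident=2)  # a fresh ping, new echo id
    out = {}
    out["rule_on_first_ping"] = fw.handle(ping1, now=0)         # passes by rule, state made
    lan_any.enabled = False                                      # disable the LAN net -> any rule
    out["rule_off_existing_flow"] = fw.handle(ping1, now=1)     # still passes, by state
    out["rule_off_new_flow"] = fw.handle(ping2, now=1)          # no state, no rule: dropped
    fw.kill_states("192.168.1.2")                                # kill the host's states
    out["after_kill_existing_flow"] = fw.handle(ping1, now=2)   # now dropped too
    # The same outcome arrives on its own once a state sits idle past the timeout.
    lan_any.enabled = True
    fw.handle(ping1, now=3)                                      # re-create the state
    lan_any.enabled = False
    fw.expire(now=3 + StatefulFirewall.STATE_TIMEOUT)
    out["after_timeout_existing_flow"] = fw.handle(ping1, now=14)
    return out


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:28} {verdict}")
```

On a real pfSense box the equivalents of `kill_states` and of inspecting `states` are Diagnostics > States in the GUI, or `pfctl -ss` to list states and `pfctl -k <host>` to kill every state to or from a host from the shell; the linked doc page covers the GUI route.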