pfBlockerNG and floating rules: To float or not to float?
-
Hi everyone.
I posted this on Lawrence Systems forums too and doing the same here to reach out to a wider audience.
I have reviewed several pfBlocker-NG setups on YouTube and other sites, including Tom's videos, and wanted to get your thoughts, suggestions and recommendations on whether you prefer setting up floating rules with this pfSense package or not.
Thanks in advance!
-
@MarinSNB said in pfBlockerNG and floating rules: To float or not to float?:
Hi everyone.
I posted this on Lawrence Systems forums too and doing the same here to reach out to a wider audience.
I have reviewed several pfBlocker-NG setups on YouTube and other sites, including Tom's videos, and wanted to get your thoughts, suggestions and recommendations on whether you prefer setting up floating rules with this pfSense package or not.
Thanks in advance!
I generally stay away from floating rules in almost all cases. I much prefer to be able to see the current rules hierarchy on each interface. So I create (and clone) my pfBlockerNG rules on all interfaces - it takes a while, but is very much easier to interpret afterwards.
The only exception is that I do use floating rules for access to the pfBlockerNG/Unbound sink webserver’s VIP address -
I have some pfBlocker generated rules as floating/quick. Some of which protect a few forwarded ports on the WAN interface.
I have logging turned on for these rules and, whilst it works as expected, one thing puzzles me: the logged DST IP is sometimes the WAN interface and sometimes the internal forwarded-to IP. I don't understand why this variation occurs. Is it a consequence of 'floating' rules? Whilst the rules concerned are 'floating', they're assigned only to the WAN interface. It seems as if the rule can be evaluated before or after NAT occurs?
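As an added illustration (not from the thread, and not the ruleset pfBlockerNG itself generates), here are the two layouts discussed above written in pf.conf syntax, plus a port forward next to the filter rule that covers it. Interface names, the table name and the internal host 10.0.0.5 are assumed.

```pf
# Translation rules are read before filter rules in pf, so the rdr comes first.
# A port forward: rdr rewrites the destination before filtering, so any
# filter rule on wan that covers this traffic sees 10.0.0.5 as the destination,
# not the WAN address (assumed addresses, for illustration only).
rdr on wan inet proto tcp from any to (wan) port 443 -> 10.0.0.5 port 443

# Block-list table, populated from a file (path and table name assumed).
table <pfB_blocklist> persist file "/var/db/aliastables/pfB_blocklist.txt"

# "Floating, quick" style: listed on wan here, but not tied to the per-interface
# ruleset; quick means the first match ends evaluation, nothing below is checked.
block in quick log on wan inet proto { tcp udp } from <pfB_blocklist> to any label "pfB_floating_quick"

# Per-interface style ("create and clone on every interface"): each rule lives in
# that interface's own list and is read top-down there, no quick, last match wins.
block in log on lan  inet proto { tcp udp } from any to <pfB_blocklist> label "pfB_lan"
block in log on opt1 inet proto { tcp udp } from any to <pfB_blocklist> label "pfB_opt1"

# Filter rule for the forward above, matching the post-rdr destination.
pass in quick log on wan inet proto tcp from any to 10.0.0.5 port 443 flags S/SA keep state label "fwd_443"
```

On a pfSense box the GUI writes /tmp/rules.debug from its own config; use this fragment for reading the evaluation order, not as a drop-in replacement for that file.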