Netgate Discussion Forum
Subnet & Address w/ source and destination of firewall rules

Category: Firewalling
  • CatSpecial202, Jan 11, 2025, 5:27 PM (last edited Jan 11, 2025, 5:43 PM)

    What is the difference between using these in the source and destination drop down within firewall rules?

    Are there any default Pass and Block rules built into these as well?

    <interface subnet>
    <interface address>

    What are examples of when you'd want to use both, either, or neither?

    • bmeeks @CatSpecial202, Jan 11, 2025, 9:24 PM (last edited Jan 11, 2025, 9:30 PM)

      @CatSpecial202 said in Subnet & Address w/ source and destination of firewall rules:

      What is the difference between using these in the source and destination drop down within firewall rules?

      Are there any default Pass and Block rules built into these as well?

      <interface subnet>
      <interface address>

      What are examples of when you'd want to use both, either, or neither?

      <interface subnet> is the network block or subnet the interface resides in. For example, 192.168.0.0/24 (where /24 denotes how many bits comprise the network portion of the address; the remaining bits define the host). That includes all addresses between 192.168.0.1 and 192.168.0.255 (although 255 is the broadcast address and not used for hosts).

      <interface_address> is the explicit single address assigned to the interface in pfSense. For example, 192.168.0.1/32 (where the /32 indicates a specific address in the netblock).

      You might use <interface_address> when prohibiting certain kinds of traffic from reaching the firewall itself. <interface_subnet> might be used when defining the source of inbound traffic on the interface to exclude any host that does not have an IP within that netblock.

      • CatSpecial202 @bmeeks, Jan 13, 2025, 3:27 AM

        @bmeeks Thank you for the explanation. For each interface, due to the router's "default deny" property, do we need to explicitly allow access to the <interface address> for any rule permitting communication outside its own subnet?

        Additionally, if we want to enable broader access outside our intranet, would we need to allow access to the <WAN address>?

        • johnpoz (LAYER 8 Global Moderator) @CatSpecial202, Jan 13, 2025, 3:30 AM

          @CatSpecial202 said in Subnet & Address w/ source and destination of firewall rules:

          would we need to allow access to the <WAN address>?

          No - that would be access to the wan address, not the internet.

          If you allow access to any, which would be the internet - that would give you access to pfsense IP on that network, because its IP would fall under "any" ;)

          • CatSpecial202 @johnpoz, Jan 16, 2025, 2:48 AM

            @johnpoz

            How can I allow an interface access to the internet without using "any" as the destination in the firewall rule?

            I understand that "any" would include all interface addresses, which I want to avoid. Is there a better way to limit the destination to only external internet traffic?

            • chpalmer @CatSpecial202, Jan 16, 2025, 2:51 AM

              @CatSpecial202 said in Subnet & Address w/ source and destination of firewall rules:

              How can I allow an interface access to the internet without using "any" as the destination in the firewall rule?

              I understand that "any" would include all interface addresses, which I want to avoid. Is there a better way to limit the destination to only external internet traffic?

              On the given interface.. set up block rules for each network you do not want to give access to.. then the last rule is the any rule..

              Rules are parsed from the top to the bottom. If you block a certain location first the any rule will not override that block rule.

              • CatSpecial202 @chpalmer, Jan 16, 2025, 3:33 AM

                @chpalmer But doesn't this take away the whole principle of an "implicit deny"? We should only have allow rules within each interface?

                • chpalmer @CatSpecial202, Jan 16, 2025, 3:41 AM (last edited Jan 16, 2025, 3:44 AM)

                  @CatSpecial202 No. If you do not have any rules then everything is denied by default. Once you start adding rules then the top rule is parsed first.

                  block
                  block
                  block
                  then "allow all" that does not violate the block rule(s) above it.

                  Anything not expressly stated by the rules above then hits the default deny rule.

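The two ideas the thread turns on, "<interface address>" being a single /32 versus "<interface subnet>" being the whole netblock, and the block-then-allow-any layout that chpalmer describes sitting on top of the implicit deny, are easy to see in a small rule evaluator. The script below is an added example written for this page; it is not pfSense code and does not read a pfSense config. It models only what the thread discusses: every rule is first-match (pfSense applies "quick" to GUI rules), rules are evaluated top to bottom, and anything unmatched is blocked. The interface addressing (LAN 192.168.0.1/24, OPT1 10.10.10.1/24, WAN 203.0.113.7/24), the "rfc1918" alias and the rule descriptions are all constructed for illustration; ports and protocols are deliberately ignored.

```python
"""Toy first-match firewall evaluator in the style of a pfSense interface tab.

Added example for this thread, not pfSense code.  Interface addresses, the
'rfc1918' alias and every rule below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed lab addressing (constructed, not taken from the thread).
IFACE_ADDR = {
    "LAN": "192.168.0.1/24",
    "OPT1": "10.10.10.1/24",
    "WAN": "203.0.113.7/24",
}

# Stand-in for a pfSense alias holding the private ranges.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def resolve(token):
    """Expand a source/destination token into a list of networks.

    '<IF> address' -> the interface's own address as a /32
    '<IF> subnet'  -> the network block the interface lives in
    'any'          -> 0.0.0.0/0 (note: this includes every firewall address)
    'rfc1918'      -> the private ranges above
    anything else  -> parsed as a literal CIDR
    """
    if token == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if token.endswith(" address"):
        a = ipaddress.ip_interface(IFACE_ADDR[token[:-len(" address")]])
        return [ipaddress.ip_network(f"{a.ip}/32")]
    if token.endswith(" subnet"):
        return [ipaddress.ip_interface(IFACE_ADDR[token[:-len(" subnet")]]).network]
    if token == "rfc1918":
        return [ipaddress.ip_network(n) for n in RFC1918]
    return [ipaddress.ip_network(token)]


@dataclass
class Rule:
    action: str      # "pass" or "block"
    src: str
    dst: str
    descr: str = ""


def evaluate(rules, src_ip, dst_ip):
    """Return (action, description) of the first matching rule, top to bottom.

    With no match the packet hits the implicit deny, exactly as on an
    interface tab with no (or no matching) rules.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if any(s in n for n in resolve(r.src)) and any(d in n for n in resolve(r.dst)):
            return r.action, r.descr or f"{r.action} {r.src} -> {r.dst}"
    return "block", "default deny"


# Rule set A: the common "LAN subnet -> any" pass rule.  Because the firewall's
# own addresses fall inside "any", this also opens the firewall itself.
LAN_ALLOW_ANY = [Rule("pass", "LAN subnet", "any", "allow LAN to anything")]

# Rule set B: the layout chpalmer describes.  Block the destinations that must
# not be reached, then allow the rest; everything else still hits default deny.
LAN_INTERNET_ONLY = [
    Rule("block", "LAN subnet", "LAN address", "no access to firewall on LAN"),
    Rule("block", "LAN subnet", "WAN address", "no access to firewall on WAN"),
    Rule("block", "LAN subnet", "OPT1 subnet", "no access to OPT1"),
    Rule("block", "LAN subnet", "rfc1918", "no other private space"),
    Rule("pass", "LAN subnet", "any", "everything left = internet"),
]

if __name__ == "__main__":
    for dst in ("192.168.0.1", "203.0.113.7", "10.10.10.1", "172.16.5.5", "8.8.8.8"):
        print(dst, evaluate(LAN_ALLOW_ANY, "192.168.0.10", dst),
              evaluate(LAN_INTERNET_ONLY, "192.168.0.10", dst))
    # A source outside the LAN netblock never matches "LAN subnet" at all.
    print("spoofed", evaluate(LAN_INTERNET_ONLY, "172.16.5.5", "8.8.8.8"))
```

Running it shows the difference in practice: under rule set A the host 192.168.0.10 can reach 192.168.0.1 and 203.0.113.7 (both firewall addresses) as well as 8.8.8.8, while under rule set B only 8.8.8.8 passes and the firewall and private destinations are caught by the explicit blocks. A packet whose source is not inside the LAN netblock matches nothing and falls to the default deny, which is the exclusion bmeeks describes for "<interface subnet>" as a source. In a real deployment you would normally put a pass rule for DNS and DHCP to "LAN address" above the first block, since this layout otherwise cuts clients off from the firewall's own resolver; the evaluator ignores ports, so that refinement is left out here.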

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.